From patchwork Sun Nov 15 11:34:31 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Buesch <mb@bu3sch.de>
X-Patchwork-Id: 60107
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id nAFBZF3n028697
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Sun, 15 Nov 2009 11:35:15 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752176AbZKOLfI (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Sun, 15 Nov 2009 06:35:08 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752172AbZKOLfI
	(ORCPT <rfc822;linux-wireless-outgoing>);
	Sun, 15 Nov 2009 06:35:08 -0500
Received: from bu3sch.de ([62.75.166.246]:34507 "EHLO vs166246.vserver.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752137AbZKOLfG (ORCPT <rfc822; linux-wireless@vger.kernel.org>);
	Sun, 15 Nov 2009 06:35:06 -0500
Received: by vs166246.vserver.de with esmtpa (Exim 4.69)
	id 1N9dNu-00024z-UV; Sun, 15 Nov 2009 11:35:11 +0000
From: Michael Buesch <mb@bu3sch.de>
To: stable@kernel.org
Subject: [PATCH stable] b43: Fix DMA TX bounce buffer copying
Date: Sun, 15 Nov 2009 12:34:31 +0100
User-Agent: KMail/1.9.9
Cc: bcm43xx-dev@lists.berlios.de, linux-wireless@vger.kernel.org
X-Move-Along: Nothing to see here. No, really... Nothing.
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <200911151234.33621.mb@bu3sch.de>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org


--- linux-2.6.31.orig/drivers/net/wireless/b43/dma.c
+++ linux-2.6.31/drivers/net/wireless/b43/dma.c
@@ -1158,8 +1158,9 @@ struct b43_dmaring *parse_cookie(struct 
 }
 
 static int dma_tx_fragment(struct b43_dmaring *ring,
-			   struct sk_buff *skb)
+			   struct sk_buff **in_skb)
 {
+	struct sk_buff *skb = *in_skb;
 	const struct b43_dma_ops *ops = ring->ops;
 	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
 	u8 *header;
@@ -1225,8 +1226,14 @@ static int dma_tx_fragment(struct b43_dm
 		}
 
 		memcpy(skb_put(bounce_skb, skb->len), skb->data, skb->len);
+		memcpy(bounce_skb->cb, skb->cb, sizeof(skb->cb));
+		bounce_skb->dev = skb->dev;
+		skb_set_queue_mapping(bounce_skb, skb_get_queue_mapping(skb));
+		info = IEEE80211_SKB_CB(bounce_skb);
+
 		dev_kfree_skb_any(skb);
 		skb = bounce_skb;
+		*in_skb = bounce_skb;
 		meta->skb = skb;
 		meta->dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1);
 		if (b43_dma_mapping_error(ring, meta->dmaaddr, skb->len, 1)) {
@@ -1359,7 +1366,11 @@ int b43_dma_tx(struct b43_wldev *dev, st
 	 * static, so we don't need to store it per frame. */
 	ring->queue_prio = skb_get_queue_mapping(skb);
 
-	err = dma_tx_fragment(ring, skb);
+	/* dma_tx_fragment might reallocate the skb, so invalidate pointers pointing
+	 * into the skb data or cb now. */
+	hdr = NULL;
+	info = NULL;
+	err = dma_tx_fragment(ring, &skb);
 	if (unlikely(err == -ENOKEY)) {
 		/* Drop this packet, as we don't have the encryption key
 		 * anymore and must not transmit it unencrypted. */