target/linux/sunxi/patches-3.14/231-2-brcmfmac-fix-use-of-skb-ctrlbuf-in-SDIO.patch

   1 From 3eee5fd6d045dc744f98fd684258e3fdfa667fd6 Mon Sep 17 00:00:00 2001
   2 From: Arend van Spriel <arend@broadcom.com>
   3 Date: Tue, 25 Feb 2014 20:30:27 +0100
   4 Subject: [PATCH] brcmfmac: fix use of skb control buffer in SDIO driver part
   5
   6 The SDIO driver has a 16-bit field defined in the skbuff control buffer.
   7 However, it is accessed as a u32 overwriting other control info. Another
   8 issue is that the field is not initialized for networking packets, but
   9 the control buffer content is unspecified as other networking layers can
  10 use it.
  11
  12 Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
  13 Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
  14 Reviewed-by: Daniel (Deognyoun) Kim <dekim@broadcom.com>
  15 Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
  16 Signed-off-by: Arend van Spriel <arend@broadcom.com>
  17 Signed-off-by: John W. Linville <linville@tuxdriver.com>
  18 ---
  19  drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 10 ++++++----
  20  1 file changed, 6 insertions(+), 4 deletions(-)
  21
  22 --- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
  23 +++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
  24 @@ -1955,7 +1955,7 @@ static int brcmf_sdio_txpkt_prep_sg(stru
  25                 memcpy(pkt_pad->data,
  26                        pkt->data + pkt->len - tail_chop,
  27                        tail_chop);
  28 -               *(u32 *)(pkt_pad->cb) = ALIGN_SKB_FLAG + tail_chop;
  29 +               *(u16 *)(pkt_pad->cb) = ALIGN_SKB_FLAG + tail_chop;
  30                 skb_trim(pkt, pkt->len - tail_chop);
  31                 skb_trim(pkt_pad, tail_pad + tail_chop);
  32                 __skb_queue_after(pktq, pkt, pkt_pad);
  33 @@ -2003,7 +2003,7 @@ brcmf_sdio_txpkt_prep(struct brcmf_sdio
  34                  * already properly aligned and does not
  35                  * need an sdpcm header.
  36                  */
  37 -               if (*(u32 *)(pkt_next->cb) & ALIGN_SKB_FLAG)
  38 +               if (*(u16 *)(pkt_next->cb) & ALIGN_SKB_FLAG)
  39                         continue;
  40
  41                 /* align packet data pointer */
  42 @@ -2067,11 +2067,11 @@ brcmf_sdio_txpkt_postp(struct brcmf_sdio
  43         u8 *hdr;
  44         u32 dat_offset;
  45         u16 tail_pad;
  46 -       u32 dummy_flags, chop_len;
  47 +       u16 dummy_flags, chop_len;
  48         struct sk_buff *pkt_next, *tmp, *pkt_prev;
  49
  50         skb_queue_walk_safe(pktq, pkt_next, tmp) {
  51 -               dummy_flags = *(u32 *)(pkt_next->cb);
  52 +               dummy_flags = *(u16 *)(pkt_next->cb);
  53                 if (dummy_flags & ALIGN_SKB_FLAG) {
  54                         chop_len = dummy_flags & ALIGN_SKB_CHOP_LEN_MASK;
  55                         if (chop_len) {
  56 @@ -2554,6 +2554,8 @@ static int brcmf_sdio_bus_txdata(struct
  57
  58         /* Priority based enq */
  59         spin_lock_irqsave(&bus->txqlock, flags);
  60 +       /* reset bus_flags in packet cb */
  61 +       *(u16 *)(pkt->cb) = 0;
  62         if (!brcmf_c_prec_enq(bus->sdiodev->dev, &bus->txq, pkt, prec)) {
  63                 skb_pull(pkt, bus->tx_hdrlen);
  64                 brcmf_err("out of bus->txq !!!\n");