[ 3.8.y.z extended stable ] Patch "ath9k_htc: Restore skb headroom when returning skb to mac80211" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Thu Sep 5 20:49:42 UTC 2013 

This is a note to let you know that I have just added a patch titled

    ath9k_htc: Restore skb headroom when returning skb to mac80211

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.9.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From bdcbc9c66338d3c904af881260011a3606f1393d Mon Sep 17 00:00:00 2001
From: Helmut Schaa <helmut.schaa at googlemail.com>
Date: Fri, 16 Aug 2013 21:39:40 +0200
Subject: ath9k_htc: Restore skb headroom when returning skb to mac80211

commit d2e9fc141e2aa21f4b35ee27072d84e9aa6e2ba0 upstream.

ath9k_htc adds padding between the 802.11 header and the payload during
TX by moving the header. When handing the frame back to mac80211 for TX
status handling the header is not moved back into its original position.
This can result in a too small skb headroom when entering ath9k_htc
again (due to a soft retransmission for example) causing an
skb_under_panic oops.

Fix this by moving the 802.11 header back into its original position
before returning the frame to mac80211 as other drivers like rt2x00
or ath5k do.

Reported-by: Marc Kleine-Budde <mkl at blackshift.org>
Signed-off-by: Helmut Schaa <helmut.schaa at googlemail.com>
Tested-by: Marc Kleine-Budde <mkl at blackshift.org>
Signed-off-by: Marc Kleine-Budde <mkl at blackshift.org>
Signed-off-by: John W. Linville <linville at tuxdriver.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 8788621..be484b5 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -448,6 +448,7 @@ static void ath9k_htc_tx_process(struct ath9k_htc_priv *priv,
 	struct ieee80211_conf *cur_conf = &priv->hw->conf;
 	bool txok;
 	int slot;
+	int hdrlen, padsize;

 	slot = strip_drv_header(priv, skb);
 	if (slot < 0) {
@@ -504,6 +505,15 @@ send_mac80211:

 	ath9k_htc_tx_clear_slot(priv, slot);

+	/* Remove padding before handing frame back to mac80211 */
+	hdrlen = ieee80211_get_hdrlen_from_skb(skb);
+
+	padsize = hdrlen & 3;
+	if (padsize && skb->len > hdrlen + padsize) {
+		memmove(skb->data + padsize, skb->data, hdrlen);
+		skb_pull(skb, padsize);
+	}
+
 	/* Send status to mac80211 */
 	ieee80211_tx_status(priv->hw, skb);
 }
--
1.8.1.2

More information about the kernel-team mailing list