
Commit 0b8004aa authored by Gertjan van Wingerde Committed by Ivo van Doorn

rt2x00: Properly reserve room for descriptors in skbs.



Instead of fiddling with the skb->data pointer and thereby risking
out of bounds accesses, properly reserve the space needed in an
skb for descriptors.

Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
parent baaffe67
+1 −1
@@ -1229,7 +1229,7 @@ static void rt2400pci_txdone(struct rt2x00_dev *rt2x00dev,
		}
		txdesc.retry = rt2x00_get_field32(word, TXD_W0_RETRY_COUNT);

		rt2x00lib_txdone(entry, &txdesc);
		rt2x00pci_txdone(entry, &txdesc);
	}
}

+1 −1
@@ -1365,7 +1365,7 @@ static void rt2500pci_txdone(struct rt2x00_dev *rt2x00dev,
		}
		txdesc.retry = rt2x00_get_field32(word, TXD_W0_RETRY_COUNT);

		rt2x00lib_txdone(entry, &txdesc);
		rt2x00pci_txdone(entry, &txdesc);
	}
}

+8 −6
@@ -1034,7 +1034,7 @@ static void rt2500usb_write_tx_desc(struct rt2x00_dev *rt2x00dev,
				    struct txentry_desc *txdesc)
{
	struct skb_frame_desc *skbdesc = get_skb_frame_desc(skb);
	__le32 *txd = (__le32 *)(skb->data - TXD_DESC_SIZE);
	__le32 *txd = (__le32 *) skb->data;
	u32 word;

	/*
@@ -1080,6 +1080,7 @@ static void rt2500usb_write_tx_desc(struct rt2x00_dev *rt2x00dev,
	/*
	 * Register descriptor details in skb frame descriptor.
	 */
	skbdesc->flags |= SKBDESC_DESC_IN_SKB;
	skbdesc->desc = txd;
	skbdesc->desc_len = TXD_DESC_SIZE;
}
@@ -1107,6 +1108,12 @@ static void rt2500usb_write_beacon(struct queue_entry *entry,
	rt2x00_set_field16(&reg, TXRX_CSR19_BEACON_GEN, 0);
	rt2500usb_register_write(rt2x00dev, TXRX_CSR19, reg);

	/*
	 * Add space for the descriptor in front of the skb.
	 */
	skb_push(entry->skb, TXD_DESC_SIZE);
	memset(entry->skb->data, 0, TXD_DESC_SIZE);

	/*
	 * Write the TX descriptor for the beacon.
	 */
@@ -1117,11 +1124,6 @@ static void rt2500usb_write_beacon(struct queue_entry *entry,
	 */
	rt2x00debug_dump_frame(rt2x00dev, DUMP_FRAME_BEACON, entry->skb);

	/*
	 * Take the descriptor in front of the skb into account.
	 */
	skb_push(entry->skb, TXD_DESC_SIZE);

	/*
	 * USB devices cannot blindly pass the skb->len as the
	 * length of the data to usb_fill_bulk_urb. Pass the skb
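Review bot: rt2500usb_write_tx_desc now takes `skb->data` itself as the start of the descriptor, but nothing in the function states or checks that the caller has already reserved `TXD_DESC_SIZE` bytes there. A caller that skips the `skb_push` would have the descriptor written over the first bytes of the frame. The beacon path shows the reservation and the `memset`, but the data-frame caller is not visible in this section, so the precondition belongs at the function, e.g. `/* Caller must have reserved TXD_DESC_SIZE bytes at skb->data (skb_push) before calling. */`. It is also worth confirming that beacon skbs are always allocated with at least `TXD_DESC_SIZE` of headroom, because `skb_push` does not return an error when headroom is short. Both function bodies extend beyond the hunks shown here.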
+1 −2
@@ -282,9 +282,8 @@ int rt2800_wait_wpdma_ready(struct rt2x00_dev *rt2x00dev)
}
EXPORT_SYMBOL_GPL(rt2800_wait_wpdma_ready);

void rt2800_write_txwi(struct sk_buff *skb, struct txentry_desc *txdesc)
void rt2800_write_txwi(__le32 *txwi, struct txentry_desc *txdesc)
{
	__le32 *txwi = (__le32 *)(skb->data - TXWI_DESC_SIZE);
	u32 word;

	/*
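Review bot: rt2800_write_txwi now receives a bare `__le32 *txwi` with no length and no skb, so it can no longer relate the pointer to the buffer it writes into. Every caller is trusted to pass at least `TXWI_DESC_SIZE` writable bytes. The callers are not visible in this section, so each one should be checked to pass a pointer taken after the headroom was reserved in the skb. I would add a comment above the definition, such as `/* txwi must point to TXWI_DESC_SIZE writable bytes reserved in the skb by the caller. */`, and repeat it at the prototype in the header. The function body continues past the end of this hunk.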
+1 −1
@@ -111,7 +111,7 @@ void rt2800_mcu_request(struct rt2x00_dev *rt2x00dev,
			const u8 command, const u8 token,
			const u8 arg0, const u8 arg1);

void rt2800_write_txwi(struct sk_buff *skb, struct txentry_desc *txdesc);
void rt2800_write_txwi(__le32 *txwi, struct txentry_desc *txdesc);
void rt2800_process_rxwi(struct sk_buff *skb, struct rxdone_entry_desc *txdesc);

extern const struct rt2x00debug rt2800_rt2x00debug;