rt2x00: Fix panic on frame padding for rt2800 usb devices
Backtrace: rt2800usb_write_tx_data rt2x00queue_write_tx_frame rt2x00mac_tx invoke_tx_handlers __ieee80211_tx ieee80211_tx virt_to_head_page ieee80211_xmit ieee80211_tx_skb ieee80211_scan_work schedule ieee80211_scan_work process_one_work ... It tried to expand the skb past it's end using skb_put. So I replaced it with a call to skb_padto, which takes the issue into account. Signed-off-by: Ismael Luceno <ismael.luceno@gmail.com> Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
Ismael Luceno
John W. Linville
parent
736e3acadc
commit
11f16aefcc
|
|
@ -369,7 +369,10 @@ static void rt2800usb_write_tx_desc(struct queue_entry *entry,
|
|||
static void rt2800usb_write_tx_data(struct queue_entry *entry,
|
||||
struct txentry_desc *txdesc)
|
||||
{
|
||||
u8 padding_len;
|
||||
unsigned int len;
|
||||
int err;
|
||||
|
||||
rt2800_write_tx_data(entry, txdesc);
|
||||
|
||||
/*
|
||||
* pad(1~3 bytes) is added after each 802.11 payload.
|
||||
|
|
@ -378,9 +381,14 @@ static void rt2800usb_write_tx_data(struct queue_entry *entry,
|
|||
* | TXINFO | TXWI | 802.11 header | L2 pad | payload | pad | USB end pad |
|
||||
* |<------------- tx_pkt_len ------------->|
|
||||
*/
|
||||
rt2800_write_tx_data(entry, txdesc);
|
||||
padding_len = roundup(entry->skb->len + 4, 4) - entry->skb->len;
|
||||
memset(skb_put(entry->skb, padding_len), 0, padding_len);
|
||||
len = roundup(entry->skb->len, 4) + 4;
|
||||
err = skb_padto(entry->skb, len);
|
||||
if (unlikely(err)) {
|
||||
WARNING(entry->queue->rt2x00dev, "TX SKB padding error, out of memory\n");
|
||||
return;
|
||||
}
|
||||
|
||||
entry->skb->len = len;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
|||
Loading…
Reference in a new issue