From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Sara Sharon <sara.sharon@intel.com>,
	Lorenzo Bianconi <lorenzo.bianconi@redhat.com>,
	Johannes Berg <johannes.berg@intel.com>,
	Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 14/94] mac80211: avoid kernel panic when building AMSDU from non-linear SKB
Date: Mon,  8 Oct 2018 20:30:55 +0200
Message-ID: <20181008175605.730869734@linuxfoundation.org>
In-Reply-To: <20181008175605.067676667@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sara Sharon <sara.sharon@intel.com>

[ Upstream commit 166ac9d55b0ab70b644e429be1f217fe8393cbd7 ]

When building AMSDU from non-linear SKB, we hit a
kernel panic when trying to push the padding to the tail.
Instead, put the padding at the head of the next subframe.
This also fixes the A-MSDU subframes to not have the padding
accounted in the length field and not have pad at all for
the last subframe, both required by the spec.

Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Reviewed-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/tx.c |   38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3022,27 +3022,18 @@ void ieee80211_clear_fast_xmit(struct st
 }
 
 static bool ieee80211_amsdu_realloc_pad(struct ieee80211_local *local,
-					struct sk_buff *skb, int headroom,
-					int *subframe_len)
+					struct sk_buff *skb, int headroom)
 {
-	int amsdu_len = *subframe_len + sizeof(struct ethhdr);
-	int padding = (4 - amsdu_len) & 3;
-
-	if (skb_headroom(skb) < headroom || skb_tailroom(skb) < padding) {
+	if (skb_headroom(skb) < headroom) {
 		I802_DEBUG_INC(local->tx_expand_skb_head);
 
-		if (pskb_expand_head(skb, headroom, padding, GFP_ATOMIC)) {
+		if (pskb_expand_head(skb, headroom, 0, GFP_ATOMIC)) {
 			wiphy_debug(local->hw.wiphy,
 				    "failed to reallocate TX buffer\n");
 			return false;
 		}
 	}
 
-	if (padding) {
-		*subframe_len += padding;
-		skb_put_zero(skb, padding);
-	}
-
 	return true;
 }
 
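Review bot: ieee80211_amsdu_realloc_pad() keeps "pad" in its name, but with the tailroom check and the skb_put_zero() call removed it no longer pads anything and only guarantees headroom. Either rename it or add a short comment above it saying that callers must fold any pad bytes into the headroom argument. That comment could also note that `headroom` serves both as the threshold in `skb_headroom(skb) < headroom` and as the number of bytes pskb_expand_head() adds at the head, so the expansion is safe but larger than strictly needed.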
@@ -3066,8 +3057,7 @@ static bool ieee80211_amsdu_prepare_head
 	if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
 		return true;
 
-	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr),
-					 &subframe_len))
+	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr)))
 		return false;
 
 	data = skb_push(skb, sizeof(*amsdu_hdr));
@@ -3133,7 +3123,8 @@ static bool ieee80211_amsdu_aggregate(st
 	void *data;
 	bool ret = false;
 	unsigned int orig_len;
-	int n = 1, nfrags;
+	int n = 1, nfrags, pad = 0;
+	u16 hdrlen;
 
 	if (!ieee80211_hw_check(&local->hw, TX_AMSDU))
 		return false;
@@ -3184,8 +3175,19 @@ static bool ieee80211_amsdu_aggregate(st
 	if (max_frags && nfrags > max_frags)
 		goto out;
 
-	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + 2,
-					 &subframe_len))
+	/*
+	 * Pad out the previous subframe to a multiple of 4 by adding the
+	 * padding to the next one, that's being added. Note that head->len
+	 * is the length of the full A-MSDU, but that works since each time
+	 * we add a new subframe we pad out the previous one to a multiple
+	 * of 4 and thus it no longer matters in the next round.
+	 */
+	hdrlen = fast_tx->hdr_len - sizeof(rfc1042_header);
+	if ((head->len - hdrlen) & 3)
+		pad = 4 - ((head->len - hdrlen) & 3);
+
+	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) +
+						     2 + pad))
 		goto out;
 
 	ret = true;
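Review bot: the comment above the pad computation explains why using head->len works, but not what hdrlen represents or why sizeof(rfc1042_header) is subtracted from fast_tx->hdr_len; one sentence on that would make `(head->len - hdrlen) & 3` checkable without reading the rest of the file. The two-line conditional can also be written in the branch-free form the removed code used, `pad = (4 - (head->len - hdrlen)) & 3;`, which keeps pad in the range 0 to 3 and drops the need for the `pad = 0` initializer to carry meaning.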
@@ -3197,6 +3199,8 @@ static bool ieee80211_amsdu_aggregate(st
 	memcpy(data, &len, 2);
 	memcpy(data + 2, rfc1042_header, sizeof(rfc1042_header));
 
+	memset(skb_push(skb, pad), 0, pad);
+
 	head->len += skb->len;
 	head->data_len += skb->len;
 	*frag_tail = skb;
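Review bot: `memset(skb_push(skb, pad), 0, pad);` runs unconditionally, including when pad is 0, and has no comment, so a reader has to go back to the previous hunk to learn that these bytes pad the previous subframe and that their headroom was reserved by the `2 + pad` argument. Guard it with `if (pad)` or add a one-line comment at this site. It is also worth recording here that the pad is pushed after the subframe header has been written through `data`, so it lands in front of this subframe's header, and that `head->len += skb->len` intentionally counts it.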


