linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: James Hughes <james.hughes@raspberrypi.org>
To: Arend van Spriel <arend.vanspriel@broadcom.com>
Cc: Kalle Valo <kvalo@codeaurora.org>,
	linux-wireless <linux-wireless@vger.kernel.org>
Subject: Re: [PATCH] ath6kl: assure headroom of skbuff is writable in .start_xmit()
Date: Tue, 25 Apr 2017 10:36:46 +0100	[thread overview]
Message-ID: <CAE_XsML=O-Ga9VXxifuE_rUqG47uKVyjwSHGXNSMorPa6340Og@mail.gmail.com> (raw)
In-Reply-To: <1493111408-27692-1-git-send-email-arend.vanspriel@broadcom.com>

On 25 April 2017 at 10:10, Arend van Spriel
<arend.vanspriel@broadcom.com> wrote:
> An issue was found brcmfmac driver in which a skbuff in .start_xmit()
> callback was actually cloned. So instead of checking for sufficient
> headroom it should also be writable. Hence use skb_cow_head() to
> check and expand the headroom appropriately.
>
> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> ---
> Hi Kalle,
>
> Did a recursive grep in drivers/net/wireless and found a similar
> case in ath6kl. I do not have the hardware to test so this is
> only compile tested.
>
> Regards,
> Arend
> ---
>  drivers/net/wireless/ath/ath6kl/txrx.c | 13 ++++---------
>  1 file changed, 4 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
> index a531e0c..e6b2517 100644
> --- a/drivers/net/wireless/ath/ath6kl/txrx.c
> +++ b/drivers/net/wireless/ath/ath6kl/txrx.c
> @@ -399,15 +399,10 @@ int ath6kl_data_tx(struct sk_buff *skb, struct net_device *dev)
>                         csum_dest = skb->csum_offset + csum_start;
>                 }
>
> -               if (skb_headroom(skb) < dev->needed_headroom) {
> -                       struct sk_buff *tmp_skb = skb;
> -
> -                       skb = skb_realloc_headroom(skb, dev->needed_headroom);
> -                       kfree_skb(tmp_skb);
> -                       if (skb == NULL) {
> -                               dev->stats.tx_dropped++;
> -                               return 0;
> -                       }
> +               if (skb_cow_head(skb, dev->needed_headroom)) {
> +                       dev->stats.tx_dropped++;
> +                       kfree_skb(skb);
> +                       return 0;
>                 }
>
>                 if (ath6kl_wmi_dix_2_dot3(ar->wmi, skb)) {
> --
> 1.9.1
>

Not sure if this is the right place to comment on this, but I've had a
quick look around various network drivers, and there are similar
constructs in a LOT of drivers. I've picked two at random, and both
seem to show this issue. When the issue first came up in a USB
attached smsc ethernet driver, at least 6 other drivers with similar
faults were found in the net/usb tree.  Now I could just be being
paranoid, and am missing something, so here are the files I looked
at...

drivers/net/marvell/mwifiex/uap_txrx.c line 161 - no relevant skb_cow
operations in this file, but changes are made to the buffers
/drivers/net/ethernet/sun/niu.c line 6657 - ditto

I'm a bit of a beginner at this stuff, so not sure how this should be
taken forward.

James

  reply	other threads:[~2017-04-25  9:36 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-25  9:10 [PATCH] ath6kl: assure headroom of skbuff is writable in .start_xmit() Arend van Spriel
2017-04-25  9:36 ` James Hughes [this message]
2017-04-25 11:10   ` Arend Van Spriel
2017-04-25 11:50     ` James Hughes
2017-04-26  8:53 ` Kalle Valo
2017-04-26 15:44   ` Steve deRosier
2017-04-26 18:03     ` Arend Van Spriel
2017-04-26 19:54       ` James Hughes
2017-04-27  4:55         ` Steve deRosier
2017-04-27  8:54           ` James Hughes
2017-05-04 13:08           ` Kalle Valo
     [not found] ` <20170426085337.293296148E@smtp.codeaurora.org>
2017-04-26  9:00   ` Arend van Spriel
2017-05-19  7:48 ` Kalle Valo

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAE_XsML=O-Ga9VXxifuE_rUqG47uKVyjwSHGXNSMorPa6340Og@mail.gmail.com' \
    --to=james.hughes@raspberrypi.org \
    --cc=arend.vanspriel@broadcom.com \
    --cc=kvalo@codeaurora.org \
    --cc=linux-wireless@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).