commit 9a3f45116f5e08819136cd512fd7f6450ac22aa8
Author: Michael Buesch <m...@bu3sch.de>
Date: Wed Oct 28 22:08:13 2009 +0100
b43: Fix DMA TX bounce buffer copying
b43 allocates a bouncebuffer, if the supplied TX skb is in an invalid
memory range for DMA.
However, this is broken in that it fails to copy over some metadata to the
new skb.
This patch fixes three problems:
* Failure to adjust the ieee80211_tx_info pointer to the new buffer.
This results in a kmemcheck warning.
* Failure to copy the skb cb, which contains ieee80211_tx_info, to the new
skb.
This results in breakage of various TX-status postprocessing (Rate
control).
* Failure to transfer the queue mapping.
This results in the wrong queue being stopped on saturation and can
result in queue overflow.
Signed-off-by: Michael Buesch <m...@bu3sch.de>
Tested-by: Christian Casteyde <casteyde.christ...@free.fr>
Signed-off-by: John W. Linville <linvi...@tuxdriver.com>
---
We forgot to CC -stable on this patch, but it fixes a bug that users are hitting
(bug #14582)
---
drivers/net/wireless/b43/dma.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- linux-2.6.31.orig/drivers/net/wireless/b43/dma.c
+++ linux-2.6.31/drivers/net/wireless/b43/dma.c
@@ -1158,8 +1158,9 @@ struct b43_dmaring *parse_cookie(struct
}
static int dma_tx_fragment(struct b43_dmaring *ring,
- struct sk_buff *skb)
+ struct sk_buff **in_skb)
{
+ struct sk_buff *skb = *in_skb;
const struct b43_dma_ops *ops = ring->ops;
struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
u8 *header;
@@ -1225,8 +1226,14 @@ static int dma_tx_fragment(struct b43_dm
}
memcpy(skb_put(bounce_skb, skb->len), skb->data, skb->len);
+ memcpy(bounce_skb->cb, skb->cb, sizeof(skb->cb));
+ bounce_skb->dev = skb->dev;
+ skb_set_queue_mapping(bounce_skb, skb_get_queue_mapping(skb));
+ info = IEEE80211_SKB_CB(bounce_skb);
+
dev_kfree_skb_any(skb);
skb = bounce_skb;
+ *in_skb = bounce_skb;
meta->skb = skb;
meta->dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1);
if (b43_dma_mapping_error(ring, meta->dmaaddr, skb->len, 1)) {
@@ -1359,7 +1366,11 @@ int b43_dma_tx(struct b43_wldev *dev, st
* static, so we don't need to store it per frame. */
ring->queue_prio = skb_get_queue_mapping(skb);
- err = dma_tx_fragment(ring, skb);
+ /* dma_tx_fragment might reallocate the skb, so invalidate pointers
pointing
+ * into the skb data or cb now. */
+ hdr = NULL;
+ info = NULL;
+ err = dma_tx_fragment(ring, &skb);
if (unlikely(err == -ENOKEY)) {
/* Drop this packet, as we don't have the encryption key
* anymore and must not transmit it unencrypted. */
--
Greetings, Michael.
_______________________________________________
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
