mwifiex: fix large amsdu packets causing firmware hang

Sometimes host prepares and downloads a large amsdu packet to firmware which leads to a memory corruption in firmware. The reason is __dev_alloc_skb() may allocate larger buffer than required size. This patch solves the problem by checking "adapter->tx_buf_size" instead of relying on skb_tailroom(). Signed-off-by: N Cathy Luo <cluo@marvell.com> Signed-off-by: N Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org>

mwifiex: fix large amsdu packets causing firmware hang
Sometimes host prepares and downloads a large amsdu packet to firmware which leads to a memory corruption in firmware. The reason is __dev_alloc_skb() may allocate larger buffer than required size. This patch solves the problem by checking "adapter->tx_buf_size" instead of relying on skb_tailroom(). Signed-off-by: N Cathy Luo <cluo@marvell.com> Signed-off-by: N Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org>
c81396f3 · Cathy Luo · Kalle Valo · 184ca823 · c81396f3
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/net/wireless/marvell/mwifiex/11n_aggr.c drivers/net/wireless/marvell/mwifiex/11n_aggr.c +2 -1

未找到文件。
--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -205,7 +205,8 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,

 	do {
 		/* Check if AMSDU can accommodate this MSDU */
-		if (skb_tailroom(skb_aggr) < (skb_src->len + LLC_SNAP_LEN))
+		if ((skb_aggr->len + skb_src->len + LLC_SNAP_LEN) >
+		    adapter->tx_buf_size)
 			break;

 		skb_src = skb_dequeue(&pra_list->skb_head);