summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2011-09-27 11:00:08 +0300
committerKalle Valo <kvalo@qca.qualcomm.com>2011-09-27 21:24:12 +0300
commit00b1edf16960695d820607845797b14e6ed1a26c (patch)
treeb68fa2775d94d3302df06919d099520a24a83a1e
parentaad9339fa2a5e5b51874cfec9883819f59090198 (diff)
ath6kl: fix TCP corruption
Commit 94e532d1a ("ath6kl: Fix system freeze under heavy data load") aligns the skb data without checking if the skb is cloned. Because of this ath6kl can corrupt the local TCP stack information that can result in TCP retransmission failing and TCP connections stalling. To avoid the corruption we need to copy the skb. Now the alignment in ath6kl_htc_tx_buf_align() doesn't corrupt TCP packets anymore (and is not even used for the cloned skb's that got copied since the alignment of the data is handled at the copy time). Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-rw-r--r--drivers/net/wireless/ath/ath6kl/txrx.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
index 348c6463fe0..0869ff396b5 100644
--- a/drivers/net/wireless/ath/ath6kl/txrx.c
+++ b/drivers/net/wireless/ath/ath6kl/txrx.c
@@ -317,6 +317,24 @@ int ath6kl_data_tx(struct sk_buff *skb, struct net_device *dev)
spin_unlock_bh(&ar->lock);
+ if (!IS_ALIGNED((unsigned long) skb->data - HTC_HDR_LENGTH, 4) &&
+ skb_cloned(skb)) {
+ /*
+ * We will touch (move the buffer data to align it. Since the
+ * skb buffer is cloned and not only the header is changed, we
+ * have to copy it to allow the changes. Since we are copying
+ * the data here, we may as well align it by reserving suitable
+ * headroom to avoid the memmove in ath6kl_htc_tx_buf_align().
+ */
+ struct sk_buff *nskb;
+
+ nskb = skb_copy_expand(skb, HTC_HDR_LENGTH, 0, GFP_ATOMIC);
+ if (nskb == NULL)
+ goto fail_tx;
+ kfree_skb(skb);
+ skb = nskb;
+ }
+
cookie->skb = skb;
cookie->map_no = map_no;
set_htc_pkt_info(&cookie->htc_pkt, cookie, skb->data, skb->len,