From: Vasanthakumar Thiagarajan Date: Mon, 7 Nov 2011 07:20:17 +0000 (+0530) Subject: ath6kl: Fix accessing wrong skb->data in ath6kl_tx_complete() X-Git-Url: https://openfabrics.org/gitweb/?a=commitdiff_plain;h=f3803eb2f57450ad3f67f8f6dd728f94ad8c717d;p=~shefty%2Frdma-dev.git ath6kl: Fix accessing wrong skb->data in ath6kl_tx_complete() When buffer alignmnet is applied, the data pointer of skb taken from cookie will no longer point to the first byte of the actual data. But the skb->data pointer is used in ath6kl_tx_complete() to get the index of the virtual interface which will not give the correct interface index and sometimes may give the following WARN_ON() message. Use packet->buf instead of skb->data to fix this. WARNING: at drivers/net/wireless/ath/ath6kl/wmi.c:88 ath6kl_get_vif_by_index+0x5b/0x60 [ath6kl]() Hardware name: 2842K3U Modules linked in: ath6kl mmc_block cfg80211 binfmt_misc ppdev nfs nfsd lockd nfs_acl auth_rpcgss sunrpc exportfs snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel +snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy thinkpad_acpi snd_seq_oss snd_seq_midi snd_rawmidi joydev fbcon tileblit font bitblit softcursor +snd_seq_midi_event snd_seq snd_timer snd_seq_device i915 uvcvideo drm_kms_helper drm psmouse serio_raw snd i2c_algo_bit sdhci_pci videodev intel_agp soundcore intel_gtt jmb38x_ms +memstick sdhci snd_page_alloc nvram lp parport agpgart video ahci r8169 mii libahci [last unloaded: ath6kl] Pid: 15482, comm: kworker/u:1 Tainted: G W 3.1.0-rc10-wl+ #2 Call Trace: [] warn_slowpath_common+0x72/0xa0 [] ? ath6kl_get_vif_by_index+0x5b/0x60 [ath6kl] [] ? ath6kl_get_vif_by_index+0x5b/0x60 [ath6kl] [] warn_slowpath_null+0x22/0x30 [] ath6kl_get_vif_by_index+0x5b/0x60 [ath6kl] [] ath6kl_tx_complete+0x128/0x4d0 [ath6kl] [] ? mmc_request_done+0x80/0x80 [] htc_tx_complete+0x5e/0x70 [ath6kl] [] ? _raw_spin_unlock_bh+0x16/0x20 [] ? ath6kl_sdio_scatter_req_add+0x48/0x60 [ath6kl] [] htc_async_tx_scat_complete+0xb2/0x120 [ath6kl] [] ath6kl_sdio_scat_rw+0x87/0x370 [ath6kl] [] ? __switch_to+0xd2/0x190 [] ? finish_task_switch+0x45/0xd0 [] ? __schedule+0x3ae/0x8b0 [] ath6kl_sdio_write_async_work+0x4a/0xf0 [ath6kl] [] process_one_work+0x116/0x3c0 [] ? ath6kl_sdio_read_write_sync+0xb0/0xb0 [ath6kl] [] worker_thread+0x140/0x3b0 [] ? manage_workers+0x1f0/0x1f0 [] kthread+0x74/0x80 [] ? kthread_worker_fn+0x160/0x160 [] kernel_thread_helper+0x6/0x10 Reported-by: Aarthi Thiruvengadam Signed-off-by: Vasanthakumar Thiagarajan Signed-off-by: Kalle Valo --- diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c index d9cff2b950b..62beadb649b 100644 --- a/drivers/net/wireless/ath/ath6kl/txrx.c +++ b/drivers/net/wireless/ath/ath6kl/txrx.c @@ -571,8 +571,6 @@ void ath6kl_tx_complete(void *context, struct list_head *packet_queue) if (!skb || !skb->data) goto fatal; - packet->buf = skb->data; - __skb_queue_tail(&skb_queue, skb); if (!status && (packet->act_len != skb->len)) @@ -593,10 +591,10 @@ void ath6kl_tx_complete(void *context, struct list_head *packet_queue) if (eid == ar->ctrl_ep) { if_idx = wmi_cmd_hdr_get_if_idx( - (struct wmi_cmd_hdr *) skb->data); + (struct wmi_cmd_hdr *) packet->buf); } else { if_idx = wmi_data_hdr_get_if_idx( - (struct wmi_data_hdr *) skb->data); + (struct wmi_data_hdr *) packet->buf); } vif = ath6kl_get_vif_by_index(ar, if_idx);