Commit c56affaf authored by Inaky Perez-Gonzalez

wimax/i2400m: fix panic/warnings caused by missed check on empty TX message

In some situations, when a new TX message header is started, there
might be no space for data payloads. In this case the message is left
with zero payloads and the i2400m_tx_close() function has just to mark
it as "to skip". If it tries to go ahead it will overwrite things
because there is no space to add padding as defined by the
bus-specific layer. This can cause buffer overruns and in some stress
cases, panics.

Found and diagnosed by Cindy H. Kao.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
parent 8593a196
...@@ -474,10 +474,18 @@ void i2400m_tx_close(struct i2400m *i2400m) ...@@ -474,10 +474,18 @@ void i2400m_tx_close(struct i2400m *i2400m)
struct i2400m_msg_hdr *tx_msg_moved; struct i2400m_msg_hdr *tx_msg_moved;
size_t aligned_size, padding, hdr_size; size_t aligned_size, padding, hdr_size;
void *pad_buf; void *pad_buf;
unsigned num_pls;
if (tx_msg->size & I2400M_TX_SKIP) /* a skipper? nothing to do */ if (tx_msg->size & I2400M_TX_SKIP) /* a skipper? nothing to do */
goto out; goto out;
num_pls = le16_to_cpu(tx_msg->num_pls);
/* We can get this situation when a new message was started
* and there was no space to add payloads before hitting the
tail (and taking padding into consideration). */
if (num_pls == 0) {
tx_msg->size |= I2400M_TX_SKIP;
goto out;
}
/* Relocate the message header /* Relocate the message header
* *
* Find the current header size, align it to 16 and if we need * Find the current header size, align it to 16 and if we need
......
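Review bot: The comment above the new `if (num_pls == 0)` check in i2400m_tx_close() says when an empty message can occur but not why it has to be skipped. The commit message gives the reason (there is no room for the bus-specific padding, so continuing overwrites memory), and one sentence to that effect in the comment would keep a later cleanup from removing the early exit as redundant. Two smaller points in the same hunk: the last line of that block comment lacks the leading ` * ` that the other comment lines use, and `unsigned num_pls;` would read better as `unsigned int num_pls;`. In the lines shown, num_pls is read only once, so the local could also be dropped in favour of testing `tx_msg->num_pls` directly, since a comparison against zero does not depend on byte order.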