On Wed, Apr 01, 2020 at 01:03:41PM +0200, Jerome Pouiller wrote: > From: Jérôme Pouiller <jerome.pouiller@xxxxxxxxxx> > > The last argument of hif_handle_tx_data() was now unused. In add, > hif_handle_tx_data() has nothing to do with HIF layer and should be > renamed. Finally, it not convenient to pass a wfx_vif as parameter. It > is easier to let hif_handle_tx_data() find the interface itself. > > Signed-off-by: Jérôme Pouiller <jerome.pouiller@xxxxxxxxxx> > --- > drivers/staging/wfx/queue.c | 19 ++++++++++--------- > 1 file changed, 10 insertions(+), 9 deletions(-) > > diff --git a/drivers/staging/wfx/queue.c b/drivers/staging/wfx/queue.c > index 2553f77522d9..8647731e02c0 100644 > --- a/drivers/staging/wfx/queue.c > +++ b/drivers/staging/wfx/queue.c > @@ -319,13 +319,17 @@ bool wfx_tx_queues_is_empty(struct wfx_dev *wdev) > return ret; > } > > -static bool hif_handle_tx_data(struct wfx_vif *wvif, struct sk_buff *skb, > - struct wfx_queue *queue) > +static bool wfx_handle_tx_data(struct wfx_dev *wdev, struct sk_buff *skb) > { > struct hif_req_tx *req = wfx_skb_txreq(skb); > struct ieee80211_key_conf *hw_key = wfx_skb_tx_priv(skb)->hw_key; > struct ieee80211_hdr *frame = > (struct ieee80211_hdr *)(req->frame + req->data_flags.fc_offset); > + struct wfx_vif *wvif = > + wdev_to_wvif(wdev, ((struct hif_msg *)skb->data)->interface); ^^^^^^^^^ This is on the TX side so it's probably okay, but one problem I have noticed is that we do this on the RX side as well with checking that if (skb->len < sizeof(struct hif_msg)) return -EINVAL; So we could be reading beyond the end of the skb. If we got really unlucky it could lead to an Oops. regards, dan carpenter