Patch "mt76: mt7921: don't assume adequate headroom for SDIO headers" has been added to the 6.5-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    mt76: mt7921: don't assume adequate headroom for SDIO headers

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mt76-mt7921-don-t-assume-adequate-headroom-for-sdio-.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 702dcd436419b6e4a195d70042a0825d04fcbfc2
Author: Matt Whitlock <kernel@xxxxxxxxxxxxxxxxx>
Date:   Thu Apr 20 15:24:51 2023 -0400

    mt76: mt7921: don't assume adequate headroom for SDIO headers
    
    [ Upstream commit 98c4d0abf5c478db1ad126ff0c187dbb84c0803c ]
    
    mt7921_usb_sdio_tx_prepare_skb() calls mt7921_usb_sdio_write_txwi() and
    mt7921_skb_add_usb_sdio_hdr(), both of which blindly assume that
    adequate headroom will be available in the passed skb. This assumption
    typically is satisfied when the skb was allocated in the net core for
    transmission via the mt7921 netdev (although even that is only an
    optimization and is not strictly guaranteed), but the assumption is
    sometimes not satisfied when the skb originated in the receive path of
    another netdev and was passed through to the mt7921, such as by the
    bridge layer. Blindly prepending bytes to an skb is always wrong.
    
    This commit introduces a call to skb_cow_head() before the call to
    mt7921_usb_sdio_write_txwi() in mt7921_usb_sdio_tx_prepare_skb() to
    ensure that at least MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE bytes can be
    pushed onto the skb.
    
    Without this fix, I can trivially cause kernel panics by bridging an
    MT7921AU-based USB 802.11ax interface with an Ethernet interface on an
    Intel Atom-based x86 system using its onboard RTL8169 PCI Ethernet
    adapter and also on an ARM-based Raspberry Pi 1 using its onboard
    SMSC9512 USB Ethernet adapter. Note that the panics do not occur in
    every system configuration, as they occur only if the receiving netdev
    leaves less headroom in its received skbs than the mt7921 needs for its
    SDIO headers.
    
    Here is an example stack trace of this panic on Raspberry Pi OS Lite
    2023-02-21 running kernel 6.1.24+ [1]:
    
     skb_panic from skb_push+0x44/0x48
     skb_push from mt7921_usb_sdio_tx_prepare_skb+0xd4/0x190 [mt7921_common]
     mt7921_usb_sdio_tx_prepare_skb [mt7921_common] from mt76u_tx_queue_skb+0x94/0x1d0 [mt76_usb]
     mt76u_tx_queue_skb [mt76_usb] from __mt76_tx_queue_skb+0x4c/0xc8 [mt76]
     __mt76_tx_queue_skb [mt76] from mt76_txq_schedule.part.0+0x13c/0x398 [mt76]
     mt76_txq_schedule.part.0 [mt76] from mt76_txq_schedule_all+0x24/0x30 [mt76]
     mt76_txq_schedule_all [mt76] from mt7921_tx_worker+0x58/0xf4 [mt7921_common]
     mt7921_tx_worker [mt7921_common] from __mt76_worker_fn+0x9c/0xec [mt76]
     __mt76_worker_fn [mt76] from kthread+0xbc/0xe0
     kthread from ret_from_fork+0x14/0x34
    
    After this fix, bridging the mt7921 interface works fine on both of my
    previously problematic systems.
    
    [1] https://github.com/raspberrypi/firmware/tree/5c276f55a4b21345cd4d6200a504ee991851ff7a
    
    Link: https://github.com/openwrt/openwrt/issues/11796
    Signed-off-by: Matt Whitlock <kernel@xxxxxxxxxxxxxxxxx>
    Signed-off-by: Felix Fietkau <nbd@xxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
index 1675bf5204812..a671c601c5836 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
@@ -1180,6 +1180,10 @@ int mt7921_usb_sdio_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
 	if (unlikely(tx_info->skb->len <= ETH_HLEN))
 		return -EINVAL;
 
+	err = skb_cow_head(skb, MT_SDIO_TXD_SIZE + MT_SDIO_HDR_SIZE);
+	if (err)
+		return err;
+
 	if (!wcid)
 		wcid = &dev->mt76.global_wcid;
 



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux