From: Ilan Peer <ilan.peer@xxxxxxxxx>
commit bbb18f7e23a3f5f56d5c8b4ee0f78f00edb3b1b2 upstream.
The allocation of the scatter gather data structure should be done
based on the number of memory chunks that need to be mapped, and it
is not dependent on the overall payload length. Fix it.
In addition, as the skb_to_sgvec() function returns an 'int' do not
assign it to an 'unsigned int' as otherwise the error check would be
useless.
Fixes: 7f5e3038f029 ("wifi: iwlwifi: map entire SKB when sending AMSDUs")
Signed-off-by: Ilan Peer <ilan.peer@xxxxxxxxx>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx>
Link: https://patch.msgid.link/20250306122425.8c0e23a3d583.I3cb4d6768c9d28ce3da6cd0a6c65466176cfc1ee@changeid
Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/intel/iwlwifi/pcie/tx.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
@@ -1867,12 +1867,12 @@ struct sg_table *iwl_pcie_prep_tso(struc
unsigned int offset)
{
struct sg_table *sgt;
- unsigned int n_segments;
+ unsigned int n_segments = skb_shinfo(skb)->nr_frags + 1;
+ int orig_nents;
if (WARN_ON_ONCE(skb_has_frag_list(skb)))
return NULL;
- n_segments = DIV_ROUND_UP(skb->len - offset, skb_shinfo(skb)->gso_size);
*hdr = iwl_pcie_get_page_hdr(trans,
hdr_room + __alignof__(struct sg_table) +
sizeof(struct sg_table) +
@@ -1887,11 +1887,12 @@ struct sg_table *iwl_pcie_prep_tso(struc
sg_init_table(sgt->sgl, n_segments);
/* Only map the data, not the header (it is copied to the TSO page) */
- sgt->orig_nents = skb_to_sgvec(skb, sgt->sgl, offset,
- skb->len - offset);
- if (WARN_ON_ONCE(sgt->orig_nents <= 0))
+ orig_nents = skb_to_sgvec(skb, sgt->sgl, offset, skb->len - offset);
+ if (WARN_ON_ONCE(orig_nents <= 0))
return NULL;
+ sgt->orig_nents = orig_nents;
+
/* And map the entire SKB */
if (dma_map_sgtable(trans->dev, sgt, DMA_TO_DEVICE, 0) < 0)
return NULL;
Patches currently in stable-queue which might be from ilan.peer@xxxxxxxxx are
queue-6.12/wifi-mac80211-support-parsing-epcs-ml-element.patch
queue-6.12/wifi-iwlwifi-free-pages-allocated-when-failing-to-bu.patch
queue-6.12/wifi-mac80211-fix-mle-non-inheritance-parsing.patch
queue-6.12/wifi-mac80211-fix-vendor-specific-inheritance.patch
queue-6.12/wifi-iwlwifi-fix-a-msdu-tso-preparation.patch
queue-6.12/wifi-iwlwifi-pcie-fix-tso-preparation.patch
