This is a note to let you know that I've just added the patch titled brcmfmac: Ensure pointer correctly set if skb data location changes to the 4.11-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch and it can be found in the queue-4.11 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 455a1eb4654c24560eb9dfc634f29cba3d87601e Mon Sep 17 00:00:00 2001 From: James Hughes <james.hughes@xxxxxxxxxxxxxxx> Date: Mon, 24 Apr 2017 12:40:50 +0100 Subject: brcmfmac: Ensure pointer correctly set if skb data location changes From: James Hughes <james.hughes@xxxxxxxxxxxxxxx> commit 455a1eb4654c24560eb9dfc634f29cba3d87601e upstream. The incoming skb header may be resized if header space is insufficient, which might change the data adddress in the skb. Ensure that a cached pointer to that data is correctly set by moving assignment to after any possible changes. Signed-off-by: James Hughes <james.hughes@xxxxxxxxxxxxxxx> Acked-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx> Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c @@ -198,7 +198,7 @@ static netdev_tx_t brcmf_netdev_start_xm int ret; struct brcmf_if *ifp = netdev_priv(ndev); struct brcmf_pub *drvr = ifp->drvr; - struct ethhdr *eh = (struct ethhdr *)(skb->data); + struct ethhdr *eh; brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx); @@ -236,6 +236,8 @@ static netdev_tx_t brcmf_netdev_start_xm goto done; } + eh = (struct ethhdr *)(skb->data); + if (eh->h_proto == htons(ETH_P_PAE)) atomic_inc(&ifp->pend_8021x_cnt); Patches currently in stable-queue which might be from james.hughes@xxxxxxxxxxxxxxx are queue-4.11/brcmfmac-make-skb-header-writable-before-use.patch queue-4.11/brcmfmac-ensure-pointer-correctly-set-if-skb-data-location-changes.patch