diff options
| author |   Wright Feng <Wright.Feng@cypress.com> | 2019-04-26 03:41:46 +0000 |
|---|---|---|
| committer |   Kalle Valo <kvalo@codeaurora.org> | 2019-05-01 18:26:07 +0300 |
| commit | 2d91c8ad068a5cad4d9e7ece8dc811a697c7176a (patch) | |
| tree | 8030110859ba9c0f4e7a68090babeb402cd5aa36 /drivers/net/wireless | |
| parent | brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() (diff) | |
| download | linux-dev-2d91c8ad068a5cad4d9e7ece8dc811a697c7176a.tar.xz linux-dev-2d91c8ad068a5cad4d9e7ece8dc811a697c7176a.zip | |
brcmfmac: set txflow request id from 1 to pktids array size
Some PCIE firmwares drop txstatus if pktid is 0 and make packet held in
host side and never be released. If that packet type is 802.1x, the
pend_8021x_cnt value will be always greater than 0 and show "Timed out
waiting for no pending 802.1x packets" error message when sending key to
dongle every time.
To be compatible with all firmwares, host should set txflow request id
from 1 instead of from 0.
Signed-off-by: Wright Feng <wright.feng@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Diffstat (limited to 'drivers/net/wireless')
| -rw-r--r-- | drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c index d3780eae7f19..9d1f9ff25bfa 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c @@ -375,7 +375,7 @@ brcmf_msgbuf_get_pktid(struct device *dev, struct brcmf_msgbuf_pktids *pktids, struct brcmf_msgbuf_pktid *pktid; struct sk_buff *skb; - if (idx >= pktids->array_size) { + if (idx < 0 || idx >= pktids->array_size) { brcmf_err("Invalid packet id %d (max %d)\n", idx, pktids->array_size); return NULL; @@ -747,7 +747,7 @@ static void brcmf_msgbuf_txflow(struct brcmf_msgbuf *msgbuf, u16 flowid) tx_msghdr = (struct msgbuf_tx_msghdr *)ret_ptr; tx_msghdr->msg.msgtype = MSGBUF_TYPE_TX_POST; - tx_msghdr->msg.request_id = cpu_to_le32(pktid); + tx_msghdr->msg.request_id = cpu_to_le32(pktid + 1); tx_msghdr->msg.ifidx = brcmf_flowring_ifidx_get(flow, flowid); tx_msghdr->flags = BRCMF_MSGBUF_PKT_FLAGS_FRAME_802_3; tx_msghdr->flags |= (skb->priority & 0x07) << @@ -884,7 +884,7 @@ brcmf_msgbuf_process_txstatus(struct brcmf_msgbuf *msgbuf, void *buf) u16 flowid; tx_status = (struct msgbuf_tx_status *)buf; - idx = le32_to_cpu(tx_status->msg.request_id); + idx = le32_to_cpu(tx_status->msg.request_id) - 1; flowid = le16_to_cpu(tx_status->compl_hdr.flow_ring_id); flowid -= BRCMF_H2D_MSGRING_FLOWRING_IDSTART; skb = brcmf_msgbuf_get_pktid(msgbuf->drvr->bus_if->dev, |