From eefce91a384a64c7bbf913eb08c4adfb911c3639 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Sat, 17 May 2008 00:57:13 +0200 Subject: mac80211: dont allow fragmentation and requeuing on A-MPDU queues There really is no reason for a driver to reject a frame on an A-MPDU queue when it can stop that queue for any period of time and is given frames one by one. Hence, disallow it with a big warning and reduce mac80211-internal state. Also add a warning when we try to fragment a frame destined for an A-MPDU queue and drop it, the actual bug needs to be fixed elsewhere but I'm not exactly sure how to yet. Signed-off-by: Johannes Berg Cc: Ron Rindjunsky Signed-off-by: John W. Linville --- net/mac80211/tx.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'net/mac80211/tx.c') diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index ac9a4af7ad4..6268bbca148 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -673,6 +673,16 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx) if (!(tx->flags & IEEE80211_TX_FRAGMENTED)) return TX_CONTINUE; + /* + * Warn when submitting a fragmented A-MPDU frame and drop it. + * This is an error and needs to be fixed elsewhere, but when + * done needs to take care of monitor interfaces (injection) + * etc. + */ + if (WARN_ON(tx->flags & IEEE80211_TX_CTL_AMPDU || + IEEE80211_SKB_CB(tx->skb)->queue >= tx->local->hw.queues)) + return TX_DROP; + first = tx->skb; hdrlen = ieee80211_get_hdrlen(tx->fc); @@ -1216,8 +1226,17 @@ static int ieee80211_tx(struct net_device *dev, struct sk_buff *skb) retry: ret = __ieee80211_tx(local, skb, &tx); if (ret) { - struct ieee80211_tx_stored_packet *store = - &local->pending_packet[info->queue]; + struct ieee80211_tx_stored_packet *store; + + /* + * Since there are no fragmented frames on A-MPDU + * queues, there's no reason for a driver to reject + * a frame there, warn and drop it. + */ + if (WARN_ON(queue >= local->hw.queues)) + goto drop; + + store = &local->pending_packet[queue]; if (ret == IEEE80211_TX_FRAG_AGAIN) skb = NULL; -- cgit