[PATCH] hostap: Fix skb->cb use for TX meta data

Old AP mode code for power saving was using skb->cb for couple of
flags before the more generic 802.11 TX code started using the same
buffer for struct hostap_skb_tx_data. This resulted in the power save
code corrupting the magic value in beginning of the buffer and TX code
dropping the power saved packets because of this for the case where
STAs send PS-Poll frames with PwrMgmt flag set.

This patch modifies the power save code to use the same struct
hostap_skb_tx_data as rest of the TX path in order to avoid corrupting
the data in skb->cb.

In addition, this patch reorders fields in the structure and makes
them use smaller types in order to make the structure fit in skb->cb
on 64-bit hosts.

Signed-off-by: Jouni Malinen <jkmaline@cc.hut.fi>
Signed-off-by: Jeff Garzik <jgarzik@pobox.com>

drivers/net/wireless/hostap/hostap_80211_tx.c

@@ -226,7 +226,8 @@ int hostap_data_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	meta = (struct hostap_skb_tx_data *) skb->cb;
 	memset(meta, 0, sizeof(*meta));
 	meta->magic = HOSTAP_SKB_TX_DATA_MAGIC;
-	meta->wds = use_wds;
+	if (use_wds)
+		meta->flags |= HOSTAP_TX_FLAGS_WDS;
 	meta->ethertype = ethertype;
 	meta->iface = iface;
 
@@ -410,7 +411,8 @@ int hostap_master_start_xmit(struct sk_buff *skb, struct net_device *dev)
 	case AP_TX_CONTINUE_NOT_AUTHORIZED:
 		if (local->ieee_802_1x &&
 		    HOSTAP_FC_GET_TYPE(fc) == WLAN_FC_TYPE_DATA &&
-		    meta->ethertype != ETH_P_PAE && !meta->wds) {
+		    meta->ethertype != ETH_P_PAE &&
+		    !(meta->flags & HOSTAP_TX_FLAGS_WDS)) {
 			printk(KERN_DEBUG "%s: dropped frame to unauthorized "
 			       "port (IEEE 802.1X): ethertype=0x%04x\n",
 			       dev->name, meta->ethertype);

drivers/net/wireless/hostap/hostap_ap.c

@@ -1840,6 +1840,8 @@ static void ap_handle_dropped_data(local_info_t *local,
 static void pspoll_send_buffered(local_info_t *local, struct sta_info *sta,
 				 struct sk_buff *skb)
 {
+	struct hostap_skb_tx_data *meta;
+
 	if (!(sta->flags & WLAN_STA_PS)) {
 		/* Station has moved to non-PS mode, so send all buffered
 		 * frames using normal device queue. */
@@ -1849,11 +1851,11 @@ static void pspoll_send_buffered(local_info_t *local, struct sta_info *sta,
 
 	/* add a flag for hostap_handle_sta_tx() to know that this skb should
 	 * be passed through even though STA is using PS */
-	memcpy(skb->cb, AP_SKB_CB_MAGIC, AP_SKB_CB_MAGIC_LEN);
-	skb->cb[AP_SKB_CB_MAGIC_LEN] = AP_SKB_CB_BUFFERED_FRAME;
+	meta = (struct hostap_skb_tx_data *) skb->cb;
+	meta->flags |= HOSTAP_TX_FLAGS_BUFFERED_FRAME;
 	if (!skb_queue_empty(&sta->tx_buf)) {
 		/* indicate to STA that more frames follow */
-		skb->cb[AP_SKB_CB_MAGIC_LEN] |= AP_SKB_CB_ADD_MOREDATA;
+		meta->flags |= HOSTAP_TX_FLAGS_ADD_MOREDATA;
 	}
 	dev_queue_xmit(skb);
 }
@@ -2707,7 +2709,8 @@ ap_tx_ret hostap_handle_sta_tx(local_info_t *local, struct hostap_tx_data *tx)
 		atomic_inc(&sta->users);
 	spin_unlock(&local->ap->sta_table_lock);
 
-	if (local->iw_mode == IW_MODE_MASTER && sta == NULL && !meta->wds &&
+	if (local->iw_mode == IW_MODE_MASTER && sta == NULL &&
+	    !(meta->flags & HOSTAP_TX_FLAGS_WDS) &&
 	    meta->iface->type != HOSTAP_INTERFACE_MASTER &&
 	    meta->iface->type != HOSTAP_INTERFACE_AP) {
 #if 0
@@ -2743,18 +2746,15 @@ ap_tx_ret hostap_handle_sta_tx(local_info_t *local, struct hostap_tx_data *tx)
 	if (!(sta->flags & WLAN_STA_PS))
 		goto out;
 
-	if (memcmp(skb->cb, AP_SKB_CB_MAGIC, AP_SKB_CB_MAGIC_LEN) == 0) {
-		if (skb->cb[AP_SKB_CB_MAGIC_LEN] & AP_SKB_CB_ADD_MOREDATA) {
-			/* indicate to STA that more frames follow */
-			hdr->frame_control |=
-				__constant_cpu_to_le16(WLAN_FC_MOREDATA);
-		}
+	if (meta->flags & HOSTAP_TX_FLAGS_ADD_MOREDATA) {
+		/* indicate to STA that more frames follow */
+		hdr->frame_control |= __constant_cpu_to_le16(WLAN_FC_MOREDATA);
+	}
 
-		if (skb->cb[AP_SKB_CB_MAGIC_LEN] & AP_SKB_CB_BUFFERED_FRAME) {
-			/* packet was already buffered and now send due to
-			 * PS poll, so do not rebuffer it */
-			goto out;
-		}
+	if (meta->flags & HOSTAP_TX_FLAGS_BUFFERED_FRAME) {
+		/* packet was already buffered and now send due to
+		 * PS poll, so do not rebuffer it */
+		goto out;
 	}
 
 	if (skb_queue_len(&sta->tx_buf) >= STA_MAX_TX_BUFFER) {

drivers/net/wireless/hostap/hostap_ap.h

@@ -6,15 +6,6 @@
 /* maximum number of frames to buffer per STA */
 #define STA_MAX_TX_BUFFER 32
 
-/* Flags used in skb->cb[6] to control how the packet is handled in TX path.
- * skb->cb[0..5] must contain magic value 'hostap' to indicate that cb[6] is
- * used. */
-#define AP_SKB_CB_MAGIC "hostap"
-#define AP_SKB_CB_MAGIC_LEN 6
-#define AP_SKB_CB_BUFFERED_FRAME BIT(0)
-#define AP_SKB_CB_ADD_MOREDATA BIT(1)
-
-
 /* STA flags */
 #define WLAN_STA_AUTH BIT(0)
 #define WLAN_STA_ASSOC BIT(1)

drivers/net/wireless/hostap/hostap_wlan.h

@@ -941,16 +941,21 @@ struct hostap_interface {
 
 #define HOSTAP_SKB_TX_DATA_MAGIC 0xf08a36a2
 
-/* TX meta data - stored in skb->cb buffer, so this must be not increase over
- * 48-byte limit */
+/*
+ * TX meta data - stored in skb->cb buffer, so this must not be increased over
+ * the 40-byte limit
+ */
 struct hostap_skb_tx_data {
-	unsigned int magic; /* HOSTAP_SKB_TX_DATA_MAGIC */
-	int rate; /* transmit rate */
+	u32 magic; /* HOSTAP_SKB_TX_DATA_MAGIC */
+	u8 rate; /* transmit rate */
+#define HOSTAP_TX_FLAGS_WDS BIT(0)
+#define HOSTAP_TX_FLAGS_BUFFERED_FRAME BIT(1)
+#define HOSTAP_TX_FLAGS_ADD_MOREDATA BIT(2)
+	u8 flags; /* HOSTAP_TX_FLAGS_* */
+	u16 tx_cb_idx;
 	struct hostap_interface *iface;
 	unsigned long jiffies; /* queueing timestamp */
-	int wds;
 	unsigned short ethertype;
-	int tx_cb_idx;
 };