ath6kl: Fix accessing wrong skb->data in ath6kl_tx_complete()

When buffer alignmnet is applied, the data pointer of skb taken from
cookie will no longer point to the first byte of the actual data.
But the skb->data pointer is used in ath6kl_tx_complete() to get
the index of the virtual interface which will not give the correct
interface index and sometimes may give the following WARN_ON() message.
Use packet->buf instead of skb->data to fix this.

WARNING: at drivers/net/wireless/ath/ath6kl/wmi.c:88 ath6kl_get_vif_by_index+0x5b/0x60 [ath6kl]()
Hardware name: 2842K3U
Modules linked in: ath6kl mmc_block cfg80211 binfmt_misc ppdev nfs nfsd lockd nfs_acl auth_rpcgss sunrpc exportfs snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel
+snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy thinkpad_acpi snd_seq_oss snd_seq_midi snd_rawmidi joydev fbcon tileblit font bitblit softcursor
+snd_seq_midi_event snd_seq snd_timer snd_seq_device i915 uvcvideo drm_kms_helper drm psmouse serio_raw snd i2c_algo_bit sdhci_pci videodev intel_agp soundcore intel_gtt jmb38x_ms
+memstick sdhci snd_page_alloc nvram lp parport agpgart video ahci r8169 mii libahci [last unloaded: ath6kl]
Pid: 15482, comm: kworker/u:1 Tainted: G        W   3.1.0-rc10-wl+ #2
Call Trace:
 [<c0144d72>] warn_slowpath_common+0x72/0xa0
 [<fb7c94fb>] ? ath6kl_get_vif_by_index+0x5b/0x60 [ath6kl]
 [<fb7c94fb>] ? ath6kl_get_vif_by_index+0x5b/0x60 [ath6kl]
 [<c0144dc2>] warn_slowpath_null+0x22/0x30
 [<fb7c94fb>] ath6kl_get_vif_by_index+0x5b/0x60 [ath6kl]
 [<fb7c7028>] ath6kl_tx_complete+0x128/0x4d0 [ath6kl]
 [<c04df920>] ? mmc_request_done+0x80/0x80
 [<fb7b9e2e>] htc_tx_complete+0x5e/0x70 [ath6kl]
 [<c05e4cf6>] ? _raw_spin_unlock_bh+0x16/0x20
 [<fb7ce588>] ? ath6kl_sdio_scatter_req_add+0x48/0x60 [ath6kl]
 [<fb7b9f42>] htc_async_tx_scat_complete+0xb2/0x120 [ath6kl]
 [<fb7ce9e7>] ath6kl_sdio_scat_rw+0x87/0x370 [ath6kl]
 [<c0101e12>] ? __switch_to+0xd2/0x190
 [<c01397b5>] ? finish_task_switch+0x45/0xd0
 [<c05e272e>] ? __schedule+0x3ae/0x8b0
 [<fb7cf00a>] ath6kl_sdio_write_async_work+0x4a/0xf0 [ath6kl]
 [<c015d266>] process_one_work+0x116/0x3c0
 [<fb7cefc0>] ? ath6kl_sdio_read_write_sync+0xb0/0xb0 [ath6kl]
 [<c015f5b0>] worker_thread+0x140/0x3b0
 [<c015f470>] ? manage_workers+0x1f0/0x1f0
 [<c0163424>] kthread+0x74/0x80
 [<c01633b0>] ? kthread_worker_fn+0x160/0x160
 [<c05ebdc6>] kernel_thread_helper+0x6/0x10

Reported-by: Aarthi Thiruvengadam <athiruve@qca.qualcomm.com>
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
index d9cff2b..62beadb 100644 (file)
--- a/drivers/net/wireless/ath/ath6kl/txrx.c
+++ b/drivers/net/wireless/ath/ath6kl/txrx.c
@@ -571,8 +571,6 @@ void ath6kl_tx_complete(void *context, struct list_head *packet_queue)
                if (!skb || !skb->data)
                        goto fatal;
 
-               packet->buf = skb->data;
-
                __skb_queue_tail(&skb_queue, skb);
 
                if (!status && (packet->act_len != skb->len))
@@ -593,10 +591,10 @@ void ath6kl_tx_complete(void *context, struct list_head *packet_queue)
 
                if (eid == ar->ctrl_ep) {
                        if_idx = wmi_cmd_hdr_get_if_idx(
-                               (struct wmi_cmd_hdr *) skb->data);
+                               (struct wmi_cmd_hdr *) packet->buf);
                } else {
                        if_idx = wmi_data_hdr_get_if_idx(
-                               (struct wmi_data_hdr *) skb->data);
+                               (struct wmi_data_hdr *) packet->buf);
                }
 
                vif = ath6kl_get_vif_by_index(ar, if_idx);