From 7077256b525928f5176fdb19eb34c85b76da133d Mon Sep 17 00:00:00 2001
From: Malcolm Priestley
Date: Wed, 27 May 2020 09:49:18 +0100
Subject: [PATCH] staging: vt6656: vnt_tx_packet use skb_clone to preserve sk_buff.

The sk_buff needs to preserved for copying to various parts of context and passing back to mac80211 clone sk_buff in context so to continue to writing to orginal sk_buff data area to send in vnt_tx_context. dev_kfree_skb the context on error or dev_kfree_skb the orignal when done. The error handling continues as before. Only one place in function needs to change from ieee80211_get_hdrlen_from_skb to ieee80211_hdrlen(hdr) which is already to pointing to correct position.

Signed-off-by: Malcolm Priestley
Link: https://lore.kernel.org/r/b87e8cc1-f584-989d-830b-609d712f08c7@gmail.com
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/vt6656/rxtx.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/vt6656/rxtx.c b/drivers/staging/vt6656/rxtx.c
index a1b16ef9b27f..05b9a9ee0e33 100644
--- a/drivers/staging/vt6656/rxtx.c
+++ b/drivers/staging/vt6656/rxtx.c
@@ -545,13 +545,18 @@ int vnt_tx_packet(struct vnt_private *priv, struct sk_buff *skb)
 		return -ENOMEM;
 	}
 
-	tx_context->skb = skb;
 	tx_context->pkt_type = pkt_type;
 	tx_context->frame_len = skb->len + 4;
 	tx_context->tx_rate = rate->hw_value;
 
 	spin_unlock_irqrestore(&priv->lock, flags);
 
+	tx_context->skb = skb_clone(skb, GFP_ATOMIC);
+	if (!tx_context->skb) {
+		tx_context->in_use = false;
+		return -ENOMEM;
+	}
+
 	tx_header_size = vnt_get_hdr_size(info);
 	tx_bytes = tx_header_size + skb->len;
 	tx_header_size += sizeof(struct vnt_tx_usb_header);
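Review bot: `tx_context->in_use = false;` on the skb_clone failure path is stored after `spin_unlock_irqrestore(&priv->lock, flags);`, whereas the lines above it (including the earlier `return -ENOMEM;` block) run with `priv->lock` held, so the context appears to have been claimed under the lock but is released without it. If `in_use` is only ever examined under `priv->lock` the unlocked store is benign, but please confirm no reader depends on the lock for this flag; performing the `skb_clone()` before the unlock, or re-taking the lock around the clear, keeps claim and release symmetric. Note that `skb_clone(..., GFP_ATOMIC)` adds an allocation to every transmitted frame, which is worth a one-line comment such as `/* clone keeps the original skb's data area as the TX buffer */` for the next reader. The enclosing function begins before and continues after this hunk.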
@@ -565,12 +570,9 @@ int vnt_tx_packet(struct vnt_private *priv, struct sk_buff *skb)
 
 	tx_buffer->usb.type = 0x00;
 	tx_context->type = CONTEXT_DATA_PACKET;
-	tx_context->tx_buffer = tx_buffer;
+	tx_context->tx_buffer = skb->data;
 	tx_context->buf_len = skb->len;
 
-	/* Return skb->data to mac80211 header */
-	skb_pull(skb, tx_header_size);
-
 	/*Set fifo controls */
 	if (pkt_type == PK_TYPE_11A)
 		tx_buffer_head->fifo_ctl = 0;
@@ -606,7 +608,7 @@ int vnt_tx_packet(struct vnt_private *priv, struct sk_buff *skb)
 		tx_buffer_head->fifo_ctl |= cpu_to_le16(FIFOCTL_LHEAD);
 
 	tx_buffer_head->frag_ctl =
-			cpu_to_le16(ieee80211_get_hdrlen_from_skb(skb) << 10);
+			cpu_to_le16(ieee80211_hdrlen(hdr->frame_control) << 10);
 
 	if (info->control.hw_key)
 		tx_context->frame_len += info->control.hw_key->icv_len;
@@ -623,10 +625,13 @@ int vnt_tx_packet(struct vnt_private *priv, struct sk_buff *skb)
 	spin_lock_irqsave(&priv->lock, flags);
 
 	if (vnt_tx_context(priv, tx_context)) {
+		dev_kfree_skb(tx_context->skb);
 		spin_unlock_irqrestore(&priv->lock, flags);
 		return -EIO;
 	}
 
+	dev_kfree_skb(skb);
+
 	spin_unlock_irqrestore(&priv->lock, flags);
 
 	return 0;
-- 
2.34.1
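Review bot: Both new `dev_kfree_skb()` calls in the last hunk run while `priv->lock` is held by `spin_lock_irqsave()`, i.e. with interrupts disabled, and `consume_skb()`/`dev_kfree_skb()` is not meant to be called in that state (`dev_kfree_skb_irq()` or `dev_kfree_skb_any()` is the variant for IRQ-disabled sections). The simplest fix is to free after the unlock: on the success path `spin_unlock_irqrestore(&priv->lock, flags); dev_kfree_skb(skb); return 0;`, and in the error branch likewise `spin_unlock_irqrestore(&priv->lock, flags); dev_kfree_skb(tx_context->skb); return -EIO;`. Separately, the second hunk points `tx_context->tx_buffer` at `skb->data` and the original skb is then freed as soon as `vnt_tx_context()` returns; that is only safe if `vnt_tx_context()` (outside this diff) copies the buffer synchronously rather than submitting a URB that still references `skb->data`, which should be confirmed before this lands. The function's beginning lies outside these hunks.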