32 lines
938 B
Diff
32 lines
938 B
Diff
|
From: Sara Sharon <sara.sharon@intel.com>
|
||
|
|
Date: Thu, 11 Oct 2018 14:21:21 +0200
|
||
|
|
Subject: [PATCH] mac80211: free skb fraglist before freeing the skb
|
||
|
|
|
||
|
|
mac80211 uses the frag list to build AMSDU. When freeing
|
||
|
|
the skb, it may not be really freed, since someone is still
|
||
|
|
holding a reference to it.
|
||
|
|
In that case, when TCP skb is being retransmitted, the
|
||
|
|
pointer to the frag list is being reused, while the data
|
||
|
|
in there is no longer valid.
|
||
|
|
Since we will never get frag list from the network stack,
|
||
|
|
as mac80211 doesn't advertise the capability, we can safely
|
||
|
|
free and nullify it before releasing the SKB.
|
||
|
|
|
||
|
|
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
|
||
|
|
---
|
||
|
|
|
||
|
|
--- a/net/mac80211/status.c
|
||
|
|
+++ b/net/mac80211/status.c
|
||
|
|
@@ -561,6 +561,11 @@ static void ieee80211_report_used_skb(st
|
||
|
|
}
|
||
|
|
|
||
|
|
ieee80211_led_tx(local);
|
||
|
|
+
|
||
|
|
+ if (skb_has_frag_list(skb)) {
|
||
|
|
+ kfree_skb_list(skb_shinfo(skb)->frag_list);
|
||
|
|
+ skb_shinfo(skb)->frag_list = NULL;
|
||
|
|
+ }
|
||
|
|
}
|
||
|
|
|
||
|
|
/*
|