diff options
author | Felix Fietkau <nbd@nbd.name> | 2018-10-11 18:48:35 +0200 |
---|---|---|
committer | Felix Fietkau <nbd@nbd.name> | 2018-10-11 18:48:35 +0200 |
commit | 4fa4b5edaf79a3574e1485ebb04ba7e0d2289d63 (patch) | |
tree | 69a6494b436c79d0c18297776acd9cfa87d0715c | |
parent | 70cb2d20c9f5dff7c1f3344812fd0d1ac06e911d (diff) | |
download | upstream-4fa4b5edaf79a3574e1485ebb04ba7e0d2289d63.tar.gz upstream-4fa4b5edaf79a3574e1485ebb04ba7e0d2289d63.tar.bz2 upstream-4fa4b5edaf79a3574e1485ebb04ba7e0d2289d63.zip |
mac80211: fix A-MSDU packet handling with TCP retransmission
Improves local TCP throughput and fixes use-after-free bugs that could lead
to crashes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
-rw-r--r-- | package/kernel/mac80211/patches/396-mac80211-free-skb-fraglist-before-freeing-the-skb.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/396-mac80211-free-skb-fraglist-before-freeing-the-skb.patch b/package/kernel/mac80211/patches/396-mac80211-free-skb-fraglist-before-freeing-the-skb.patch new file mode 100644 index 0000000000..4819dfc648 --- /dev/null +++ b/package/kernel/mac80211/patches/396-mac80211-free-skb-fraglist-before-freeing-the-skb.patch @@ -0,0 +1,31 @@ +From: Sara Sharon <sara.sharon@intel.com> +Date: Thu, 11 Oct 2018 14:21:21 +0200 +Subject: [PATCH] mac80211: free skb fraglist before freeing the skb + +mac80211 uses the frag list to build AMSDU. When freeing +the skb, it may not be really freed, since someone is still +holding a reference to it. +In that case, when TCP skb is being retransmitted, the +pointer to the frag list is being reused, while the data +in there is no longer valid. +Since we will never get frag list from the network stack, +as mac80211 doesn't advertise the capability, we can safely +free and nullify it before releasing the SKB. + +Signed-off-by: Sara Sharon <sara.sharon@intel.com> +--- + +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -550,6 +550,11 @@ static void ieee80211_report_used_skb(st + } + + ieee80211_led_tx(local); ++ ++ if (skb_has_frag_list(skb)) { ++ kfree_skb_list(skb_shinfo(skb)->frag_list); ++ skb_shinfo(skb)->frag_list = NULL; ++ } + } + + /* |