aboutsummaryrefslogtreecommitdiffstats
path: root/package
diff options
context:
space:
mode:
Diffstat (limited to 'package')
-rw-r--r--package/kernel/mac80211/patches/396-mac80211-free-skb-fraglist-before-freeing-the-skb.patch31
1 files changed, 31 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/396-mac80211-free-skb-fraglist-before-freeing-the-skb.patch b/package/kernel/mac80211/patches/396-mac80211-free-skb-fraglist-before-freeing-the-skb.patch
new file mode 100644
index 0000000000..4819dfc648
--- /dev/null
+++ b/package/kernel/mac80211/patches/396-mac80211-free-skb-fraglist-before-freeing-the-skb.patch
@@ -0,0 +1,31 @@
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Thu, 11 Oct 2018 14:21:21 +0200
+Subject: [PATCH] mac80211: free skb fraglist before freeing the skb
+
+mac80211 uses the frag list to build AMSDU. When freeing
+the skb, it may not be really freed, since someone is still
+holding a reference to it.
+In that case, when TCP skb is being retransmitted, the
+pointer to the frag list is being reused, while the data
+in there is no longer valid.
+Since we will never get frag list from the network stack,
+as mac80211 doesn't advertise the capability, we can safely
+free and nullify it before releasing the SKB.
+
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+---
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -550,6 +550,11 @@ static void ieee80211_report_used_skb(st
+ }
+
+ ieee80211_led_tx(local);
++
++ if (skb_has_frag_list(skb)) {
++ kfree_skb_list(skb_shinfo(skb)->frag_list);
++ skb_shinfo(skb)->frag_list = NULL;
++ }
+ }
+
+ /*