diff mbox series

[05/24] mac80211: free skb fraglist before freeing the skb

Message ID	20181215090325.31604-6-luca@coelho.fi (mailing list archive)
State	Accepted
Delegated to:	Johannes Berg
Headers	show Return-Path: <linux-wireless-owner@kernel.org> From: Luca Coelho <luca@coelho.fi> To: johannes@sipsolutions.net Cc: linux-wireless@vger.kernel.org, Sara Sharon <sara.sharon@intel.com>, Luca Coelho <luciano.coelho@intel.com> Date: Sat, 15 Dec 2018 11:03:06 +0200 Message-Id: <20181215090325.31604-6-luca@coelho.fi> In-Reply-To: <20181215090325.31604-1-luca@coelho.fi> References: <20181215090325.31604-1-luca@coelho.fi> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [PATCH 05/24] mac80211: free skb fraglist before freeing the skb Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk
Series	cfg80211/mac80211 patches from our internal tree 2018-12-15 \| expand [00/24] cfg80211/mac80211 patches from our internal tree 2018-12-15 [01/24] mac80211: suspicious RCU usage fix [02/24] ieee80211: add bits for TWT in Extended Capabilities IE [03/24] mac80211: propagate the support for TWT to the driver [04/24] mac80211: update HE operation fields to D3.0 [05/24] mac80211: free skb fraglist before freeing the skb [06/24] mac80211: don't build AMSDU from GSO packets [07/24] mac80211: document RCU requirements for ieee80211_tx_dequeue() [08/24] mac80211: remove superfluous NULL check [09/24] mac80211: fix a kernel panic when TXing after TXQ teardown [10/24] mac80211: never pass NULL params to ieee80211_if_add() [11/24] mac80211: fix radiotap vendor presence bitmap handling [12/24] mac80211: ignore NullFunc frames in the duplicate detection [13/24] cfg80211: pmsr: fix MAC address setting [14/24] mac80211: update driver when MU EDCA params change [15/24] cfg80211: fix ieee80211_get_vht_max_nss() [16/24] mac80211: Properly handle SKB with radiotap only [17/24] cfg80211: Include the PMK and PMKID in NL80211_CMD_EXTERNAL_AUTH [18/24] mac80211: set STA flag DISABLE_HE if HE is not supported [19/24] mac80211: do not advertise HE cap IE if HE disabled [20/24] cfg80211: add some missing fall through annotations [21/24] nl80211: fix memory leak if validate_pae_over_nl80211() fails [22/24] cfg80211: clarify LCI/civic location documentation [23/24] mac80211: ftm responder: remove pointless defensive coding [24/24] mac80211: Properly access radiotap vendor data

Commit Message

Luca Coelho Dec. 15, 2018, 9:03 a.m. UTC

From: Sara Sharon <sara.sharon@intel.com>

mac80211 uses the frag list to build AMSDU. When freeing
the skb, it may not be really freed, since someone is still
holding a reference to it.
In that case, when TCP skb is being retransmitted, the
pointer to the frag list is being reused, while the data
in there is no longer valid.
Since we will never get frag list from the network stack,
as mac80211 doesn't advertise the capability, we can safely
free and nullify it before releasing the SKB.

Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
 net/mac80211/status.c | 5 +++++
 1 file changed, 5 insertions(+)

diff mbox series

Patch

diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index aa4afbf0abaf..267236297b2a 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -556,6 +556,11 @@  static void ieee80211_report_used_skb(struct ieee80211_local *local,
 	}
 
 	ieee80211_led_tx(local);
+
+	if (skb_has_frag_list(skb)) {
+		kfree_skb_list(skb_shinfo(skb)->frag_list);
+		skb_shinfo(skb)->frag_list = NULL;
+	}
 }
 
 /*