projects / openwrt / staging / blogic.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a9149d2) | patch
mt76: fix array overflow on receiving too many fragments for a packet
authorFelix Fietkau <nbd@nbd.name>
Thu, 20 Feb 2020 11:41:39 +0000 (12:41 +0100)
committerKalle Valo <kvalo@codeaurora.org>
Tue, 3 Mar 2020 15:30:25 +0000 (17:30 +0200)
commitb102f0c522cf668c8382c56a4f771b37d011cda2
tree7241c52d1e25587c46fe14df15ee207c0c11eeaftree | snapshot
parenta9149d243f259ad8f02b1e23dfe8ba06128f15e1commit | diff
mt76: fix array overflow on receiving too many fragments for a packet

If the hardware receives an oversized packet with too many rx fragments,
skb_shinfo(skb)->frags can overflow and corrupt memory of adjacent pages.
This becomes especially visible if it corrupts the freelist pointer of
a slab page.

Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/mediatek/mt76/dma.c diff | blob | history
John Crispins staging tree