From e220ffb5338fc16a9f36662c1a7c32f6923e53ce Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Thu, 11 Oct 2018 15:16:28 +0200
Subject: [PATCH] mac80211: fix A-MSDU packet handling with TCP retransmission
Improves local TCP throughput and fixes use-after-free bugs that could lead to crashes.
Signed-off-by: Felix Fietkau
---
 ...-skb-fraglist-before-freeing-the-skb.patch | 31 +++++++++++++++++++
 ...80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch | 2 +-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 package/kernel/mac80211/patches/subsys/351-mac80211-free-skb-fraglist-before-freeing-the-skb.patch
diff --git a/package/kernel/mac80211/patches/subsys/351-mac80211-free-skb-fraglist-before-freeing-the-skb.patch b/package/kernel/mac80211/patches/subsys/351-mac80211-free-skb-fraglist-before-freeing-the-skb.patch
new file mode 100644
index 00000000000..200e4fe38d8
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/351-mac80211-free-skb-fraglist-before-freeing-the-skb.patch
@@ -0,0 +1,31 @@
+From: Sara Sharon
+Date: Thu, 11 Oct 2018 14:21:21 +0200
+Subject: [PATCH] mac80211: free skb fraglist before freeing the skb
+
+mac80211 uses the frag list to build AMSDU. When freeing
+the skb, it may not be really freed, since someone is still
+holding a reference to it.
+In that case, when TCP skb is being retransmitted, the
+pointer to the frag list is being reused, while the data
+in there is no longer valid.
+Since we will never get frag list from the network stack,
+as mac80211 doesn't advertise the capability, we can safely
+free and nullify it before releasing the SKB.
+
+Signed-off-by: Sara Sharon
+---
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -561,6 +561,11 @@ static void ieee80211_report_used_skb(st
+ }
+
+ ieee80211_led_tx(local);
++
++ if (skb_has_frag_list(skb)) {
++ kfree_skb_list(skb_shinfo(skb)->frag_list);
++ skb_shinfo(skb)->frag_list = NULL;
++ }
+ }
+
+ /*
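Review bot: The new block in ieee80211_report_used_skb frees and nulls skb_shinfo(skb)->frag_list unconditionally, and the only reason this is safe — that mac80211 builds the frag list itself for A-MSDU and never receives one from the network stack because it does not advertise the capability — is stated in the commit message rather than next to the code. A later change that advertises frag-list support would silently turn this into freeing buffers the stack still owns, so I would put that assumption in a comment above the `if`: `/* A-MSDU frag list is built by mac80211 and never comes from the stack: free it now so a still-referenced (e.g. TCP retransmit) skb cannot reuse a stale list. */`. ieee80211_report_used_skb starts and ends outside the hunk, so whether every caller reaches this point with a frag list that is exclusively mac80211-owned cannot be confirmed from the hunk alone and is worth stating in that comment as the invariant being relied on.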
diff --git a/package/kernel/mac80211/patches/subsys/358-mac80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch b/package/kernel/mac80211/patches/subsys/358-mac80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch
index c52a4f61a95..8183fb89b6a 100644
--- a/package/kernel/mac80211/patches/subsys/358-mac80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch
+++ b/package/kernel/mac80211/patches/subsys/358-mac80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch
@@ -96,7 +96,7 @@ Signed-off-by: Janusz Dziedzic
 struct rcu_head rcu_head;
 --- a/net/mac80211/status.c
 +++ b/net/mac80211/status.c
-@@ -653,9 +653,22 @@ void ieee80211_tx_monitor(struct ieee802
+@@ -658,9 +658,22 @@ void ieee80211_tx_monitor(struct ieee802
 struct sk_buff *skb2;
 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
 struct ieee80211_sub_if_data *sdata;
--
2.30.2