Commit 34b1e0e9 authored by Sara Sharon's avatar Sara Sharon Committed by Johannes Berg

mac80211: free skb fraglist before freeing the skb

mac80211 uses the frag list to build AMSDU. When freeing
the skb, it may not be really freed, since someone is still
holding a reference to it.
In that case, when TCP skb is being retransmitted, the
pointer to the frag list is being reused, while the data
in there is no longer valid.
Since we will never get frag list from the network stack,
as mac80211 doesn't advertise the capability, we can safely
free and nullify it before releasing the SKB.
Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent d350a0f4
...@@ -556,6 +556,11 @@ static void ieee80211_report_used_skb(struct ieee80211_local *local, ...@@ -556,6 +556,11 @@ static void ieee80211_report_used_skb(struct ieee80211_local *local,
} }
ieee80211_led_tx(local); ieee80211_led_tx(local);
if (skb_has_frag_list(skb)) {
kfree_skb_list(skb_shinfo(skb)->frag_list);
skb_shinfo(skb)->frag_list = NULL;
}
} }
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment