From: Chih-Kang Chang Date: Mon, 30 Aug 2021 07:32:40 +0000 (+0800) Subject: mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug X-Git-Tag: baikal/aarch64/sdk6.1~5643^2~21^2~7 X-Git-Url: https://git.baikalelectronics.ru/sdk/?a=commitdiff_plain;h=c4b4cb6e9e32c2ef6f5005e6206583b78ce7b60a;p=kernel.git mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug In ieee80211_amsdu_aggregate() set a pointer frag_tail point to the end of skb_shinfo(head)->frag_list, and use it to bind other skb in the end of this function. But when execute ieee80211_amsdu_aggregate() ->ieee80211_amsdu_realloc_pad()->pskb_expand_head(), the address of skb_shinfo(head)->frag_list will be changed. However, the ieee80211_amsdu_aggregate() not update frag_tail after call pskb_expand_head(). That will cause the second skb can't bind to the head skb appropriately.So we update the address of frag_tail to fix it. Fixes: 997eb7fcb902 ("mac80211: add A-MSDU tx support") Signed-off-by: Chih-Kang Chang Signed-off-by: Zong-Zhe Yang Signed-off-by: Ping-Ke Shih Link: https://lore.kernel.org/r/20210830073240.12736-1-pkshih@realtek.com [reword comment] Signed-off-by: Johannes Berg --- diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 2d1193ed3eb52..824bed71be138 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -3380,6 +3380,14 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata, if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head)) goto out; + /* If n == 2, the "while (*frag_tail)" loop above didn't execute + * and frag_tail should be &skb_shinfo(head)->frag_list. + * However, ieee80211_amsdu_prepare_head() can reallocate it. + * Reload frag_tail to have it pointing to the correct place. + */ + if (n == 2) + frag_tail = &skb_shinfo(head)->frag_list; + /* * Pad out the previous subframe to a multiple of 4 by adding the * padding to the next one, that's being added. Note that head->len