mt76: dma: do not report truncated frames to mac80211
authorLorenzo Bianconi <lorenzo@kernel.org>
Sun, 7 Feb 2021 11:48:31 +0000 (12:48 +0100)
committerKalle Valo <kvalo@codeaurora.org>
Fri, 26 Feb 2021 11:49:57 +0000 (13:49 +0200)
Commit b102f0c522cf6 ("mt76: fix array overflow on receiving too many
fragments for a packet") fixes a possible OOB access but it introduces a
memory leak since the pending frame is not released to page_frag_cache
if the frag array of skb_shared_info is full. Commit 93a1d4791c10
("mt76: dma: fix a possible memory leak in mt76_add_fragment()") fixes
the issue but does not free the truncated skb that is forwarded to
mac80211 layer. Fix the leftover issue by discarding truncated skbs as well.

Fixes: 93a1d4791c10 ("mt76: dma: fix a possible memory leak in mt76_add_fragment()")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/a03166fcc8214644333c68674a781836e0f57576.1612697217.git.lorenzo@kernel.org
drivers/net/wireless/mediatek/mt76/dma.c

index abdc8d364361ca1f6af1b723c45f8929d0d5aedd..2f27c43ad76df3f354f6196fb49e3df911a45ad4 100644 (file)
@@ -512,13 +512,13 @@ mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data,
 {
        struct sk_buff *skb = q->rx_head;
        struct skb_shared_info *shinfo = skb_shinfo(skb);
+       int nr_frags = shinfo->nr_frags;
 
-       if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
+       if (nr_frags < ARRAY_SIZE(shinfo->frags)) {
                struct page *page = virt_to_head_page(data);
                int offset = data - page_address(page) + q->buf_offset;
 
-               skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len,
-                               q->buf_size);
+               skb_add_rx_frag(skb, nr_frags, page, offset, len, q->buf_size);
        } else {
                skb_free_frag(data);
        }
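Review bot: The snapshot `int nr_frags = shinfo->nr_frags;` needs a comment, because the later deliver-or-drop decision is only correct if the value is captured before `skb_add_rx_frag()` updates the count in `shinfo`. A later cleanup that moves the read or goes back to `shinfo->nr_frags` would make a frame that exactly fills the frag array look truncated. Something like `/* taken before skb_add_rx_frag() bumps shinfo->nr_frags; tells the completion path whether this fragment fit */` above the declaration would pin that down. The function's signature is above the hunk and its body continues past it.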
@@ -527,7 +527,10 @@ mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data,
                return;
 
        q->rx_head = NULL;
-       dev->drv->rx_skb(dev, q - dev->q_rx, skb);
+       if (nr_frags < ARRAY_SIZE(shinfo->frags))
+               dev->drv->rx_skb(dev, q - dev->q_rx, skb);
+       else
+               dev_kfree_skb(skb);
 }
 
 static int
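Review bot: The else branch frees the truncated frame with `dev_kfree_skb(skb)`, which the kernel headers define as `consume_skb()`, so the discard is traced as a normal consume rather than a drop. Using `kfree_skb(skb);` here would make these discards visible to drop monitoring. The branch also has no counter or rate-limited message, so a device that repeatedly delivers more fragments than `shinfo->frags` can hold loses frames with no trace for an operator. Whether mt76 has a suitable rx-drop statistic to bump is not visible from this hunk. The function begins above the hunk.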