
Commit ac6724d4 authored by Felix Fietkau, committed by Greg Kroah-Hartman

mt76: clear skb pointers from rx aggregation reorder buffer during cleanup



[ Upstream commit 9379df2fd9234e3b67a23101c2370c99f6af6d77 ]

During the cleanup of the aggregation session, a rx handler (or release timer)
on another CPU might still hold a pointer to the reorder buffer and could
attempt to release some packets.
Clearing pointers during cleanup avoids a theoretical use-after-free bug here.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
parent 7444a79b
+1 −0
@@ -278,6 +278,7 @@ static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid)
		if (!skb)
			continue;

		tid->reorder_buf[i] = NULL;
		tid->nframes--;
		dev_kfree_skb(skb);
	}
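
Review bot: the `tid->reorder_buf[i] = NULL;` store in the loop of mt76_rx_aggr_shutdown() only helps against the rx handler or release timer on another CPU named in the commit message if both sides access the slot under the same lock, and the hunk context does not show one being held. Please confirm that this loop runs with that lock taken and that the release path re-checks the slot for NULL under it before touching the skb. A one-line comment above the store saying why the slot is cleared before `dev_kfree_skb(skb)` would also keep the line from being dropped later as redundant.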