
Commit 5a94173f authored by Lorenzo Bianconi, committed by Greg Kroah-Hartman

mt76: dma: do not report truncated frames to mac80211



commit d0bd52c591a1070c54dc428e926660eb4f981099 upstream.

Commit b102f0c522cf6 ("mt76: fix array overflow on receiving too many
fragments for a packet") fixes a possible OOB access but it introduces a
memory leak since the pending frame is not released to page_frag_cache
if the frag array of skb_shared_info is full. Commit 93a1d4791c10
("mt76: dma: fix a possible memory leak in mt76_add_fragment()") fixes
the issue but does not free the truncated skb that is forwarded to
mac80211 layer. Fix the leftover issue discarding even truncated skbs.

Fixes: 93a1d4791c10 ("mt76: dma: fix a possible memory leak in mt76_add_fragment()")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/a03166fcc8214644333c68674a781836e0f57576.1612697217.git.lorenzo@kernel.org


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 072d8778
+7 −4
@@ -395,13 +395,13 @@ mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data,
{
	struct sk_buff *skb = q->rx_head;
	struct skb_shared_info *shinfo = skb_shinfo(skb);
	int nr_frags = shinfo->nr_frags;

	if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
	if (nr_frags < ARRAY_SIZE(shinfo->frags)) {
		struct page *page = virt_to_head_page(data);
		int offset = data - page_address(page) + q->buf_offset;

		skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len,
				q->buf_size);
		skb_add_rx_frag(skb, nr_frags, page, offset, len, q->buf_size);
	} else {
		skb_free_frag(data);
	}
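Review bot: the new local `nr_frags` at the top of mt76_add_fragment() is read before skb_add_rx_frag() and reused after the call, so it has to remain the pre-add count; a one-line comment saying so would stop a later cleanup from switching the checks back to `shinfo->nr_frags`. It is also a signed `int` compared against `ARRAY_SIZE()`, which is unsigned; declaring it unsigned would avoid the mixed-sign comparison.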
@@ -410,7 +410,10 @@ mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data,
		return;

	q->rx_head = NULL;
	if (nr_frags < ARRAY_SIZE(shinfo->frags))
		dev->drv->rx_skb(dev, q - dev->q_rx, skb);
	else
		dev_kfree_skb(skb);
}

static int
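Review bot: the `else dev_kfree_skb(skb);` branch discards the truncated frame silently, so a fragment overflow leaves no trace for anyone debugging missing RX frames. Consider bumping a drop counter or adding a rate-limited debug message in that branch. The `nr_frags < ARRAY_SIZE(shinfo->frags)` test is also repeated from the first hunk; a local bool set once would keep the add-or-free decision and the deliver-or-drop decision from drifting apart.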