diff options
| author | Karthikeyan Periyasamy <periyasa@codeaurora.org> | 2019-11-27 14:08:53 +0000 |
|---|---|---|
| committer | Kalle Valo <kvalo@codeaurora.org> | 2019-11-29 09:47:37 +0200 |
| commit | 30679ec409189de89f55552a623c264091d72b66 (patch) | |
| tree | b4092f102ecdc6703006fd18cdf173f976619674 /drivers/net/wireless/ath/ath11k | |
| parent | f425078b449f90793c73423e4bbc44da6aad48d6 (diff) | |
ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API
Accessing already stored first msdu data after the skb expand trigger
use_after_free, since first msdu got deleted. so do the descriptor copy
operation before the skb expand operation.
Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Diffstat (limited to 'drivers/net/wireless/ath/ath11k')
| -rw-r--r-- | drivers/net/wireless/ath/ath11k/dp_rx.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 67efa247bf65..f87bd327b082 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -1376,6 +1376,11 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar, skb_put(first, DP_RX_BUFFER_SIZE); skb_pull(first, buf_first_hdr_len); + /* When an MSDU spread over multiple buffers attention, MSDU_END and + * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs. + */ + ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc); + space_extra = msdu_len - (buf_first_len + skb_tailroom(first)); if (space_extra > 0 && (pskb_expand_head(first, 0, space_extra, GFP_ATOMIC) < 0)) { @@ -1391,11 +1396,6 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar, return -ENOMEM; } - /* When an MSDU spread over multiple buffers attention, MSDU_END and - * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs. - */ - ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc); - rem_len = msdu_len - buf_first_len; while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) { rxcb = ATH11K_SKB_RXCB(skb); |