From e220ffb5338fc16a9f36662c1a7c32f6923e53ce Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Thu, 11 Oct 2018 15:16:28 +0200
Subject: [PATCH] mac80211: fix A-MSDU packet handling with TCP retransmission

Improves local TCP throughput and fixes use-after-free bugs that could lead
to crashes.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 ...-skb-fraglist-before-freeing-the-skb.patch | 31 +++++++++++++++++++
 ...80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch |  2 +-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 package/kernel/mac80211/patches/subsys/351-mac80211-free-skb-fraglist-before-freeing-the-skb.patch

diff --git a/package/kernel/mac80211/patches/subsys/351-mac80211-free-skb-fraglist-before-freeing-the-skb.patch b/package/kernel/mac80211/patches/subsys/351-mac80211-free-skb-fraglist-before-freeing-the-skb.patch
new file mode 100644
index 0000000000..200e4fe38d
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/351-mac80211-free-skb-fraglist-before-freeing-the-skb.patch
@@ -0,0 +1,31 @@
+From: Sara Sharon <sara.sharon@intel.com>
+Date: Thu, 11 Oct 2018 14:21:21 +0200
+Subject: [PATCH] mac80211: free skb fraglist before freeing the skb
+
+mac80211 uses the frag list to build AMSDU. When freeing
+the skb, it may not be really freed, since someone is still
+holding a reference to it.
+In that case, when TCP skb is being retransmitted, the
+pointer to the frag list is being reused, while the data
+in there is no longer valid.
+Since we will never get frag list from the network stack,
+as mac80211 doesn't advertise the capability, we can safely
+free and nullify it before releasing the SKB.
+
+Signed-off-by: Sara Sharon <sara.sharon@intel.com>
+---
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -561,6 +561,11 @@ static void ieee80211_report_used_skb(st
+ 	}
+ 
+ 	ieee80211_led_tx(local);
++
++	if (skb_has_frag_list(skb)) {
++		kfree_skb_list(skb_shinfo(skb)->frag_list);
++		skb_shinfo(skb)->frag_list = NULL;
++	}
+ }
+ 
+ /*
diff --git a/package/kernel/mac80211/patches/subsys/358-mac80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch b/package/kernel/mac80211/patches/subsys/358-mac80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch
index c52a4f61a9..8183fb89b6 100644
--- a/package/kernel/mac80211/patches/subsys/358-mac80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch
+++ b/package/kernel/mac80211/patches/subsys/358-mac80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch
@@ -96,7 +96,7 @@ Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
  	struct rcu_head rcu_head;
 --- a/net/mac80211/status.c
 +++ b/net/mac80211/status.c
-@@ -653,9 +653,22 @@ void ieee80211_tx_monitor(struct ieee802
+@@ -658,9 +658,22 @@ void ieee80211_tx_monitor(struct ieee802
  	struct sk_buff *skb2;
  	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
  	struct ieee80211_sub_if_data *sdata;
-- 
2.30.2