mt76: clear skb pointers from rx aggregation reorder buffer during cleanup

During the cleanup of the aggregation session, a rx handler (or release timer) on another CPU might still hold a pointer to the reorder buffer and could attempt to release some packets. Clearing pointers during cleanup avoids a theoretical use-after-free bug here. Signed-off-by: Felix Fietkau <nbd@nbd.name>
author: Felix Fietkau <nbd@nbd.name> 2019-12-14 00:15:26 +0100
committer: Felix Fietkau <nbd@nbd.name> 2020-02-14 10:06:02 +0100
commit: 9379df2fd9234e3b67a23101c2370c99f6af6d77 (patch)
tree: a0ee2c7a5c3cca29284905b5ea2eed5ac151d801 /drivers/net/wireless/mediatek/mt76/agg-rx.c
parent: d55aa5e17461b8b423adae376978032c4a10a1d8 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c
index a4c64ae8fb1a..f77f03530259 100644
--- a/drivers/net/wireless/mediatek/mt76/agg-rx.c
+++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c
@@ -276,6 +276,7 @@ static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid)
 		if (!skb)
 			continue;
 
+		tid->reorder_buf[i] = NULL;
 		tid->nframes--;
 		dev_kfree_skb(skb);
 	}
author	Felix Fietkau <nbd@nbd.name>	2019-12-14 00:15:26 +0100
committer	Felix Fietkau <nbd@nbd.name>	2020-02-14 10:06:02 +0100
commit	9379df2fd9234e3b67a23101c2370c99f6af6d77 (patch)
tree	a0ee2c7a5c3cca29284905b5ea2eed5ac151d801 /drivers/net/wireless/mediatek/mt76/agg-rx.c
parent	d55aa5e17461b8b423adae376978032c4a10a1d8 (diff)