From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Felix Fietkau <nbd@nbd.name>,
Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 4.19 058/103] cfg80211: fix page refcount issue in A-MSDU decap
Date: Wed, 22 Jan 2020 10:29:14 +0100 [thread overview]
Message-ID: <20200122092812.743594611@linuxfoundation.org> (raw)
In-Reply-To: <20200122092803.587683021@linuxfoundation.org>
From: Felix Fietkau <nbd@nbd.name>
commit 81c044fc3bdc5b7be967cd3682528ea94b58c06a upstream.
The fragments attached to a skb can be part of a compound page. In that case,
page_ref_inc will increment the refcount for the wrong page. Fix this by
using get_page instead, which calls page_ref_inc on the compound head and
also checks for overflow.
Fixes: 2b67f944f88c ("cfg80211: reuse existing page fragments in A-MSDU rx")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20200113182107.20461-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -537,7 +537,7 @@ __frame_add_frag(struct sk_buff *skb, st
struct skb_shared_info *sh = skb_shinfo(skb);
int page_offset;
- page_ref_inc(page);
+ get_page(page);
page_offset = ptr - page_address(page);
skb_add_rx_frag(skb, sh->nr_frags, page, page_offset, len, size);
}
next prev parent reply other threads:[~2020-01-22 9:44 UTC|newest]
Thread overview: 108+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-22 9:28 [PATCH 4.19 000/103] 4.19.98-stable review Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 001/103] ARM: dts: meson8: fix the size of the PMU registers Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 002/103] clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 003/103] dt-bindings: reset: meson8b: fix duplicate reset IDs Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 004/103] ARM: dts: imx6q-dhcom: fix rtc compatible Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 005/103] clk: Dont try to enable critical clocks if prepare failed Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 006/103] ASoC: msm8916-wcd-digital: Reset RX interpolation path after use Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 007/103] iio: buffer: align the size of scan bytes to size of the largest element Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 008/103] USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 009/103] USB: serial: option: Add support for Quectel RM500Q Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 010/103] USB: serial: opticon: fix control-message timeouts Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 011/103] USB: serial: option: add support for Quectel RM500Q in QDL mode Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 012/103] USB: serial: suppress driver bind attributes Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 013/103] USB: serial: ch341: handle unbound port at reset_resume Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 014/103] USB: serial: io_edgeport: handle unbound ports on URB completion Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 015/103] USB: serial: io_edgeport: add missing active-port sanity check Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 016/103] USB: serial: keyspan: handle unbound ports Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 017/103] USB: serial: quatech2: " Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 018/103] scsi: fnic: fix invalid stack access Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 019/103] scsi: mptfusion: Fix double fetch bug in ioctl Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 020/103] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 021/103] ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1 Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 022/103] ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 023/103] ALSA: dice: fix fallback from protocol extension into limited functionality Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 024/103] ALSA: seq: Fix racy access for queue timer in proc read Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 025/103] ALSA: usb-audio: fix sync-ep altsetting sanity check Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 026/103] arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 027/103] Fix built-in early-load Intel microcode alignment Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 028/103] block: fix an integer overflow in logical block size Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 029/103] ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 030/103] LSM: generalize flag passing to security_capable Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 031/103] ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 032/103] usb: core: hub: Improved device recognition on remote wakeup Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 033/103] x86/resctrl: Fix an imbalance in domain_remove_cpu() Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 034/103] x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 035/103] x86/efistub: Disable paging at mixed mode entry Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 036/103] drm/i915: Add missing include file <linux/math64.h> Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 037/103] x86/resctrl: Fix potential memory leak Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 038/103] perf hists: Fix variable names inconsistency in hists__for_each() macro Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 039/103] perf report: Fix incorrectly added dimensions as switch perf data file Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 040/103] mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 041/103] mm: memcg/slab: call flush_memcg_workqueue() only if memcg workqueue is valid Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 042/103] btrfs: rework arguments of btrfs_unlink_subvol Greg Kroah-Hartman
2020-01-22 9:28 ` [PATCH 4.19 043/103] btrfs: fix invalid removal of root ref Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 044/103] btrfs: do not delete mismatched root refs Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 045/103] btrfs: fix memory leak in qgroup accounting Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 046/103] mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 047/103] ARM: dts: imx6qdl: Add Engicam i.Core 1.5 MX6 Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 048/103] ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 049/103] ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 050/103] net: stmmac: 16KB buffer must be 16 byte aligned Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 051/103] net: stmmac: Enable 16KB buffer size Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 052/103] mm/huge_memory.c: make __thp_get_unmapped_area static Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 053/103] mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD alignment Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 054/103] arm64: dts: agilex/stratix10: fix pmu interrupt numbers Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 055/103] bpf: Fix incorrect verifier simulation of ARSH under ALU32 Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 056/103] cfg80211: fix deadlocks in autodisconnect work Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 057/103] cfg80211: fix memory leak in cfg80211_cqm_rssi_update Greg Kroah-Hartman
2020-01-22 9:29 ` Greg Kroah-Hartman [this message]
2020-01-22 9:29 ` [PATCH 4.19 059/103] netfilter: fix a use-after-free in mtype_destroy() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 060/103] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 061/103] netfilter: nft_tunnel: fix null-attribute check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 062/103] netfilter: nf_tables: remove WARN and add NLA_STRING upper limits Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 063/103] netfilter: nf_tables: store transaction list locally while requesting module Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 064/103] netfilter: nf_tables: fix flowtable list del corruption Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 065/103] NFC: pn533: fix bulk-message timeout Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 066/103] batman-adv: Fix DAT candidate selection on little endian systems Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 067/103] macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 068/103] hv_netvsc: Fix memory leak when removing rndis device Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 069/103] net: dsa: tag_qca: fix doubled Tx statistics Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 070/103] net: hns: fix soft lockup when there is not enough memory Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 071/103] net: usb: lan78xx: limit size of local TSO packets Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 072/103] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 073/103] ptp: free ptp device pin descriptors properly Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 074/103] r8152: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 075/103] tcp: fix marked lost packets not being retransmitted Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 076/103] sh_eth: check sh_eth_cpu_data::dual_port when dumping registers Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 077/103] mlxsw: spectrum: Wipe xstats.backlog of down ports Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 078/103] mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 079/103] xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 080/103] tcp: refine rule to allow EPOLLOUT generation under mem pressure Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 081/103] irqchip: Place CONFIG_SIFIVE_PLIC into the menu Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 082/103] cw1200: Fix a signedness bug in cw1200_load_firmware() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 083/103] arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 084/103] cfg80211: check for set_wiphy_params Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 085/103] tick/sched: Annotate lockless access to last_jiffies_update Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 086/103] arm64: dts: marvell: Fix CP110 NAND controller node multi-line comment alignment Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 087/103] Revert "arm64: dts: juno: add dma-ranges property" Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 088/103] mtd: devices: fix mchp23k256 read and write Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 089/103] drm/nouveau/bar/nv50: check bar1 vmm return value Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 090/103] drm/nouveau/bar/gf100: ensure BAR is mapped Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 091/103] drm/nouveau/mmu: qualify vmm during dtor Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 092/103] reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 093/103] scsi: esas2r: unlock on error in esas2r_nvram_read_direct() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 094/103] scsi: qla4xxx: fix double free bug Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 095/103] scsi: bnx2i: fix potential use after free Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 096/103] scsi: target: core: Fix a pr_debug() argument Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 097/103] scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 098/103] scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 099/103] scsi: core: scsi_trace: Use get_unaligned_be*() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 100/103] perf probe: Fix wrong address verification Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 101/103] clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle() Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 102/103] regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Greg Kroah-Hartman
2020-01-22 9:29 ` [PATCH 4.19 103/103] hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call Greg Kroah-Hartman
2020-01-22 14:58 ` [PATCH 4.19 000/103] 4.19.98-stable review Jon Hunter
2020-01-22 17:03 ` Naresh Kamboju
2020-01-22 19:00 ` Guenter Roeck
2020-01-22 20:53 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200122092812.743594611@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nbd@nbd.name \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).