Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4250619ybl;
        Mon, 13 Jan 2020 10:21:38 -0800 (PST)
X-Google-Smtp-Source: APXvYqyzCgIp20pCPvIxTxnMHjPXI5Vv3fn0S6Xwzojqp5qgT6DCxn7WF86Vv+ZkqxKGn3UbUpZC
X-Received: by 2002:a05:6808:b37:: with SMTP id t23mr13915900oij.149.1578939698162;
        Mon, 13 Jan 2020 10:21:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578939698; cv=none;
        d=google.com; s=arc-20160816;
        b=ZtKM4nUkBVvlDa6JyhKSrRxv3T0fEiwVJcgrBS2dPGCpDGMtoA6XkkhXmNUryYxuJe
         Drry+JpYQXibZWkByV+V/8uuzgR3doZQHUHC0QLo8WIqjHTtZG6FoeuLUbRnxvB6BpFC
         TtRd7Mo3fMf0zbYODcM7H0D5RJ9SGiiH5vkMsDiu57I8nPuJ7YLfPg4G6q+gKkyvsqVt
         q6MTCXDJ0tNrRCTMZvqQDlmFlq8hQOxxKfYhuenHQsL4Dka7TJVMu0VVtyaXtS2T/KmT
         6rnEswoAeQcNfwDJrLmgmF5773dge9IHDjzXfxH0NOnoDu5gno3+DtRG5mlXHdgRX6UE
         wzuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=jfg1CH/BWu8y14E87TMalUIfmXnxxWjXnaCMLIpLMCA=;
        b=OuxzTY9Hqcxq18W40Je1H+kk01ViYZZJK3ELdMk3mKENJQlTEcQ+7M73ULie0IzwiW
         pRut+ye0t3Bk02Zb6XpA/luKCWDd9r/Rfhh/n/TIrj/QK/ZUXzH5eBZbHxNzpLP91Fst
         /qyc/5ymf5ssFxeF9I1LBCwFJOo1lsW45stSRFz/xIB3e6hWGPga4tD38mNf2WXFvkR3
         x0geW/IxhJ1YsBF6qP/xNGll3Z/CkOGYpphKhp0saGwzUtDnxiWAHZ5CtDnHUOIZ8kna
         ddSngiddNrc0P6m6f3AXMl7fKxGrZuQE7Ydq4GKtPAF+HhJ7bXU2orF7Z0c82kPa24dP
         RnlA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@nbd.name header.s=20160729 header.b=tDNHg+NK;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c126si5923356oib.239.2020.01.13.10.21.15;
        Mon, 13 Jan 2020 10:21:38 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@nbd.name header.s=20160729 header.b=tDNHg+NK;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728641AbgAMSVK (ORCPT <rfc822;sgg.btech@gmail.com> + 99 others);
        Mon, 13 Jan 2020 13:21:10 -0500
Received: from nbd.name ([46.4.11.11]:38002 "EHLO nbd.name"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1728633AbgAMSVK (ORCPT <rfc822;linux-wireless@vger.kernel.org>);
        Mon, 13 Jan 2020 13:21:10 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=nbd.name;
         s=20160729; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject
        :Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:Content-Description:
        Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
        In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
        List-Post:List-Owner:List-Archive;
        bh=jfg1CH/BWu8y14E87TMalUIfmXnxxWjXnaCMLIpLMCA=; b=tDNHg+NKl0rDlws2ygYpd0woxj
        6Mn2WR2FddwrqoSFd5f5s2YQsRrVT/RrFtXpWCBSZ6pCi08n/VmEYwE6CQIw1vnlfuGKo+0igiUUu
        U2DKmEAOzdUv1Tggk/jsRh8C+hLC50SBylE94bz9VbK71hHR5TyDE5p4pjc3NWwIguoo=;
Received: from [80.255.7.117] (helo=maeck.local)
        by ds12 with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.89)
        (envelope-from <nbd@nbd.name>)
        id 1ir4Kq-0005oU-PE; Mon, 13 Jan 2020 19:21:08 +0100
Received: by maeck.local (Postfix, from userid 501)
        id D159777EB435; Mon, 13 Jan 2020 19:21:07 +0100 (CET)
From:   Felix Fietkau <nbd@nbd.name>
To:     linux-wireless@vger.kernel.org
Cc:     johannes@sipsolutions.net
Subject: [PATCH 5.5] cfg80211: fix page refcount issue in A-MSDU decap
Date:   Mon, 13 Jan 2020 19:21:07 +0100
Message-Id: <20200113182107.20461-1-nbd@nbd.name>
X-Mailer: git-send-email 2.24.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

The fragments attached to a skb can be part of a compound page. In that case,
page_ref_inc will increment the refcount for the wrong page. Fix this by
using get_page instead, which calls page_ref_inc on the compound head and
also checks for overflow.

Fixes: 2b67f944f88c ("cfg80211: reuse existing page fragments in A-MSDU rx")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 net/wireless/util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 5b4ed5bbc542..8481e9ac33da 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -564,7 +564,7 @@ __frame_add_frag(struct sk_buff *skb, struct page *page,
 	struct skb_shared_info *sh = skb_shinfo(skb);
 	int page_offset;
 
-	page_ref_inc(page);
+	get_page(page);
 	page_offset = ptr - page_address(page);
 	skb_add_rx_frag(skb, sh->nr_frags, page, page_offset, len, size);
 }
-- 
2.24.0