Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp3394251pxb;
        Mon, 30 Aug 2021 00:36:26 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJysJU2fPEqmU/AxAr8t8VTWRpmXwICZNbnsI48+U1FVHaLAyECL2r6K2xLjUmHuR6/bIx4a
X-Received: by 2002:a05:6638:381e:: with SMTP id i30mr2578600jav.9.1630308986281;
        Mon, 30 Aug 2021 00:36:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1630308986; cv=none;
        d=google.com; s=arc-20160816;
        b=HbS1JLqzsEmKWxgug1JL2BeDmwU6Ftj4URzDzXflNqcvaitchRYR+vtCmoKdxEDCq/
         EhSgvsBXX3V491EpUy/ClHONeWaDBRf5e/jbdLIC3P3j/zQywVkB249KnIFu5ekJ6ubM
         a7iCXcsDC3ykNJhJig8wrfWPlgzTJwUPvYkDQojvpeJTwXhuDoRZwVn6mNJF04eT9ky9
         uj3sG2q3Joc9eH2IT5Vs+m5VdJoLsAVeoEdKb13kUfh8tFQm9yiy+Mc3MDC7GlHhQMZi
         r1yDyosr9Lkt4KINpQcF5id9OQeNRO3NNlG/AvXVZ5/y/lRKDWderxO4yULM3SYukHJy
         1eFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:authenticated-by;
        bh=z6ZLu+G/uwlpd/XuW0YF+2AVdfgX3/Z63a+y8F2gWNo=;
        b=Q2pfDSm3txZKCkmFOwf2ZaowvXVnaPoJSUmiK1uigQ7SITgOItiBA0srS7Hpsut7Sm
         zBzJBuVslc0xRmgfDZGjWbTuULthV8G66qE2ajVZIeT0XMbtLJfJmtGphULC0SjhNyam
         C797sw/Rkfr4fn24VBEdxT7pTKj5TCp3Kd55I4+M03yD8vKeg3iwyZ7njKYKGAC2+0G+
         9W1vhO1NkRNdTb/LCr/6IOwydLqtOlI5CI2j9z+prVSZA3nVYep0AdsRthT+mNa3SYU9
         lis+fdXxKvxKaDXd6zU9VRmjouxdfz+i3MZ8uBtBJ//o6giSKCHy8lLcnfjfP2JPXMOy
         ORgQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id r6si14709022ilc.69.2021.08.30.00.36.09;
        Mon, 30 Aug 2021 00:36:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233901AbhH3Heh (ORCPT <rfc822;liu.airalert@gmail.com>
        + 99 others); Mon, 30 Aug 2021 03:34:37 -0400
Received: from rtits2.realtek.com ([211.75.126.72]:47698 "EHLO
        rtits2.realtek.com.tw" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232321AbhH3Heg (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Mon, 30 Aug 2021 03:34:36 -0400
Authenticated-By: 
X-SpamFilter-By: ArmorX SpamTrap 5.73 with qID 17U7XXsG4007809, This message is accepted by code: ctloc85258
Received: from mail.realtek.com (rtexh36503.realtek.com.tw[172.21.6.25])
        by rtits2.realtek.com.tw (8.15.2/2.71/5.88) with ESMTPS id 17U7XXsG4007809
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT);
        Mon, 30 Aug 2021 15:33:33 +0800
Received: from RTEXMBS04.realtek.com.tw (172.21.6.97) by
 RTEXH36503.realtek.com.tw (172.21.6.25) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2308.14; Mon, 30 Aug 2021 15:33:32 +0800
Received: from localhost (172.21.69.146) by RTEXMBS04.realtek.com.tw
 (172.21.6.97) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Mon, 30 Aug
 2021 15:33:32 +0800
From:   Ping-Ke Shih <pkshih@realtek.com>
To:     <johannes@sipsolutions.net>
CC:     <linux-wireless@vger.kernel.org>, <nbd@nbd.name>,
        <gary.chang@realtek.com>, <kevin_yang@realtek.com>
Subject: [PATCH v3] mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
Date:   Mon, 30 Aug 2021 15:32:40 +0800
Message-ID: <20210830073240.12736-1-pkshih@realtek.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [172.21.69.146]
X-ClientProxiedBy: RTEXMBS02.realtek.com.tw (172.21.6.95) To
 RTEXMBS04.realtek.com.tw (172.21.6.97)
X-KSE-ServerInfo: RTEXMBS04.realtek.com.tw, 9
X-KSE-AntiSpam-Interceptor-Info: trusted connection
X-KSE-Antiphishing-Info: Clean
X-KSE-Antiphishing-ScanningType: Deterministic
X-KSE-Antiphishing-Method: None
X-KSE-Antiphishing-Bases: 08/30/2021 07:07:00
X-KSE-AttachmentFiltering-Interceptor-Info: no applicable attachment filtering
 rules found
X-KSE-Antivirus-Interceptor-Info: scan successful
X-KSE-Antivirus-Info: =?big5?B?Q2xlYW4sIGJhc2VzOiAyMDIxLzgvMzAgpFekyCAwNDoyMTowMA==?=
X-KSE-BulkMessagesFiltering-Scan-Result: protection disabled
X-KSE-ServerInfo: RTEXH36503.realtek.com.tw, 9
X-KSE-Attachment-Filter-Triggered-Rules: Clean
X-KSE-Attachment-Filter-Triggered-Filters: Clean
X-KSE-BulkMessagesFiltering-Scan-Result: protection disabled
X-KSE-AntiSpam-Outbound-Interceptor-Info: scan successful
X-KSE-AntiSpam-Version: 5.9.20, Database issued on: 08/30/2021 07:14:53
X-KSE-AntiSpam-Status: KAS_STATUS_NOT_DETECTED
X-KSE-AntiSpam-Method: none
X-KSE-AntiSpam-Rate: 0
X-KSE-AntiSpam-Info: Lua profiles 165837 [Aug 30 2021]
X-KSE-AntiSpam-Info: Version: 5.9.20.0
X-KSE-AntiSpam-Info: Envelope from: pkshih@realtek.com
X-KSE-AntiSpam-Info: LuaCore: 457 457 f9912fc467375383fbac52a53ade5bbe1c769e2a
X-KSE-AntiSpam-Info: {Tracking_from_domain_doesnt_match_to}
X-KSE-AntiSpam-Info: 127.0.0.199:7.1.2;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;realtek.com:7.1.1
X-KSE-AntiSpam-Info: Rate: 0
X-KSE-AntiSpam-Info: Status: not_detected
X-KSE-AntiSpam-Info: Method: none
X-KSE-AntiSpam-Info: Auth:dkim=none
X-KSE-Antiphishing-Info: Clean
X-KSE-Antiphishing-ScanningType: Heuristic
X-KSE-Antiphishing-Method: None
X-KSE-Antiphishing-Bases: 08/30/2021 07:18:00
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Chih-Kang Chang <gary.chang@realtek.com>

In ieee80211_amsdu_aggregate() set a pointer frag_tail point to the
end of skb_shinfo(head)->frag_list, and use it to bind other skb in
the end of this function. But when execute ieee80211_amsdu_aggregate()
->ieee80211_amsdu_realloc_pad()->pskb_expand_head(), the address of
skb_shinfo(head)->frag_list will be changed. However, the
ieee80211_amsdu_aggregate() not update frag_tail after call
pskb_expand_head(). That will cause the second skb can't bind to the
head skb appropriately.So we update the address of frag_tail to fix it.

Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
Signed-off-by: Chih-Kang Chang <gary.chang@realtek.com>
Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
---
v3: fix coding style of comment indentation.
v2: an alternative fix to prevent iterating fragment twice.
---
 net/mac80211/tx.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 2d1193ed3eb5..63ae6c044cf5 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3380,6 +3380,13 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
 	if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
 		goto out;
 
+	/* While n == 2, frag_tail should be the address of head's frag_list.
+	 * However, head probably re-alloc after ieee80211_amsdu_prepare_head.
+	 * So, re-assign frag_tail again to make sure the correctness.
+	 */
+	if (n == 2)
+		frag_tail = &skb_shinfo(head)->frag_list;
+
 	/*
 	 * Pad out the previous subframe to a multiple of 4 by adding the
 	 * padding to the next one, that's being added. Note that head->len
-- 
2.25.1