mac80211: check and dequeue skb in ieee80211_tx_prepare_skb()

The ieee80211_tx_prepare_skb() function currently entirely ignores
the fact that the SKB that is passed in might be split into more
than one due to fragmentation and doesn't check the list of skbs
that the TX handlers may create. In case this happens, it would
leak them.

Fix this and also don't leave the skb next/prev pointers dangling
pointing to the on-stack sk_buff_head.

Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

1 files changed, 9 insertions, 0 deletions

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index a23a84e93e80..7e7de811e6ad 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1420,6 +1420,7 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
         struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
         struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
         struct ieee80211_tx_data tx;
+        struct sk_buff *skb2;
 
         if (ieee80211_tx_prepare(sdata, &tx, skb) == TX_DROP)
                 return false;
@@ -1438,6 +1439,14 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
                         *sta = NULL;
         }
 
+        /* this function isn't suitable for fragmented data frames */
+        skb2 = __skb_dequeue(&tx.skbs);
+        if (WARN_ON(skb2 != skb || !skb_queue_empty(&tx.skbs))) {
+                ieee80211_free_txskb(hw, skb2);
+                ieee80211_purge_tx_queue(hw, &tx.skbs);
+                return false;
+        }
+
         return true;
 }
 EXPORT_SYMBOL(ieee80211_tx_prepare_skb);