From 33ed0312fa4ed1960cec4b1010d6babaab5fb7df Mon Sep 17 00:00:00 2001 From: Mohit Khanna Date: Tue, 16 Jan 2018 16:04:05 -0800 Subject: [PATCH] qcacmn: set mpdu next to null during msdu stitching In monitor mode, when we try to stitch msdus together into an ampdu to be sent to the stack (dp_rx_mon_restitch_mpdu_from_msdus), we aggregate them together via frag_list. In the current code, for the first msdu in which the frag_list is populated (if there is more than one msdu to be sent to stack), the next pointer (skb->next) is not set to NULL. This causes the HDD code to process the next pointer, leading to double free issues. Set the next pointer for the first msdu (with frag_list) to NULL. Change-Id: I60d1d463c7bbb602e4b199fbb691340ad6247bc5 CRs-Fixed: 2173405 --- dp/wifi3.0/dp_rx_mon_dest.c | 1 + 1 file changed, 1 insertion(+) diff --git a/dp/wifi3.0/dp_rx_mon_dest.c b/dp/wifi3.0/dp_rx_mon_dest.c index 7e29ded2ed..1edf340fcf 100644 --- a/dp/wifi3.0/dp_rx_mon_dest.c +++ b/dp/wifi3.0/dp_rx_mon_dest.c @@ -416,6 +416,7 @@ qdf_nbuf_t dp_rx_mon_restitch_mpdu_from_msdus(struct dp_soc *soc, frag_list_sum_len -= HAL_RX_FCS_LEN; qdf_nbuf_append_ext_list(mpdu_buf, head_frag_list, frag_list_sum_len); + qdf_nbuf_set_next(mpdu_buf, NULL); } goto mpdu_stitch_done;
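Review bot: The added qdf_nbuf_set_next(mpdu_buf, NULL) sits inside the block that closes with the `}` right after it, so any path that reaches `goto mpdu_stitch_done` without entering that block still hands up mpdu_buf with whatever next pointer it already had. The commit message says the consumer (HDD) walks skb->next, and nothing in the visible lines shows that it only does so when a frag_list is attached, so please either move the call to just after the closing brace so the head buffer is always terminated before the goto, or confirm in the commit message that the path without a frag_list already has next set to NULL. A one-line comment above the call stating that the head nbuf must not stay chained once its successors have been moved into the frag_list would also help, since the double free described in the message is not obvious from the code alone.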