mac80211: fix A-MSDU packet handling with TCP retransmission

Improves local TCP throughput and fixes use-after-free bugs that could lead
to crashes.

Signed-off-by: Felix Fietkau <[email protected]>

package/kernel/mac80211/patches/subsys/351-mac80211-free-skb-fraglist-before-freeing-the-skb.patch

@@ -0,0 +1,31 @@
+From: Sara Sharon <[email protected]>
+Date: Thu, 11 Oct 2018 14:21:21 +0200
+Subject: [PATCH] mac80211: free skb fraglist before freeing the skb
+
+mac80211 uses the frag list to build AMSDU. When freeing
+the skb, it may not be really freed, since someone is still
+holding a reference to it.
+In that case, when TCP skb is being retransmitted, the
+pointer to the frag list is being reused, while the data
+in there is no longer valid.
+Since we will never get frag list from the network stack,
+as mac80211 doesn't advertise the capability, we can safely
+free and nullify it before releasing the SKB.
+
+Signed-off-by: Sara Sharon <[email protected]>
+---
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -561,6 +561,11 @@ static void ieee80211_report_used_skb(st
+ 	}
+ 
+ 	ieee80211_led_tx(local);
++
++	if (skb_has_frag_list(skb)) {
++		kfree_skb_list(skb_shinfo(skb)->frag_list);
++		skb_shinfo(skb)->frag_list = NULL;
++	}
+ }
+ 
+ /*

package/kernel/mac80211/patches/subsys/358-mac80211-add-NEED_ALIGNED4_SKBS-hw-flag.patch

@@ -96,7 +96,7 @@ Signed-off-by: Janusz Dziedzic <[email protected]>
  	struct rcu_head rcu_head;
 --- a/net/mac80211/status.c
 +++ b/net/mac80211/status.c
-@@ -653,9 +653,22 @@ void ieee80211_tx_monitor(struct ieee802
+@@ -658,9 +658,22 @@ void ieee80211_tx_monitor(struct ieee802
  	struct sk_buff *skb2;
  	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
  	struct ieee80211_sub_if_data *sdata;