On 2021-08-16 10:51, Ping-Ke Shih wrote: > From: Chih-Kang Chang <gary.chang@xxxxxxxxxxx> > > In ieee80211_amsdu_aggregate() set a pointer frag_tail point to the > end of skb_shinfo(head)->frag_list, and use it to bind other skb in > the end of this function. But when execute ieee80211_amsdu_aggregate() > ->ieee80211_amsdu_realloc_pad()->pskb_expand_head(), the address of > skb_shinfo(head)->frag_list will be changed. However, the > ieee80211_amsdu_aggregate() not update frag_tail after call > pskb_expand_head(). That will cause the second skb can't bind to the > head skb appropriately.So we update the address of frag_tail to fix it. I think instead of iterating over fragments a second time, we should move the ieee80211_amsdu_prepare_head call further up. - Felix
