diff options
author | Felix Fietkau <nbd@openwrt.org> | 2012-08-27 12:23:25 +0000 |
---|---|---|
committer | Felix Fietkau <nbd@openwrt.org> | 2012-08-27 12:23:25 +0000 |
commit | e85962926afac94c74d73a2332a8b7a42d3018a2 (patch) | |
tree | 573b14bd91b54234950e8388f270feef14b35742 | |
parent | 4a04899c5ef1dd8b57db931300a8936d607ba229 (diff) | |
download | upstream-e85962926afac94c74d73a2332a8b7a42d3018a2.tar.gz upstream-e85962926afac94c74d73a2332a8b7a42d3018a2.tar.bz2 upstream-e85962926afac94c74d73a2332a8b7a42d3018a2.zip |
mac80211: fix a crash on accessing stale skb->dev references
SVN-Revision: 33279
-rw-r--r-- | package/mac80211/patches/580-mac80211_tx_status_crash.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/package/mac80211/patches/580-mac80211_tx_status_crash.patch b/package/mac80211/patches/580-mac80211_tx_status_crash.patch new file mode 100644 index 0000000000..abcf56e1d5 --- /dev/null +++ b/package/mac80211/patches/580-mac80211_tx_status_crash.patch @@ -0,0 +1,32 @@ +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -517,6 +517,8 @@ void ieee80211_tx_status(struct ieee8021 + + if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) { + u64 cookie = (unsigned long)skb; ++ bool found = false; ++ + acked = info->flags & IEEE80211_TX_STAT_ACK; + + /* +@@ -524,8 +526,18 @@ void ieee80211_tx_status(struct ieee8021 + * we cannot use skb->dev->ieee80211_ptr + */ + +- if (ieee80211_is_nullfunc(hdr->frame_control) || +- ieee80211_is_qos_nullfunc(hdr->frame_control)) ++ list_for_each_entry_rcu(sdata, &local->interfaces, list) { ++ if (skb->dev != sdata->dev) ++ continue; ++ ++ found = true; ++ break; ++ } ++ ++ if (!found) ++ skb->dev = NULL; ++ else if (ieee80211_is_nullfunc(hdr->frame_control) || ++ ieee80211_is_qos_nullfunc(hdr->frame_control)) + cfg80211_probe_status(skb->dev, hdr->addr1, + cookie, acked, GFP_ATOMIC); + else |