aboutsummaryrefslogtreecommitdiffstats
path: root/package/mac80211/patches
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2012-08-27 12:23:25 +0000
committerFelix Fietkau <nbd@openwrt.org>2012-08-27 12:23:25 +0000
commit1d7992a51601cae18b95856ec8eb989f5dd9fb91 (patch)
tree356e39f8fe7a02e14f7a525ae96907d2ebb37c4b /package/mac80211/patches
parent370e1187ddd95701d6b29aa2dbce3898705cc8f2 (diff)
downloadupstream-1d7992a51601cae18b95856ec8eb989f5dd9fb91.tar.gz
upstream-1d7992a51601cae18b95856ec8eb989f5dd9fb91.tar.bz2
upstream-1d7992a51601cae18b95856ec8eb989f5dd9fb91.zip
mac80211: fix a crash on accessing stale skb->dev references
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@33279 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/mac80211/patches')
-rw-r--r--package/mac80211/patches/580-mac80211_tx_status_crash.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/package/mac80211/patches/580-mac80211_tx_status_crash.patch b/package/mac80211/patches/580-mac80211_tx_status_crash.patch
new file mode 100644
index 0000000000..abcf56e1d5
--- /dev/null
+++ b/package/mac80211/patches/580-mac80211_tx_status_crash.patch
@@ -0,0 +1,32 @@
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -517,6 +517,8 @@ void ieee80211_tx_status(struct ieee8021
+
+ if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+ u64 cookie = (unsigned long)skb;
++ bool found = false;
++
+ acked = info->flags & IEEE80211_TX_STAT_ACK;
+
+ /*
+@@ -524,8 +526,18 @@ void ieee80211_tx_status(struct ieee8021
+ * we cannot use skb->dev->ieee80211_ptr
+ */
+
+- if (ieee80211_is_nullfunc(hdr->frame_control) ||
+- ieee80211_is_qos_nullfunc(hdr->frame_control))
++ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
++ if (skb->dev != sdata->dev)
++ continue;
++
++ found = true;
++ break;
++ }
++
++ if (!found)
++ skb->dev = NULL;
++ else if (ieee80211_is_nullfunc(hdr->frame_control) ||
++ ieee80211_is_qos_nullfunc(hdr->frame_control))
+ cfg80211_probe_status(skb->dev, hdr->addr1,
+ cookie, acked, GFP_ATOMIC);
+ else