mac80211: fix a crash on accessing stale skb->dev references
authorFelix Fietkau <nbd@openwrt.org>
Mon, 27 Aug 2012 12:23:25 +0000 (12:23 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Mon, 27 Aug 2012 12:23:25 +0000 (12:23 +0000)
SVN-Revision: 33279

package/mac80211/patches/580-mac80211_tx_status_crash.patch [new file with mode: 0644]

diff --git a/package/mac80211/patches/580-mac80211_tx_status_crash.patch b/package/mac80211/patches/580-mac80211_tx_status_crash.patch
new file mode 100644 (file)
index 0000000..abcf56e
--- /dev/null
@@ -0,0 +1,32 @@
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -517,6 +517,8 @@ void ieee80211_tx_status(struct ieee8021
+       if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+               u64 cookie = (unsigned long)skb;
++              bool found = false;
++
+               acked = info->flags & IEEE80211_TX_STAT_ACK;
+               /*
+@@ -524,8 +526,18 @@ void ieee80211_tx_status(struct ieee8021
+                * we cannot use skb->dev->ieee80211_ptr
+                */
+-              if (ieee80211_is_nullfunc(hdr->frame_control) ||
+-                  ieee80211_is_qos_nullfunc(hdr->frame_control))
++              list_for_each_entry_rcu(sdata, &local->interfaces, list) {
++                      if (skb->dev != sdata->dev)
++                              continue;
++
++                      found = true;
++                      break;
++              }
++
++              if (!found)
++                      skb->dev = NULL;
++              else if (ieee80211_is_nullfunc(hdr->frame_control) ||
++                       ieee80211_is_qos_nullfunc(hdr->frame_control))
+                       cfg80211_probe_status(skb->dev, hdr->addr1,
+                                             cookie, acked, GFP_ATOMIC);
+               else