author Jouni Malinen <j@w1.fi> 2009-03-13 13:59:39 +0200
committer John W. Linville <linville@tuxdriver.com> 2009-03-16 18:01:59 -0400
commit 055249d20de06c290fe7625be0a7164bef3958f5
tree 01e03e8e32022dc01400f51befb8c843f4ea1bad
parent 5ec905a8df3fa877566ba98298433fbfb3d688cc
mac80211: Fix panic on fragmentation with power saving

It was possible to hit a kernel panic on NULL pointer dereference in dev_queue_xmit() when sending power save buffered frames to a STA that woke up from sleep. This happened when the buffered frame was requeued for transmission in ap_sta_ps_end(). In order to avoid the panic, copy the skb->dev and skb->iif values from the first fragment to all other fragments.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- net/mac80211/tx.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 94de503..37e3d5e 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -752,6 +752,8 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx)
skb_copy_queue_mapping(frag, first);
frag->do_not_encrypt = first->do_not_encrypt;
+ frag->dev = first->dev;
+ frag->iif = first->iif;
pos += copylen;
left -= copylen;
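Review bot: The two added assignments, frag->dev = first->dev; and frag->iif = first->iif;, carry no comment saying why a fragment needs them, and they extend a field-by-field copy (queue mapping, do_not_encrypt, now dev and iif) that has already missed fields once. A one-line comment above frag->dev noting that power-save buffered fragments can be requeued through dev_queue_xmit(), which dereferences skb->dev, would keep a later cleanup from dropping them. It is also worth considering a single helper in ieee80211_tx_h_fragment() that copies all per-skb metadata from first to frag, so that the next field a requeue path depends on is added in one place.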