diff options
author | Jouni Malinen <j@w1.fi> | 2009-03-13 13:59:39 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-03-16 18:01:59 -0400 |
commit | 055249d20de06c290fe7625be0a7164bef3958f5 (patch) | |
tree | 01e03e8e32022dc01400f51befb8c843f4ea1bad | |
parent | 5ec905a8df3fa877566ba98298433fbfb3d688cc (diff) | |
download | linux-stable-055249d20de06c290fe7625be0a7164bef3958f5.tar.gz linux-stable-055249d20de06c290fe7625be0a7164bef3958f5.tar.bz2 linux-stable-055249d20de06c290fe7625be0a7164bef3958f5.zip |
mac80211: Fix panic on fragmentation with power saving
It was possible to hit a kernel panic on NULL pointer dereference in
dev_queue_xmit() when sending power save buffered frames to a STA that
woke up from sleep. This happened when the buffered frame was requeued
for transmission in ap_sta_ps_end(). In order to avoid the panic, copy
the skb->dev and skb->iif values from the first fragment to all other
fragments.
Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/mac80211/tx.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 94de5033f0b6..37e3d5ef7e3f 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -752,6 +752,8 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx) skb_copy_queue_mapping(frag, first); frag->do_not_encrypt = first->do_not_encrypt; + frag->dev = first->dev; + frag->iif = first->iif; pos += copylen; left -= copylen; |