Commit 89e11801 authored by Thomas Huehn's avatar Thomas Huehn Committed by John W. Linville

mwl8k: fix possible race condition in info->control.sta use

info->control.sta may only be dereferenced during the drv_tx call otherwise
could lead to use-after-free bugs
Reported-by: default avatarFelix Fietkau <nbd@nbd.name>
Signed-off-by: default avatarThomas Huehn <thomas@net.t-labs.tu-berlin.de>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 7c41f315
...@@ -1665,7 +1665,9 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw, int index, int limit, int force) ...@@ -1665,7 +1665,9 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw, int index, int limit, int force)
info = IEEE80211_SKB_CB(skb); info = IEEE80211_SKB_CB(skb);
if (ieee80211_is_data(wh->frame_control)) { if (ieee80211_is_data(wh->frame_control)) {
sta = info->control.sta; rcu_read_lock();
sta = ieee80211_find_sta_by_ifaddr(hw, wh->addr1,
wh->addr2);
if (sta) { if (sta) {
sta_info = MWL8K_STA(sta); sta_info = MWL8K_STA(sta);
BUG_ON(sta_info == NULL); BUG_ON(sta_info == NULL);
...@@ -1682,6 +1684,7 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw, int index, int limit, int force) ...@@ -1682,6 +1684,7 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw, int index, int limit, int force)
sta_info->is_ampdu_allowed = true; sta_info->is_ampdu_allowed = true;
} }
} }
rcu_read_unlock();
} }
ieee80211_tx_info_clear_status(info); ieee80211_tx_info_clear_status(info);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment