| Message ID | 20120706192034.GA1879@tuxdriver.com |
|---|---|
| State | Changes Requested, archived |
| Delegated to: | David Miller |
| Headers | show |
From: "John W. Linville" <linville@tuxdriver.com> Date: Fri, 6 Jul 2012 15:20:35 -0400 > Please let me know if there are problems! This indentation is not correct: commit 01f9cb073c827c60c43f769763b49a2026f1a897 Author: Thomas Huehn <thomas@net.t-labs.tu-berlin.de> Date: Thu Jun 28 14:39:51 2012 -0700 mwl8k: fix possible race condition in info->control.sta use ... + sta = ieee80211_find_sta_by_ifaddr(hw, wh->addr1, + wh->addr2); -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Jul 09, 2012 at 12:31:55AM -0700, David Miller wrote: > From: "John W. Linville" <linville@tuxdriver.com> > Date: Fri, 6 Jul 2012 15:20:35 -0400 > > > Please let me know if there are problems! > > This indentation is not correct: > > commit 01f9cb073c827c60c43f769763b49a2026f1a897 > Author: Thomas Huehn <thomas@net.t-labs.tu-berlin.de> > Date: Thu Jun 28 14:39:51 2012 -0700 > > mwl8k: fix possible race condition in info->control.sta use > ... > + sta = ieee80211_find_sta_by_ifaddr(hw, wh->addr1, > + wh->addr2); OK, I'll drop this patch and send a new pull request with a couple more fixes as well. John
diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c index cf7bdc6..1404373 100644 --- a/drivers/net/wireless/mwl8k.c +++ b/drivers/net/wireless/mwl8k.c @@ -1665,7 +1665,8 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw, int index, int limit, int force) info = IEEE80211_SKB_CB(skb); if (ieee80211_is_data(wh->frame_control)) { - sta = info->control.sta; + sta = ieee80211_find_sta_by_ifaddr(hw, wh->addr1, + wh->addr2); if (sta) { sta_info = MWL8K_STA(sta); BUG_ON(sta_info == NULL); diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index a4bb856..0db5d34 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -2174,15 +2174,13 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata, sdata->name, mgmt->sa, status_code); ieee80211_destroy_assoc_data(sdata, false); } else { - printk(KERN_DEBUG "%s: associated\n", sdata->name); - if (!ieee80211_assoc_success(sdata, *bss, mgmt, len)) { /* oops -- internal error -- send timeout for now */ - ieee80211_destroy_assoc_data(sdata, true); - sta_info_destroy_addr(sdata, mgmt->bssid); + ieee80211_destroy_assoc_data(sdata, false); cfg80211_put_bss(*bss); return RX_MGMT_CFG80211_ASSOC_TIMEOUT; } + printk(KERN_DEBUG "%s: associated\n", sdata->name); /* * destroy assoc_data afterwards, as otherwise an idle diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c index 2d1acc6..f9e51ef 100644 --- a/net/mac80211/rc80211_minstrel_ht.c +++ b/net/mac80211/rc80211_minstrel_ht.c @@ -809,7 +809,7 @@ minstrel_ht_alloc_sta(void *priv, struct ieee80211_sta *sta, gfp_t gfp) max_rates = sband->n_bitrates; } - msp = kzalloc(sizeof(struct minstrel_ht_sta), gfp); + msp = kzalloc(sizeof(*msp), gfp); if (!msp) return NULL; diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c index 17a707d..e06d458 100644 --- a/net/nfc/llcp/sock.c +++ b/net/nfc/llcp/sock.c @@ -292,7 +292,7 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *addr, pr_debug("%p\n", sk); - if (llcp_sock == NULL) + if (llcp_sock == NULL || llcp_sock->dev == NULL) return -EBADFD; addr->sa_family = AF_NFC;
commit 50787c0dfcffe9be908994bdd7bb28b1a49192b5 Dave, Please accept these fixes for the 3.5 stream... Eliad Peller provides a mac80211 fix to properly clean-up after an association failure. Sasha Levin offers an NFC fix to prevent a NULL pointer derference in llcp_sock_getname. Thomas Huehn provides an mwl8k fix for a race that can result in a use-after-free bug. Also, he provides a mac80211 fix to correct some kzalloc arguments, and another fix to address an issue found with that fix after I had already committed the original patch. Please let me know if there are problems! Thanks, John --- The following changes since commit 9e85a6f9dc231f3ed3c1dc1b12217505d970142a: Merge tag 'clk-fixes-for-linus' of git://git.linaro.org/people/mturquette/linux (2012-07-03 18:06:49 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless.git for-davem for you to fetch changes up to 50787c0dfcffe9be908994bdd7bb28b1a49192b5: Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem (2012-07-06 14:48:50 -0400) ---------------------------------------------------------------- Eliad Peller (1): mac80211: destroy assoc_data correctly if assoc fails John W. Linville (1): Merge branch 'master' of git://git.kernel.org/.../linville/wireless into for-davem Sasha Levin (1): NFC: Prevent NULL deref when getting socket name Thomas Huehn (3): mac80211: correct size the argument to kzalloc in minstrel_ht mwl8k: fix possible race condition in info->control.sta use mac80211: fix kzalloc memory corruption introduced in minstrel_ht drivers/net/wireless/mwl8k.c | 3 ++- net/mac80211/mlme.c | 6 ++---- net/mac80211/rc80211_minstrel_ht.c | 2 +- net/nfc/llcp/sock.c | 2 +- 4 files changed, 6 insertions(+), 7 deletions(-)