diff options
author | Jouni Malinen <j@w1.fi> | 2009-03-13 07:59:39 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-03-16 18:01:59 -0400 |
commit | 055249d20de06c290fe7625be0a7164bef3958f5 (patch) | |
tree | 01e03e8e32022dc01400f51befb8c843f4ea1bad | |
parent | 5ec905a8df3fa877566ba98298433fbfb3d688cc (diff) |
mac80211: Fix panic on fragmentation with power saving
It was possible to hit a kernel panic on NULL pointer dereference in
dev_queue_xmit() when sending power save buffered frames to a STA that
woke up from sleep. This happened when the buffered frame was requeued
for transmission in ap_sta_ps_end(). In order to avoid the panic, copy
the skb->dev and skb->iif values from the first fragment to all other
fragments.
Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/mac80211/tx.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index 94de5033f0b6..37e3d5ef7e3f 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c | |||
@@ -752,6 +752,8 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx) | |||
752 | skb_copy_queue_mapping(frag, first); | 752 | skb_copy_queue_mapping(frag, first); |
753 | 753 | ||
754 | frag->do_not_encrypt = first->do_not_encrypt; | 754 | frag->do_not_encrypt = first->do_not_encrypt; |
755 | frag->dev = first->dev; | ||
756 | frag->iif = first->iif; | ||
755 | 757 | ||
756 | pos += copylen; | 758 | pos += copylen; |
757 | left -= copylen; | 759 | left -= copylen; |