ath9k: fix access to a freed skb in ath_rx_tasklet()

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/drivers/net/wireless/ath9k/recv.c b/drivers/net/wireless/ath9k/recv.c
index 71cb18d6757d..dd1f30156740 100644
--- a/drivers/net/wireless/ath9k/recv.c
+++ b/drivers/net/wireless/ath9k/recv.c
@@ -493,6 +493,7 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush)
         int hdrlen, padsize, retval;
         bool decrypt_error = false;
         u8 keyix;
+        __le16 fc;
 
         spin_lock_bh(&sc->rx.rxbuflock);
 
@@ -606,6 +607,7 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush)
                 /* see if any padding is done by the hw and remove it */
                 hdr = (struct ieee80211_hdr *)skb->data;
                 hdrlen = ieee80211_get_hdrlen_from_skb(skb);
+                fc = hdr->frame_control;
 
                 /* The MAC header is padded to have 32-bit boundary if the
                  * packet payload is non-zero. The general calculation for
@@ -690,7 +692,7 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush)
                         sc->rx.rxotherant = 0;
                 }
 
-                if (ieee80211_is_beacon(hdr->frame_control) &&
+                if (ieee80211_is_beacon(fc) &&
                                 (sc->sc_flags & SC_OP_WAIT_FOR_BEACON)) {
                         sc->sc_flags &= ~SC_OP_WAIT_FOR_BEACON;
                         ath9k_hw_setpower(sc->sc_ah, ATH9K_PM_NETWORK_SLEEP);