diff options
| author | John W. Linville <linville@tuxdriver.com> | 2012-12-06 14:55:57 -0500 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2012-12-06 14:55:57 -0500 |
| commit | 55cb0797fa779e36f62876a8aa44cbf3984e8d59 (patch) | |
| tree | ea84d334ec666e558d3e4c6dd259a8f239374432 /net | |
| parent | 795e9364215dc98b1dea888ebae22383ecbbb92a (diff) | |
| parent | 289814918ce3af1296ac7d9b05508bde64e97348 (diff) | |
Merge tag 'nfc-fixes-3.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0
This is an NFC LLCP fix for 3.7 and contains only one patch.
It fixes a potential crash when receiving an LLCP HDLC frame acking a frame
that is not the last sent one. In that case we may dereference an already
freed pointer.
Diffstat (limited to 'net')
| -rw-r--r-- | net/mac80211/offchannel.c | 2 | ||||
| -rw-r--r-- | net/nfc/llcp/llcp.c | 5 |
2 files changed, 4 insertions, 3 deletions
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c index 5abddfe3e101..a5379aea7d09 100644 --- a/net/mac80211/offchannel.c +++ b/net/mac80211/offchannel.c | |||
| @@ -462,8 +462,6 @@ void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata) | |||
| 462 | list_move_tail(&roc->list, &tmp_list); | 462 | list_move_tail(&roc->list, &tmp_list); |
| 463 | roc->abort = true; | 463 | roc->abort = true; |
| 464 | } | 464 | } |
| 465 | |||
| 466 | ieee80211_start_next_roc(local); | ||
| 467 | mutex_unlock(&local->mtx); | 465 | mutex_unlock(&local->mtx); |
| 468 | 466 | ||
| 469 | list_for_each_entry_safe(roc, tmp, &tmp_list, list) { | 467 | list_for_each_entry_safe(roc, tmp, &tmp_list, list) { |
diff --git a/net/nfc/llcp/llcp.c b/net/nfc/llcp/llcp.c index 2df87056c6df..ec43914c92a9 100644 --- a/net/nfc/llcp/llcp.c +++ b/net/nfc/llcp/llcp.c | |||
| @@ -985,15 +985,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local, | |||
| 985 | /* Remove skbs from the pending queue */ | 985 | /* Remove skbs from the pending queue */ |
| 986 | if (llcp_sock->send_ack_n != nr) { | 986 | if (llcp_sock->send_ack_n != nr) { |
| 987 | struct sk_buff *s, *tmp; | 987 | struct sk_buff *s, *tmp; |
| 988 | u8 n; | ||
| 988 | 989 | ||
| 989 | llcp_sock->send_ack_n = nr; | 990 | llcp_sock->send_ack_n = nr; |
| 990 | 991 | ||
| 991 | /* Remove and free all skbs until ns == nr */ | 992 | /* Remove and free all skbs until ns == nr */ |
| 992 | skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) { | 993 | skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) { |
| 994 | n = nfc_llcp_ns(s); | ||
| 995 | |||
| 993 | skb_unlink(s, &llcp_sock->tx_pending_queue); | 996 | skb_unlink(s, &llcp_sock->tx_pending_queue); |
| 994 | kfree_skb(s); | 997 | kfree_skb(s); |
| 995 | 998 | ||
| 996 | if (nfc_llcp_ns(s) == nr) | 999 | if (n == nr) |
| 997 | break; | 1000 | break; |
| 998 | } | 1001 | } |
| 999 | 1002 | ||