1 files changed, 14 insertions, 2 deletions

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 6e2a7bcd8cb8..be9abc2e6348 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1818,17 +1818,26 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
                 return RX_CONTINUE;
 
         if (ieee80211_is_back_req(bar->frame_control)) {
+                struct {
+                        __le16 control, start_seq_num;
+                } __packed bar_data;
+
                 if (!rx->sta)
                         return RX_DROP_MONITOR;
+
+                if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
+                                  &bar_data, sizeof(bar_data)))
+                        return RX_DROP_MONITOR;
+
                 spin_lock(&rx->sta->lock);
-                tid = le16_to_cpu(bar->control) >> 12;
+                tid = le16_to_cpu(bar_data.control) >> 12;
                 if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {
                         spin_unlock(&rx->sta->lock);
                         return RX_DROP_MONITOR;
                 }
                 tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
 
-                start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;
+                start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
 
                 /* reset session timer */
                 if (tid_agg_rx->timeout)
@@ -1935,6 +1944,9 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                 if (len < IEEE80211_MIN_ACTION_SIZE + 1)
                         break;
 
+                if (sdata->vif.type == NL80211_IFTYPE_STATION)
+                        return ieee80211_sta_rx_mgmt(sdata, rx->skb);
+
                 switch (mgmt->u.action.u.addba_req.action_code) {
                 case WLAN_ACTION_ADDBA_REQ:
                         if (len < (IEEE80211_MIN_ACTION_SIZE +