mwl8k: fix possible race condition in info->control.sta usemaster-2012-07-11

info->control.sta may only be dereferenced during the drv_tx call otherwise could lead to use-after-free bugs Reported-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Thomas Huehn <thomas@net.t-labs.tu-berlin.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Thomas Huehn <thomas@net.t-labs.tu-berlin.de> 2012-07-11 13:21:41 +0200
committer: John W. Linville <linville@tuxdriver.com> 2012-07-11 16:24:55 -0400
commit: 89e1180121f281af16855d4954b9fe3d7354fe73 (patch)
tree: 938aa107885c2a1664e8fdcd21f174b98ea2c162
parent: 7c41f3159ca4f04dfc22c791fd96d3d057dcaf90 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c
index cf7bdc66f822..224e03ade145 100644
--- a/drivers/net/wireless/mwl8k.c
+++ b/drivers/net/wireless/mwl8k.c
@@ -1665,7 +1665,9 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw, int index, int limit, int force)
 
 		info = IEEE80211_SKB_CB(skb);
 		if (ieee80211_is_data(wh->frame_control)) {
-			sta = info->control.sta;
+			rcu_read_lock();
+			sta = ieee80211_find_sta_by_ifaddr(hw, wh->addr1,
+							   wh->addr2);
 			if (sta) {
 				sta_info = MWL8K_STA(sta);
 				BUG_ON(sta_info == NULL);
@@ -1682,6 +1684,7 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw, int index, int limit, int force)
 					sta_info->is_ampdu_allowed = true;
 				}
 			}
+			rcu_read_unlock();
 		}
 
 		ieee80211_tx_info_clear_status(info);
author	Thomas Huehn <thomas@net.t-labs.tu-berlin.de>	2012-07-11 13:21:41 +0200
committer	John W. Linville <linville@tuxdriver.com>	2012-07-11 16:24:55 -0400
commit	89e1180121f281af16855d4954b9fe3d7354fe73 (patch)
tree	938aa107885c2a1664e8fdcd21f174b98ea2c162
parent	7c41f3159ca4f04dfc22c791fd96d3d057dcaf90 (diff)