The ieee80211_ioctl_giwrate() ioctl handler doesn't rcu_read_lock() its access to the sta table, fix it. Signed-off-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx> --- net/mac80211/ieee80211_ioctl.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) --- everything.orig/net/mac80211/ieee80211_ioctl.c 2008-04-04 17:48:11.000000000 +0200 +++ everything/net/mac80211/ieee80211_ioctl.c 2008-04-04 17:48:56.000000000 +0200 @@ -586,19 +586,25 @@ static int ieee80211_ioctl_giwrate(struc sdata = IEEE80211_DEV_TO_SUB_IF(dev); - if (sdata->vif.type == IEEE80211_IF_TYPE_STA) - sta = sta_info_get(local, sdata->u.sta.bssid); - else + if (sdata->vif.type != IEEE80211_IF_TYPE_STA) return -EOPNOTSUPP; - if (!sta) - return -ENODEV; sband = local->hw.wiphy->bands[local->hw.conf.channel->band]; - if (sta->txrate_idx < sband->n_bitrates) + rcu_read_lock(); + + sta = sta_info_get(local, sdata->u.sta.bssid); + + if (sta && sta->txrate_idx < sband->n_bitrates) rate->value = sband->bitrates[sta->txrate_idx].bitrate; else rate->value = 0; + + rcu_read_unlock(); + + if (!sta) + return -ENODEV; + rate->value *= 100000; return 0; -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
