It was possible to hit a kernel panic on NULL pointer dereference in dev_queue_xmit() when sending power save buffered frames to a STA that woke up from sleep. This happened when the buffered frame was requeued for transmission in ap_sta_ps_end(). In order to avoid the panic, copy the skb->dev and skb->iif values from the first fragment to all other fragments. Signed-off-by: Jouni Malinen <jouni.malinen@xxxxxxxxxxx> --- net/mac80211/tx.c | 2 ++ 1 file changed, 2 insertions(+) --- kernel-debug.orig/net/mac80211/tx.c 2009-03-13 13:16:00.000000000 +0200 +++ kernel-debug/net/mac80211/tx.c 2009-03-13 13:39:01.000000000 +0200 @@ -784,6 +784,8 @@ ieee80211_tx_h_fragment(struct ieee80211 skb_copy_queue_mapping(frag, first); frag->do_not_encrypt = first->do_not_encrypt; + frag->dev = first->dev; + frag->iif = first->iif; pos += copylen; left -= copylen; -- Jouni Malinen PGP id EFC895FA -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
