On Wed, Jul 11, 2012 at 7:32 AM, Thomas Huehn <thomas@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> info->control.sta may only be dereferenced during the drv_tx call otherwise
> could lead to use-after-free bugs

Don't forget many ieee80211_sta_* functions have to be called under RCU lock
and the resulting pointer is only valid under RCU lock as well.

>
> diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c
> index df6c6f1..eec5cd1 100644
> --- a/drivers/net/wireless/mwl8k.c
> +++ b/drivers/net/wireless/mwl8k.c
> @@ -1667,7 +1667,8 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw,
>
> info = IEEE80211_SKB_CB(skb);
> if (ieee80211_is_data(wh->frame_control)) {
+ rcu_read_lock();
> - sta = info->control.sta;
> + sta = ieee80211_find_sta_by_ifaddr(hw, wh->addr1,
> + wh->addr2);
> if (sta) {
> sta_info = MWL8K_STA(sta);
> BUG_ON(sta_info == NULL);
> [...]
> }
+ rcu_read_unlock();

Regards,
Chr
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
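Review bot: the new lookup `sta = ieee80211_find_sta_by_ifaddr(hw, wh->addr1, wh->addr2);` in mwl8k_txq_reclaim is missing the RCU read-side critical section that its return value requires, so as written the hunk trades the stale `info->control.sta` dereference (only valid during drv_tx, per the commit message) for a pointer that is equally unprotected once the lookup returns. Add `rcu_read_lock();` before the lookup and `rcu_read_unlock();` after the closing `}` of the `if (sta)` block, as the interleaved `+` lines in the reply propose, and keep the unlock after the last use of `sta` and of `sta_info = MWL8K_STA(sta);`, including whatever the `[...]` elides; nothing in that region may sleep or retain the pointer past the unlock.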