Hi Christian,

You have a very valid point here.
I will send a v3.

Greetings
Thomas

Christian Lamparter wrote:
> On Wed, Jul 11, 2012 at 7:32 AM, Thomas Huehn
> <thomas@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> info->control.sta may only be dereferenced during the drv_tx call otherwise
>> could lead to use-after-free bugs
>
> Don't forget many ieee80211_sta_* functions have to be called under RCU
> lock and the resulting pointer is only valid under RCU lock as well.
>
>> diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c
>> index df6c6f1..eec5cd1 100644
>> --- a/drivers/net/wireless/mwl8k.c
>> +++ b/drivers/net/wireless/mwl8k.c
>> @@ -1667,7 +1667,8 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw,
>>
>> info = IEEE80211_SKB_CB(skb);
>> if (ieee80211_is_data(wh->frame_control)) {
>
> + rcu_read_lock();
>
>> - sta = info->control.sta;
>> + sta = ieee80211_find_sta_by_ifaddr(hw, wh->addr1,
>> + wh->addr2);
>> if (sta) {
>> sta_info = MWL8K_STA(sta);
>> BUG_ON(sta_info == NULL);
>> [...]
>> }
>
> + rcu_read_unlock();
>
> Regards,
> Chr
> --
> To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
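
Review bot: In the mwl8k_txq_reclaim hunk, the new ieee80211_find_sta_by_ifaddr(hw, wh->addr1, wh->addr2) lookup and every later use of sta and sta_info are not inside an RCU read-side section as posted, so the pointer can go stale between the lookup and the dereference, which is the same use-after-free class the change is meant to close. As the reply suggests, take rcu_read_lock() before the lookup and call rcu_read_unlock() only after the closing brace of the if (sta) block, so that nothing derived from sta via MWL8K_STA(sta), including whatever sits in the elided [...] part, is touched after the unlock. A one-line comment at the lookup explaining why info->control.sta is no longer read here would help the next reader.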