On Fri, 2012-09-07 at 16:54 +0200, Felix Fietkau wrote:
> +	if (!skb->dev) {
> 		p2p_sdata = rcu_dereference(local->p2p_sdata);
> 		if (p2p_sdata) {
> -			cfg80211_mgmt_tx_status(
> -				&p2p_sdata->wdev, cookie, skb->data,
> -				skb->len, acked, GFP_ATOMIC);
> +			skb->dev = p2p_sdata->dev;
> +			found = true;

What's the point of this? p2p_sdata->dev will be NULL, just like skb->dev
already is?

> 		}
> -		rcu_read_unlock();
> 	}
> +
> +	if (!found)
> +		skb->dev = NULL;
> +	else if (ieee80211_is_nullfunc(hdr->frame_control) ||
> +		 ieee80211_is_qos_nullfunc(hdr->frame_control)) {
> +		cfg80211_probe_status(skb->dev, hdr->addr1,
> +				      cookie, acked, GFP_ATOMIC);
> +	} else {
> +		cfg80211_mgmt_tx_status(
> +			skb->dev->ieee80211_ptr, cookie, skb->data,
> +			skb->len, acked, GFP_ATOMIC);

And therefore this will crash.

johannes

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
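Review bot: the `!skb->dev` branch sets `found = true` after `skb->dev = p2p_sdata->dev` without checking that the assigned pointer is non-NULL, so when the P2P device interface has no netdev (the case raised in the reply above) the code falls through to the `else` path and dereferences `skb->dev->ieee80211_ptr` on a NULL `skb->dev`. The removed call `cfg80211_mgmt_tx_status(&p2p_sdata->wdev, ...)` handled that case without going through a netdev; suggest keeping a wdev-based path for `p2p_sdata` (or only setting `found` when `p2p_sdata->dev` is non-NULL) rather than routing it through `skb->dev`. Separately, the hunk drops `rcu_read_unlock()` but the matching `rcu_read_lock()` is outside the shown context; confirm the lock is still released on every path through this block.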