Commit 055249d2, authored by Jouni Malinen, committed by John W. Linville

mac80211: Fix panic on fragmentation with power saving

It was possible to hit a kernel panic on NULL pointer dereference in
dev_queue_xmit() when sending power save buffered frames to a STA that
woke up from sleep. This happened when the buffered frame was requeued
for transmission in ap_sta_ps_end(). In order to avoid the panic, copy
the skb->dev and skb->iif values from the first fragment to all other
fragments.
Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Parent 5ec905a8
...@@ -752,6 +752,8 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx) ...@@ -752,6 +752,8 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx)
skb_copy_queue_mapping(frag, first); skb_copy_queue_mapping(frag, first);
frag->do_not_encrypt = first->do_not_encrypt; frag->do_not_encrypt = first->do_not_encrypt;
frag->dev = first->dev;
frag->iif = first->iif;
pos += copylen; pos += copylen;
left -= copylen; left -= copylen;
......
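Review bot: the two added assignments after frag->do_not_encrypt (frag->dev = first->dev; frag->iif = first->iif;) carry no comment saying why a fragment needs them, and the reason is not visible at this spot. Per the commit message, a fragment buffered for a sleeping STA is later requeued from ap_sta_ps_end() and dev_queue_xmit() dereferences skb->dev, so a one-line comment here would keep a later cleanup from dropping these lines and reintroducing the NULL dereference. The loop now copies four pieces of state from first one at a time (queue mapping, do_not_encrypt, dev, iif); consider gathering them in a small helper so that any further per-skb field the requeue path depends on is added in one place.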