From: Felix Fietkau <nbd@openwrt.org>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: Stephen Blackheath <tramp.enshrine.stephen@blacksapphire.com>,
"John W. Linville" <linville@tuxdriver.com>,
Ben Martel <benm@symmetric.co.nz>,
linux-wireless <linux-wireless@vger.kernel.org>
Subject: [PATCH] mac80211 fix regression introduced by "mac80211: free up 2 bytes in skb->cb"
Date: Tue, 14 Oct 2008 23:57:43 +0200 [thread overview]
Message-ID: <48F515D7.9030002@openwrt.org> (raw)
In-Reply-To: <1223990364.10113.28.camel@johannes.berg>
The hw_key pointer is used (and obviously NULL) after skb->cb is
memset to 0. This patch grabs the iv_len before the memset call.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Stephen Blackheath <tramp.enshrine.stephen@blacksapphire.com>
diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
index 1676ac4..451d410 100644
--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
@@ -374,7 +374,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
struct queue_entry *entry = rt2x00queue_get_entry(queue, Q_INDEX);
struct txentry_desc txdesc;
struct skb_frame_desc *skbdesc;
- unsigned int iv_len;
+ unsigned int iv_len = 0;
if (unlikely(rt2x00queue_full(queue)))
return -EINVAL;
@@ -395,6 +395,9 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
entry->skb = skb;
rt2x00queue_create_tx_descriptor(entry, &txdesc);
+ if (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)
+ iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
+
/*
* All information is retreived from the skb->cb array,
* now we should claim ownership of the driver part of that
@@ -410,9 +413,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
* the frame so we can provide it to the driver seperately.
*/
if (test_bit(ENTRY_TXD_ENCRYPT, &txdesc.flags) &&
- !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags) &&
- (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)) {
- iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
+ !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags)) {
rt2x00crypto_tx_remove_iv(skb, iv_len);
}
next prev parent reply other threads:[~2008-10-14 21:58 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <48F416A3.3060205@blacksapphire.com>
2008-10-14 13:19 ` Problem with "mac80211: free up 2 bytes in skb->cb" Johannes Berg
2008-10-14 21:57 ` Felix Fietkau [this message]
2008-10-14 22:00 ` [PATCH] mac80211 fix regression introduced by " Johannes Berg
2008-10-14 22:05 ` Felix Fietkau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48F515D7.9030002@openwrt.org \
--to=nbd@openwrt.org \
--cc=benm@symmetric.co.nz \
--cc=johannes@sipsolutions.net \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=tramp.enshrine.stephen@blacksapphire.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.