Skip to content

Commit

Permalink
mac80211: Fix panic on fragmentation with power saving
Browse files Browse the repository at this point in the history 
It was possible to hit a kernel panic on NULL pointer dereference in
dev_queue_xmit() when sending power save buffered frames to a STA that
woke up from sleep. This happened when the buffered frame was requeued
for transmission in ap_sta_ps_end(). In order to avoid the panic, copy
the skb->dev and skb->iif values from the first fragment to all other
fragments.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
  • Loading branch information
Jouni Malinen authored and John W. Linville committed Mar 16, 2009
1 parent 5ec905a commit 055249d
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions net/mac80211/tx.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -752,6 +752,8 @@ ieee80211_tx_h_fragment(struct ieee80211_tx_data *tx)
skb_copy_queue_mapping(frag, first);

frag->do_not_encrypt = first->do_not_encrypt;
frag->dev = first->dev;
frag->iif = first->iif;

pos += copylen;
left -= copylen;
Expand Down

0 comments on commit 055249d

Please sign in to comment.