From 1e81b043ef7ad3b4ae67beef6a90181e0cdc77a8 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes@sipsolutions.net>
Date: Mon, 27 Jul 2009 10:33:31 +0200
Subject: [PATCH] --- yaml --- r: 159280 b: refs/heads/master c:
 a7bc376c858e0e724b8cb2db09b6874562d377ca h: refs/heads/master v: v3

---
 [refs]                    |  2 +-
 trunk/net/mac80211/tx.c   |  5 +++++
 trunk/net/mac80211/util.c | 13 +++++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/[refs] b/[refs]
index 966bf7168468..e6e373340821 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: f9d6b402603a63b5e5b56bd7a79fa72a818be55b
+refs/heads/master: a7bc376c858e0e724b8cb2db09b6874562d377ca
diff --git a/trunk/net/mac80211/tx.c b/trunk/net/mac80211/tx.c
index 9e5dff1c8f27..4e1b2ba122cd 100644
--- a/trunk/net/mac80211/tx.c
+++ b/trunk/net/mac80211/tx.c
@@ -1889,6 +1889,11 @@ void ieee80211_tx_pending(unsigned long data)
 			struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
 			struct ieee80211_sub_if_data *sdata;
 
+			if (WARN_ON(!info->control.vif)) {
+				kfree_skb(skb);
+				continue;
+			}
+
 			sdata = vif_to_sdata(info->control.vif);
 			dev_hold(sdata->dev);
 			spin_unlock_irqrestore(&local->queue_stop_reason_lock,
diff --git a/trunk/net/mac80211/util.c b/trunk/net/mac80211/util.c
index 7fc55846d601..8502936e5314 100644
--- a/trunk/net/mac80211/util.c
+++ b/trunk/net/mac80211/util.c
@@ -336,6 +336,12 @@ void ieee80211_add_pending_skb(struct ieee80211_local *local,
 	struct ieee80211_hw *hw = &local->hw;
 	unsigned long flags;
 	int queue = skb_get_queue_mapping(skb);
+	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+
+	if (WARN_ON(!info->control.vif)) {
+		kfree(skb);
+		return;
+	}
 
 	spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
 	__ieee80211_stop_queue(hw, queue, IEEE80211_QUEUE_STOP_REASON_SKB_ADD);
@@ -358,6 +364,13 @@ int ieee80211_add_pending_skbs(struct ieee80211_local *local,
 			IEEE80211_QUEUE_STOP_REASON_SKB_ADD);
 
 	while ((skb = skb_dequeue(skbs))) {
+		struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+
+		if (WARN_ON(!info->control.vif)) {
+			kfree(skb);
+			continue;
+		}
+
 		ret++;
 		queue = skb_get_queue_mapping(skb);
 		__skb_queue_tail(&local->pending[queue], skb);