zd_op_tx() must not return an arbitrary error value since that can
leave mac80211 trying to retransmit the frame and with the extra data
pushed into the beginning of the skb on every attempt, this will end up
causing a kernel panic (skb_under_panic from skb_push call). This can
happen, e.g., when ejecting the device when associated.
Signed-off-by: Jouni Malinen <[email protected]>
---
drivers/net/wireless/zd1211rw/zd_mac.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- wireless-testing.orig/drivers/net/wireless/zd1211rw/zd_mac.c 2009-02-28 00:24:24.000000000 +0200
+++ wireless-testing/drivers/net/wireless/zd1211rw/zd_mac.c 2009-03-16 21:44:07.000000000 +0200
@@ -575,13 +575,17 @@ static int zd_op_tx(struct ieee80211_hw
r = fill_ctrlset(mac, skb);
if (r)
- return r;
+ goto fail;
info->rate_driver_data[0] = hw;
r = zd_usb_tx(&mac->chip.usb, skb);
if (r)
- return r;
+ goto fail;
+ return 0;
+
+fail:
+ dev_kfree_skb(skb);
return 0;
}
--
Jouni Malinen PGP id EFC895FA
On Mon, 2009-03-16 at 21:47 +0200, Jouni Malinen wrote:
> zd_op_tx() must not return an arbitrary error value since that can
> leave mac80211 trying to retransmit the frame and with the extra data
> pushed into the beginning of the skb on every attempt, this will end up
> causing a kernel panic (skb_under_panic from skb_push call). This can
> happen, e.g., when ejecting the device when associated.
>
> Signed-off-by: Jouni Malinen <[email protected]>
Should be for the various stable versions too. All of them, most likely.
johannes
> ---
> drivers/net/wireless/zd1211rw/zd_mac.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> --- wireless-testing.orig/drivers/net/wireless/zd1211rw/zd_mac.c 2009-02-28 00:24:24.000000000 +0200
> +++ wireless-testing/drivers/net/wireless/zd1211rw/zd_mac.c 2009-03-16 21:44:07.000000000 +0200
> @@ -575,13 +575,17 @@ static int zd_op_tx(struct ieee80211_hw
>
> r = fill_ctrlset(mac, skb);
> if (r)
> - return r;
> + goto fail;
>
> info->rate_driver_data[0] = hw;
>
> r = zd_usb_tx(&mac->chip.usb, skb);
> if (r)
> - return r;
> + goto fail;
> + return 0;
> +
> +fail:
> + dev_kfree_skb(skb);
> return 0;
> }
>
>
Hello Jouni,
Thanks! :)
Regards
Alina
--=20
Neu: GMX FreeDSL Komplettanschluss mit DSL 6.000 Flatrate + Telefonansc=
hluss f=FCr nur 17,95 Euro/mtl.!* http://dsl.gmx.de/?ac=3DOM.AD.PD003K1=
1308T4569a