2009-03-13 11:59:57

by Jouni Malinen

Subject: [PATCH] mac80211: Fix panic on fragmentation with power saving

It was possible to hit a kernel panic on NULL pointer dereference in
dev_queue_xmit() when sending power save buffered frames to a STA that
woke up from sleep. This happened when the buffered frame was requeued
for transmission in ap_sta_ps_end(). In order to avoid the panic, copy
the skb->dev and skb->iif values from the first fragment to all other
fragments.

Signed-off-by: Jouni Malinen <[email protected]>

---
net/mac80211/tx.c | 2 ++
1 file changed, 2 insertions(+)

--- kernel-debug.orig/net/mac80211/tx.c 2009-03-13 13:16:00.000000000 +0200
+++ kernel-debug/net/mac80211/tx.c 2009-03-13 13:39:01.000000000 +0200
@@ -784,6 +784,8 @@ ieee80211_tx_h_fragment(struct ieee80211
skb_copy_queue_mapping(frag, first);

frag->do_not_encrypt = first->do_not_encrypt;
+ frag->dev = first->dev;
+ frag->iif = first->iif;

pos += copylen;
left -= copylen;

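Review bot: the two added assignments, `frag->dev = first->dev;` and `frag->iif = first->iif;`, fix the immediate NULL dereference but leave the reason undocumented; a one-line comment above them saying that fragments are fresh skbs and must carry every field dev_queue_xmit() dereferences (dev, iif, queue mapping) would make the intent clear and help the next person who adds a per-skb field here. The pattern in this hunk, copying queue_mapping, do_not_encrypt, dev and iif one field at a time, is also worth a note in the commit message or code, since any field forgotten at this point only shows up as a crash on the requeue path through ap_sta_ps_end() rather than on the normal transmit path.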
--
Jouni Malinen PGP id EFC895FA