Prev: [01/38] PARISC: led.c - fix potential stack overflow in led_proc_write()
Next: [06/38] amd64_edac: Correct scrub rate setting
From: Greg KH on 6 Aug 2010 14:50
2.6.35-stable review patch. If anyone has any objections, please let us know.

------------------

From: Felix Fietkau <nbd(a)openwrt.org>

commit 73e194639d90594d06d0c10019c0ab4638869135 upstream.

When ath_tx_complete_aggr() is called, it's responsible for returning
all buffers in the linked list. This was not done when the STA lookup
failed, leading to a race condition that could leak a few buffers when
a STA just disconnected.
Fix this by immediately returning all buffers to the free list in this case.

Signed-off-by: Felix Fietkau <nbd(a)openwrt.org>
Signed-off-by: John W. Linville <linville(a)tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)suse.de>

---
drivers/net/wireless/ath/ath9k/xmit.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -329,6 +329,7 @@ static void ath_tx_complete_aggr(struct
int isaggr, txfail, txpending, sendbar = 0, needreset = 0, nbad = 0;
bool rc_update = true;
struct ieee80211_tx_rate rates[4];
+ unsigned long flags;

skb = bf->bf_mpdu;
hdr = (struct ieee80211_hdr *)skb->data;
@@ -344,6 +345,10 @@ static void ath_tx_complete_aggr(struct
sta = ieee80211_find_sta_by_hw(hw, hdr->addr1);
if (!sta) {
rcu_read_unlock();
+
+ spin_lock_irqsave(&sc->tx.txbuflock, flags);
+ list_splice_tail_init(bf_q, &sc->tx.txbuf);
+ spin_unlock_irqrestore(&sc->tx.txbuflock, flags);
return;
}



--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
 | 
Pages: 1
Prev: [01/38] PARISC: led.c - fix potential stack overflow in led_proc_write()
Next: [06/38] amd64_edac: Correct scrub rate setting