staging: r8712u: Fix potential crash issue
authorLarry Finger <Larry.Finger@lwfinger.net>
Tue, 31 Aug 2010 15:15:26 +0000 (10:15 -0500)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 31 Aug 2010 17:59:53 +0000 (10:59 -0700)
When the driver receives an ADDBA request frame from the AP, a crash
could occur.

Signed-off-by: Albert Wang <albert_wang@realtek.com.tw>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/staging/rtl8712/rtl871x_mlme.c

index fb3508a012c9f62eac6e328a3738d85799d9dbdf..98ba7602e25035f6f131d4d5d9bf6d5f17ee991c 100644 (file)
@@ -1036,21 +1036,19 @@ void r8712_got_addbareq_event_callback(struct _adapter *adapter, u8 *pbuf)
        struct  sta_info *psta;
        struct  sta_priv *pstapriv = &adapter->stapriv;
        struct  recv_reorder_ctrl *precvreorder_ctrl = NULL;
-       struct  __queue *ppending_recvframe_queue = NULL;
-       unsigned long irql;
 
        printk(KERN_INFO "r8712u: [%s] mac = %pM, seq = %d, tid = %d\n",
             __func__, pAddbareq_pram->MacAddress,
            pAddbareq_pram->StartSeqNum, pAddbareq_pram->tid);
        psta = r8712_get_stainfo(pstapriv, pAddbareq_pram->MacAddress);
-       precvreorder_ctrl = &psta->recvreorder_ctrl[pAddbareq_pram->tid];
-       ppending_recvframe_queue = &precvreorder_ctrl->pending_recvframe_queue;
-       spin_lock_irqsave(&ppending_recvframe_queue->lock, irql);
-       r8712_recv_indicatepkts_in_order(adapter, precvreorder_ctrl, true);
-       spin_unlock_irqrestore(&ppending_recvframe_queue->lock, irql);
-       /* set the indicate_seq to 0xffff so that the rx reorder can store
-        *  any following data packet.*/
-       precvreorder_ctrl->indicate_seq = 0xffff;
+       if (psta) {
+               precvreorder_ctrl =
+                        &psta->recvreorder_ctrl[pAddbareq_pram->tid];
+               /* set the indicate_seq to 0xffff so that the rx reorder
+                * can store any following data packet.
+                */
+               precvreorder_ctrl->indicate_seq = 0xffff;
+       }
 }
 
 void r8712_wpspbc_event_callback(struct _adapter *adapter, u8 *pbuf)
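Review bot: The index `pAddbareq_pram->tid` is still used unchecked in `&psta->recvreorder_ctrl[pAddbareq_pram->tid]`, so the new `if (psta)` guard covers an unknown station but not an out-of-range TID. The value is presumably parsed from `pbuf`, which per the commit message reflects an ADDBA request sent by the AP, so it should be treated as untrusted; an oversized value would make the `indicate_seq = 0xffff` store land outside the array. Assuming `recvreorder_ctrl` is a fixed-size array member of `struct sta_info` (its declaration is not in this hunk), the guard could be `if (psta && pAddbareq_pram->tid < ARRAY_SIZE(psta->recvreorder_ctrl)) {`. The start of the function, including how `pAddbareq_pram` is derived from `pbuf`, lies outside the hunk.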