ath9k: fix a stale bf->bf_next pointer, potentially leading to double-free errors...

author Felix Fietkau <nbd@openwrt.org>

Thu, 25 Oct 2012 21:42:19 +0000 (21:42 +0000)

committer Felix Fietkau <nbd@openwrt.org>

Thu, 25 Oct 2012 21:42:19 +0000 (21:42 +0000)
author Felix Fietkau <nbd@openwrt.org>
Thu, 25 Oct 2012 21:42:19 +0000 (21:42 +0000)
committer Felix Fietkau <nbd@openwrt.org>
Thu, 25 Oct 2012 21:42:19 +0000 (21:42 +0000)
diff --git a/package/mac80211/patches/568-ath9k_fix_stale_pointer.patch b/package/mac80211/patches/568-ath9k_fix_stale_pointer.patch

new file mode 100644 (file)

index 0000000..95ed687
--- /dev/null
+++ b/package/mac80211/patches/568-ath9k_fix_stale_pointer.patch
@@ -0,0 +1,18 @@
+--- a/drivers/net/wireless/ath/ath9k/xmit.c
++++ b/drivers/net/wireless/ath/ath9k/xmit.c
+@@ -312,6 +312,7 @@ static struct ath_buf *ath_tx_get_buffer
+       }
+ 
+       bf = list_first_entry(&sc->tx.txbuf, struct ath_buf, list);
++      bf->bf_next = NULL;
+       list_del(&bf->list);
+ 
+       spin_unlock_bh(&sc->tx.txbuflock);
+@@ -1774,6 +1775,7 @@ static void ath_tx_send_normal(struct at
+       list_add_tail(&bf->list, &bf_head);
+       bf->bf_state.bf_type = 0;
+ 
++      bf->bf_next = NULL;
+       bf->bf_lastbf = bf;
+       ath_tx_fill_desc(sc, bf, txq, fi->framelen);
+       ath_tx_txqaddbuf(sc, txq, &bf_head, false);
author	Felix Fietkau <nbd@openwrt.org>
	Thu, 25 Oct 2012 21:42:19 +0000 (21:42 +0000)
committer	Felix Fietkau <nbd@openwrt.org>
	Thu, 25 Oct 2012 21:42:19 +0000 (21:42 +0000)