mac80211: fix a crash on accessing stale skb->dev references

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@33279 3c298f89-4303-0410-b956-a3cf2f4a3e73

1 files changed, 32 insertions, 0 deletions

diff --git a/package/mac80211/patches/580-mac80211_tx_status_crash.patch b/package/mac80211/patches/580-mac80211_tx_status_crash.patch
new file mode 100644
index 000000000..abcf56e1d
--- /dev/null
+++ b/package/mac80211/patches/580-mac80211_tx_status_crash.patch
@@ -0,0 +1,32 @@
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -517,6 +517,8 @@ void ieee80211_tx_status(struct ieee8021
+ 
+ 	if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+ 		u64 cookie = (unsigned long)skb;
++		bool found = false;
++
+ 		acked = info->flags & IEEE80211_TX_STAT_ACK;
+ 
+ 		/*
+@@ -524,8 +526,18 @@ void ieee80211_tx_status(struct ieee8021
+ 		 * we cannot use skb->dev->ieee80211_ptr
+ 		 */
+ 
+-		if (ieee80211_is_nullfunc(hdr->frame_control) ||
+-		    ieee80211_is_qos_nullfunc(hdr->frame_control))
++		list_for_each_entry_rcu(sdata, &local->interfaces, list) {
++			if (skb->dev != sdata->dev)
++				continue;
++
++			found = true;
++			break;
++		}
++
++		if (!found)
++			skb->dev = NULL;
++		else if (ieee80211_is_nullfunc(hdr->frame_control) ||
++			 ieee80211_is_qos_nullfunc(hdr->frame_control))
+ 			cfg80211_probe_status(skb->dev, hdr->addr1,
+ 					      cookie, acked, GFP_ATOMIC);
+ 		else