authorJérôme Pouiller <jerome.pouiller@silabs.com>2020-01-15 16:55:10 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-01-16 22:59:51 +0300
commit76b5c2ce468fc7fa5f4daf727bbefa6f8a2d7a02 (patch)
tree6ff639a883862d9ebe52abe59e0cf116fb2515f9
parent7d2d2bfdeb82c383f5cd8b93b1c234249c1a588c (diff)
downloadlinux-76b5c2ce468fc7fa5f4daf727bbefa6f8a2d7a02.tar.xz
staging: wfx: fix bss_loss
wfx_tx_confirm_cb() retrieves the station associated with a frame using the MAC address from the 802.11 header. On the other side, wfx_tx() retrieves the station using the sta field from the ieee80211_tx_control argument. In wfx_cqm_bssloss_sm(), wfx_tx() was called directly without a valid sta field, but with a valid MAC address in the 802.11 header. So the processing of this packet was unbalanced and may produce weird bugs. Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com> Link: https://lore.kernel.org/r/20200115135338.14374-48-Jerome.Pouiller@silabs.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/staging/wfx/sta.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/staging/wfx/sta.c b/drivers/staging/wfx/sta.c
index aebce96dcd4a..1c10ebd11944 100644
--- a/drivers/staging/wfx/sta.c
+++ b/drivers/staging/wfx/sta.c
@@ -88,19 +88,25 @@ void wfx_cqm_bssloss_sm(struct wfx_vif *wvif, int init, int good, int bad)
// FIXME: call ieee80211_beacon_loss/ieee80211_connection_loss instead
if (tx) {
struct sk_buff *skb;
+ struct ieee80211_hdr *hdr;
+ struct ieee80211_tx_control control = { };
wvif->bss_loss_state++;
skb = ieee80211_nullfunc_get(wvif->wdev->hw, wvif->vif, false);
if (!skb)
goto end;
+ hdr = (struct ieee80211_hdr *)skb->data;
memset(IEEE80211_SKB_CB(skb), 0,
sizeof(*IEEE80211_SKB_CB(skb)));
IEEE80211_SKB_CB(skb)->control.vif = wvif->vif;
IEEE80211_SKB_CB(skb)->driver_rates[0].idx = 0;
IEEE80211_SKB_CB(skb)->driver_rates[0].count = 1;
IEEE80211_SKB_CB(skb)->driver_rates[1].idx = -1;
- wfx_tx(wvif->wdev->hw, NULL, skb);
+ rcu_read_lock(); // protect control.sta
+ control.sta = ieee80211_find_sta(wvif->vif, hdr->addr1);
+ wfx_tx(wvif->wdev->hw, &control, skb);
+ rcu_read_unlock();
}
end:
mutex_unlock(&wvif->bss_loss_lock);
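Review bot: The result of `ieee80211_find_sta(wvif->vif, hdr->addr1)` is passed to wfx_tx() unchecked, so a failed lookup leaves `control.sta` NULL and recreates the sta/MAC-address mismatch that the commit message describes. This path runs while the BSS is suspected lost, which is when a missing station entry seems most plausible. The body of wfx_tx() is outside this hunk, so whether it tolerates a NULL sta cannot be confirmed from here. Either test `if (!control.sta)` before the call and handle that case explicitly, or record the assumption with a comment such as `// control.sta may be NULL if the station is already gone; wfx_tx() must cope`. The existing `// protect control.sta` comment could also state that wfx_tx() now runs inside an RCU read-side section and therefore must not sleep.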