summaryrefslogtreecommitdiff
path: root/net/mac80211/debugfs_sta.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2016-10-18 23:12:08 +0300
committerJohannes Berg <johannes.berg@intel.com>2016-10-19 13:11:49 +0300
commit1c3d185a9a0b136a58e73b02912d593d0303d1da (patch)
treed7d51bc5b0057c491393372bb1b21c1479abb99b /net/mac80211/debugfs_sta.c
parenta1264c3d6c04f0e4e9d447caaa249d6288b01520 (diff)
downloadlinux-1c3d185a9a0b136a58e73b02912d593d0303d1da.tar.xz
mac80211: fix tid_agg_rx NULL dereference
On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag, we crash when the peer sends an AddBA request while we already have a session open on the seame TID; this is because on those drivers, the tid_agg_rx is left NULL even though the session is valid, and the agg_session_valid bit is set. To fix this, store the dialog tokens outside the tid_agg_rx to be able to compare them to the received AddBA request. Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update") Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/mac80211/debugfs_sta.c')
-rw-r--r--net/mac80211/debugfs_sta.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index a2fcdb47a0e6..14ec63a02669 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -205,7 +205,7 @@ static ssize_t sta_agg_status_read(struct file *file, char __user *userbuf,
p += scnprintf(p, sizeof(buf) + buf - p, "%02d", i);
p += scnprintf(p, sizeof(buf) + buf - p, "\t\t%x", !!tid_rx);
p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.2x",
- tid_rx ? tid_rx->dialog_token : 0);
+ tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0);
p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.3x",
tid_rx ? tid_rx->ssn : 0);