diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2016-10-18 20:12:08 (GMT) |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-01-12 10:39:23 (GMT) |
| commit | cd84516473a78a6932b1e034e71742e14842e8dc (patch) | |
| tree | 85d57548ce1394f9379be2aa138c14ff3b9f0efd /net/mac80211/debugfs_sta.c | |
| parent | 1d9c33f1b45ccc1dfbf55c97d7e1d02155e05787 (diff) | |
| download | linux-cd84516473a78a6932b1e034e71742e14842e8dc.tar.xz | |
mac80211: fix tid_agg_rx NULL dereference
commit 1c3d185a9a0b136a58e73b02912d593d0303d1da upstream.
On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag,
we crash when the peer sends an AddBA request while we already
have a session open on the seame TID; this is because on those
drivers, the tid_agg_rx is left NULL even though the session is
valid, and the agg_session_valid bit is set.
To fix this, store the dialog tokens outside the tid_agg_rx to
be able to compare them to the received AddBA request.
Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update")
Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net/mac80211/debugfs_sta.c')
| -rw-r--r-- | net/mac80211/debugfs_sta.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c index a2fcdb4..14ec63a 100644 --- a/net/mac80211/debugfs_sta.c +++ b/net/mac80211/debugfs_sta.c @@ -205,7 +205,7 @@ static ssize_t sta_agg_status_read(struct file *file, char __user *userbuf, p += scnprintf(p, sizeof(buf) + buf - p, "%02d", i); p += scnprintf(p, sizeof(buf) + buf - p, "\t\t%x", !!tid_rx); p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.2x", - tid_rx ? tid_rx->dialog_token : 0); + tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0); p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.3x", tid_rx ? tid_rx->ssn : 0); |