3.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 30 Jan 2013 10:16:04 +0000 (11:16 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 30 Jan 2013 10:16:04 +0000 (11:16 +0100)
added patches:
ath9k-fix-double-free-bug-on-beacon-generate-failure.patch

queue-3.0/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch [new file with mode: 0644]
queue-3.0/series

diff --git a/queue-3.0/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch b/queue-3.0/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch
new file mode 100644 (file)
index 0000000..7a10a72
--- /dev/null
@@ -0,0 +1,32 @@
+From 1adb2e2b5f85023d17eb4f95386a57029df27c88 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Wed, 9 Jan 2013 16:16:53 +0100
+Subject: ath9k: fix double-free bug on beacon generate failure
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 1adb2e2b5f85023d17eb4f95386a57029df27c88 upstream.
+
+When the next beacon is sent, the ath_buf from the previous run is reused.
+If getting a new beacon from mac80211 fails, bf->bf_mpdu is not reset, yet
+the skb is freed, leading to a double-free on the next beacon tx attempt,
+resulting in a system crash.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/beacon.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath9k/beacon.c
++++ b/drivers/net/wireless/ath/ath9k/beacon.c
+@@ -159,6 +159,7 @@ static struct ath_buf *ath_beacon_genera
+                                skb->len, DMA_TO_DEVICE);
+               dev_kfree_skb_any(skb);
+               bf->bf_buf_addr = 0;
++              bf->bf_mpdu = NULL;
+       }
+       /* Get a new beacon from mac80211 */
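Review bot: The added `bf->bf_mpdu = NULL;` in the queued beacon.c hunk carries no comment, and the reason for it cannot be read from the surrounding lines: the ath_buf is reused for every beacon, so a pointer left set after `dev_kfree_skb_any(skb)` is freed again on the next attempt if the mac80211 fetch that follows fails. I would put `/* bf is reused per beacon: drop the stale skb pointer so a failed beacon fetch cannot free it twice */` above the new line. A double free of an skb should be treated as kernel heap corruption and not only as the crash the description mentions. For this 3.0 backport it is therefore worth confirming that no other path in the function frees `bf->bf_mpdu` without clearing it. The function body starts and ends outside the hunk, so that cannot be checked from this page.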
index 01097411aad5a660a7e267e76128030ec5766f39..f5f0e64a4c918288d7645e669f6bd8710cb6a6e0 100644 (file)
@@ -5,3 +5,4 @@ fs-cifs-cifs_dfs_ref.c-fix-potential-memory-leakage.patch
 arm-dma-fix-struct-page-iterator-in-dma_cache_maint-to-work-with-sparsemem.patch
 bluetooth-fix-sending-hci-commands-after-reset.patch
 ath9k_htc-fix-memory-leak.patch
+ath9k-fix-double-free-bug-on-beacon-generate-failure.patch