From 539588817ac89e9c1bdaa4d03a428cd24d011059 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 30 Jan 2013 11:16:04 +0100
Subject: [PATCH] 3.0-stable patches

added patches:
	ath9k-fix-double-free-bug-on-beacon-generate-failure.patch
---
 ...-free-bug-on-beacon-generate-failure.patch | 32 +++++++++++++++++++
 queue-3.0/series                              |  1 +
 2 files changed, 33 insertions(+)
 create mode 100644 queue-3.0/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch

diff --git a/queue-3.0/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch b/queue-3.0/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch
new file mode 100644
index 00000000000..7a10a72141b
--- /dev/null
+++ b/queue-3.0/ath9k-fix-double-free-bug-on-beacon-generate-failure.patch
@@ -0,0 +1,32 @@
+From 1adb2e2b5f85023d17eb4f95386a57029df27c88 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Wed, 9 Jan 2013 16:16:53 +0100
+Subject: ath9k: fix double-free bug on beacon generate failure
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 1adb2e2b5f85023d17eb4f95386a57029df27c88 upstream.
+
+When the next beacon is sent, the ath_buf from the previous run is reused.
+If getting a new beacon from mac80211 fails, bf->bf_mpdu is not reset, yet
+the skb is freed, leading to a double-free on the next beacon tx attempt,
+resulting in a system crash.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/beacon.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath9k/beacon.c
++++ b/drivers/net/wireless/ath/ath9k/beacon.c
+@@ -159,6 +159,7 @@ static struct ath_buf *ath_beacon_genera
+ 				 skb->len, DMA_TO_DEVICE);
+ 		dev_kfree_skb_any(skb);
+ 		bf->bf_buf_addr = 0;
++		bf->bf_mpdu = NULL;
+ 	}
+ 
+ 	/* Get a new beacon from mac80211 */
diff --git a/queue-3.0/series b/queue-3.0/series
index 01097411aad..f5f0e64a4c9 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -5,3 +5,4 @@ fs-cifs-cifs_dfs_ref.c-fix-potential-memory-leakage.patch
 arm-dma-fix-struct-page-iterator-in-dma_cache_maint-to-work-with-sparsemem.patch
 bluetooth-fix-sending-hci-commands-after-reset.patch
 ath9k_htc-fix-memory-leak.patch
+ath9k-fix-double-free-bug-on-beacon-generate-failure.patch
-- 
2.47.3