
Merge tag 'nfc-fixes-3.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0

This is an NFC LLCP fix for 3.7 and contains only one patch.

It fixes a potential crash when receiving an LLCP HDLC frame acking a frame
that is not the last sent one. In that case we may dereference an already
freed pointer.

+10 -9
+6 -6
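--- a/drivers/net/wireless/iwlwifi/dvm/rxon.c
+++ b/drivers/net/wireless/iwlwifi/dvm/rxon.c
@@ -1012,12 +1012,12 @@
 	 * As a consequence, it's not as complicated as it sounds, just add
 	 * any lower rates to the ACK rate bitmap.
 	 */
-	if (IWL_RATE_11M_INDEX < lowest_present_ofdm)
-		ofdm |= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
-	if (IWL_RATE_5M_INDEX < lowest_present_ofdm)
-		ofdm |= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
-	if (IWL_RATE_2M_INDEX < lowest_present_ofdm)
-		ofdm |= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
+	if (IWL_RATE_11M_INDEX < lowest_present_cck)
+		cck |= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
+	if (IWL_RATE_5M_INDEX < lowest_present_cck)
+		cck |= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
+	if (IWL_RATE_2M_INDEX < lowest_present_cck)
+		cck |= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
 	/* 1M already there or needed so always add */
 	cck |= IWL_RATE_1M_MASK >> IWL_FIRST_CCK_RATE;
 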
-2
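--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -462,8 +462,6 @@
 		list_move_tail(&roc->list, &tmp_list);
 		roc->abort = true;
 	}
-
-	ieee80211_start_next_roc(local);
 	mutex_unlock(&local->mtx);
 
 	list_for_each_entry_safe(roc, tmp, &tmp_list, list) {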
+4 -1
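--- a/net/nfc/llcp/llcp.c
+++ b/net/nfc/llcp/llcp.c
@@ -985,15 +985,18 @@
 	/* Remove skbs from the pending queue */
 	if (llcp_sock->send_ack_n != nr) {
 		struct sk_buff *s, *tmp;
+		u8 n;
 
 		llcp_sock->send_ack_n = nr;
 
 		/* Remove and free all skbs until ns == nr */
 		skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
+			n = nfc_llcp_ns(s);
+
 			skb_unlink(s, &llcp_sock->tx_pending_queue);
 			kfree_skb(s);
 
-			if (nfc_llcp_ns(s) == nr)
+			if (n == nr)
 				break;
 		}
 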
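Review bot: The loop in the `send_ack_n != nr` branch still stops only when a queued frame's N(S) equals `nr`, so an `nr` that matches nothing in `tx_pending_queue` unlinks and frees every pending skb. Going by the commit message, `nr` comes from the received frame, and nothing visible in this hunk checks it against the frames actually outstanding. If the caller does not already do so, a range check on `nr` before `llcp_sock->send_ack_n = nr;` would keep a malformed or hostile acknowledgement from discarding unacknowledged data. The cached value also deserves a comment so the read is not later moved back below the free, for example `/* s is freed below; read N(S) first */` above `n = nfc_llcp_ns(s);`. The enclosing function starts and ends outside this hunk, so a check elsewhere in it cannot be ruled out.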