Merge tag 'nfc-fixes-3.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0

This is an NFC LLCP fix for 3.7 and contains only one patch. It fixes a potential crash when receiving an LLCP HDLC frame acking a frame that is not the last sent one. In that case we may dereference an already freed pointer.

Merge tag 'nfc-fixes-3.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0
This is an NFC LLCP fix for 3.7 and contains only one patch. It fixes a potential crash when receiving an LLCP HDLC frame acking a frame that is not the last sent one. In that case we may dereference an already freed pointer.
John W. Linville
2 parents 795e936421 289814918c
Showing 3 changed files Side-by-side Diff
drivers/net/wireless/iwlwifi/dvm/rxon.c
net/mac80211/offchannel.c
net/nfc/llcp/llcp.c
@@ -1012,12 +1012,12 @@
 	 * As a consequence, it's not as complicated as it sounds, just add
 	 * any lower rates to the ACK rate bitmap.
 	 */
-	if (IWL_RATE_11M_INDEX < lowest_present_ofdm)
-		ofdm |= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
-	if (IWL_RATE_5M_INDEX < lowest_present_ofdm)
-		ofdm |= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
-	if (IWL_RATE_2M_INDEX < lowest_present_ofdm)
-		ofdm |= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
+	if (IWL_RATE_11M_INDEX < lowest_present_cck)
+		cck |= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
+	if (IWL_RATE_5M_INDEX < lowest_present_cck)
+		cck |= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
+	if (IWL_RATE_2M_INDEX < lowest_present_cck)
+		cck |= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
 	/* 1M already there or needed so always add */
 	cck |= IWL_RATE_1M_MASK >> IWL_FIRST_CCK_RATE;
  
@@ -462,8 +462,6 @@
 		list_move_tail(&roc->list, &tmp_list);
 		roc->abort = true;
 	}
-
-	ieee80211_start_next_roc(local);
 	mutex_unlock(&local->mtx);
  
 	list_for_each_entry_safe(roc, tmp, &tmp_list, list) {
@@ -985,15 +985,18 @@
 	/* Remove skbs from the pending queue */
 	if (llcp_sock->send_ack_n != nr) {
 		struct sk_buff *s, *tmp;
+		u8 n;
  
 		llcp_sock->send_ack_n = nr;
  
 		/* Remove and free all skbs until ns == nr */
 		skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
+			n = nfc_llcp_ns(s);
+
 			skb_unlink(s, &llcp_sock->tx_pending_queue);
 			kfree_skb(s);
  
-			if (nfc_llcp_ns(s) == nr)
+			if (n == nr)
 				break;
 		}
...	...	@@ -1012,12 +1012,12 @@
1012	1012	* As a consequence, it's not as complicated as it sounds, just add
1013	1013	* any lower rates to the ACK rate bitmap.
1014	1014	*/
1015		- if (IWL_RATE_11M_INDEX < lowest_present_ofdm)
1016		- ofdm \|= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
1017		- if (IWL_RATE_5M_INDEX < lowest_present_ofdm)
1018		- ofdm \|= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
1019		- if (IWL_RATE_2M_INDEX < lowest_present_ofdm)
1020		- ofdm \|= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
	1015	+ if (IWL_RATE_11M_INDEX < lowest_present_cck)
	1016	+ cck \|= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
	1017	+ if (IWL_RATE_5M_INDEX < lowest_present_cck)
	1018	+ cck \|= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
	1019	+ if (IWL_RATE_2M_INDEX < lowest_present_cck)
	1020	+ cck \|= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
1021	1021	/* 1M already there or needed so always add */
1022	1022	cck \|= IWL_RATE_1M_MASK >> IWL_FIRST_CCK_RATE;
1023	1023
...	...	@@ -462,8 +462,6 @@
462	462	list_move_tail(&roc->list, &tmp_list);
463	463	roc->abort = true;
464	464	}
465		-
466		- ieee80211_start_next_roc(local);
467	465	mutex_unlock(&local->mtx);
468	466
469	467	list_for_each_entry_safe(roc, tmp, &tmp_list, list) {
...	...	@@ -985,15 +985,18 @@
985	985	/* Remove skbs from the pending queue */
986	986	if (llcp_sock->send_ack_n != nr) {
987	987	struct sk_buff s, tmp;
	988	+ u8 n;
988	989
989	990	llcp_sock->send_ack_n = nr;
990	991
991	992	/* Remove and free all skbs until ns == nr */
992	993	skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
	994	+ n = nfc_llcp_ns(s);
	995	+
993	996	skb_unlink(s, &llcp_sock->tx_pending_queue);
994	997	kfree_skb(s);
995	998
996		- if (nfc_llcp_ns(s) == nr)
	999	+ if (n == nr)
997	1000	break;
998	1001	}
999	1002