This is an NFC LLCP fix for 3.7 and contains only one patch.
It fixes a potential crash when receiving an LLCP HDLC frame acking a frame that is not the last sent one. In that case we may dereference an already freed pointer. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAABAgAGBQJQt0kOAAoJEIqAPN1PVmxKpxoQAJwbaylVz/miDjJLPekDhQ+z YkDmtBWJD9oy5GS/EUZPRIIEj+Ftaao0lAJDP4couYiZPQbrRBY1llBOxcIzkCqR fsAaD8jnPRGHwWtdqws8txFePh4Hn5WXHmJbcsOyVGt4gmy/xT06gme4p3VdIQIP XIkbss5mz29OdQwOLHzH4zva7JtZm9XOEWYWAbbFsrgNxXLBt7GhfF92TT29K4Wt UxFalwMYrpowY+BCBWzS1H31wVvNaDcsBRSO0hqvUZb7DgWM2b25B4Xnx3LiyLHR 9A17LWYso6mRhQPSqqhT5wWlKNT1G5VKZ8/X0i69ZLXi040NzpvMbvq41RhM9SwN bmWZNUWGrGkQJY6VPAdXeraoSmSNwOD4KnLXNV8rWmmg+NSzf8ZPWNCcxNEdIMnK oBe7vvk3j5z6QGNPeMB5C3hfpyRwyvRTqC9O5/dO7DOYD0lb0O6tuj1/MzhsOR2L pzBUjkvfJBA0FXdeDD7gFwR062uJZL4hinRpFPj4qTtFWPYypirWdnRpCSZbvbeW ZB3k7+8oNOGhn1TYPUmWsN1GNk2EJ4ZSpAf7BUI5Vb1KmcSpUQA6BN6yPlS/WQ4U eowwW+sUYPu5LixMCO/LtuUllJ/RCTzdQJH6j/hZlEqmfYs00emKNa08tk15XjGF zn2jXJjTykbYiVRirBR5 =tpAI -----END PGP SIGNATURE----- Merge tag 'nfc-fixes-3.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0 This is an NFC LLCP fix for 3.7 and contains only one patch. It fixes a potential crash when receiving an LLCP HDLC frame acking a frame that is not the last sent one. In that case we may dereference an already freed pointer.
This commit is contained in:
commit
55cb0797fa
@ -1012,12 +1012,12 @@ static void iwl_calc_basic_rates(struct iwl_priv *priv,
|
||||
* As a consequence, it's not as complicated as it sounds, just add
|
||||
* any lower rates to the ACK rate bitmap.
|
||||
*/
|
||||
if (IWL_RATE_11M_INDEX < lowest_present_ofdm)
|
||||
ofdm |= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
|
||||
if (IWL_RATE_5M_INDEX < lowest_present_ofdm)
|
||||
ofdm |= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
|
||||
if (IWL_RATE_2M_INDEX < lowest_present_ofdm)
|
||||
ofdm |= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
|
||||
if (IWL_RATE_11M_INDEX < lowest_present_cck)
|
||||
cck |= IWL_RATE_11M_MASK >> IWL_FIRST_CCK_RATE;
|
||||
if (IWL_RATE_5M_INDEX < lowest_present_cck)
|
||||
cck |= IWL_RATE_5M_MASK >> IWL_FIRST_CCK_RATE;
|
||||
if (IWL_RATE_2M_INDEX < lowest_present_cck)
|
||||
cck |= IWL_RATE_2M_MASK >> IWL_FIRST_CCK_RATE;
|
||||
/* 1M already there or needed so always add */
|
||||
cck |= IWL_RATE_1M_MASK >> IWL_FIRST_CCK_RATE;
|
||||
|
||||
|
@ -462,8 +462,6 @@ void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata)
|
||||
list_move_tail(&roc->list, &tmp_list);
|
||||
roc->abort = true;
|
||||
}
|
||||
|
||||
ieee80211_start_next_roc(local);
|
||||
mutex_unlock(&local->mtx);
|
||||
|
||||
list_for_each_entry_safe(roc, tmp, &tmp_list, list) {
|
||||
|
@ -985,15 +985,18 @@ static void nfc_llcp_recv_hdlc(struct nfc_llcp_local *local,
|
||||
/* Remove skbs from the pending queue */
|
||||
if (llcp_sock->send_ack_n != nr) {
|
||||
struct sk_buff *s, *tmp;
|
||||
u8 n;
|
||||
|
||||
llcp_sock->send_ack_n = nr;
|
||||
|
||||
/* Remove and free all skbs until ns == nr */
|
||||
skb_queue_walk_safe(&llcp_sock->tx_pending_queue, s, tmp) {
|
||||
n = nfc_llcp_ns(s);
|
||||
|
||||
skb_unlink(s, &llcp_sock->tx_pending_queue);
|
||||
kfree_skb(s);
|
||||
|
||||
if (nfc_llcp_ns(s) == nr)
|
||||
if (n == nr)
|
||||
break;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user