From e85962926afac94c74d73a2332a8b7a42d3018a2 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@openwrt.org>
Date: Mon, 27 Aug 2012 12:23:25 +0000
Subject: [PATCH] mac80211: fix a crash on accessing stale skb->dev references

SVN-Revision: 33279
---
 .../580-mac80211_tx_status_crash.patch        | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 package/mac80211/patches/580-mac80211_tx_status_crash.patch

diff --git a/package/mac80211/patches/580-mac80211_tx_status_crash.patch b/package/mac80211/patches/580-mac80211_tx_status_crash.patch
new file mode 100644
index 0000000000..abcf56e1d5
--- /dev/null
+++ b/package/mac80211/patches/580-mac80211_tx_status_crash.patch
@@ -0,0 +1,32 @@
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -517,6 +517,8 @@ void ieee80211_tx_status(struct ieee8021
+ 
+ 	if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
+ 		u64 cookie = (unsigned long)skb;
++		bool found = false;
++
+ 		acked = info->flags & IEEE80211_TX_STAT_ACK;
+ 
+ 		/*
+@@ -524,8 +526,18 @@ void ieee80211_tx_status(struct ieee8021
+ 		 * we cannot use skb->dev->ieee80211_ptr
+ 		 */
+ 
+-		if (ieee80211_is_nullfunc(hdr->frame_control) ||
+-		    ieee80211_is_qos_nullfunc(hdr->frame_control))
++		list_for_each_entry_rcu(sdata, &local->interfaces, list) {
++			if (skb->dev != sdata->dev)
++				continue;
++
++			found = true;
++			break;
++		}
++
++		if (!found)
++			skb->dev = NULL;
++		else if (ieee80211_is_nullfunc(hdr->frame_control) ||
++			 ieee80211_is_qos_nullfunc(hdr->frame_control))
+ 			cfg80211_probe_status(skb->dev, hdr->addr1,
+ 					      cookie, acked, GFP_ATOMIC);
+ 		else
-- 
2.30.2