From patchwork Fri Sep 24 09:20:47 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Johannes Berg <johannes@sipsolutions.net>
X-Patchwork-Id: 204002
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id o8O9Kqx8006285
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri, 24 Sep 2010 09:20:52 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754449Ab0IXJUv (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Fri, 24 Sep 2010 05:20:51 -0400
Received: from he.sipsolutions.net ([78.46.109.217]:42406 "EHLO
	sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752897Ab0IXJUu (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Fri, 24 Sep 2010 05:20:50 -0400
Received: by sipsolutions.net with esmtpsa
	(TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72)
	(envelope-from <johannes@sipsolutions.net>)
	id 1Oz4SW-000398-HI; Fri, 24 Sep 2010 11:20:48 +0200
Subject: [PATCH wireless-2.6] mac80211: fix use-after-free
From: Johannes Berg <johannes@sipsolutions.net>
To: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Cc: John Linville <linville@tuxdriver.com>
Date: Fri, 24 Sep 2010 11:20:47 +0200
Message-ID: <1285320047.3699.2.camel@jlt3.sipsolutions.net>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.3 
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by
	milter-greylist-4.2.3 (demeter1.kernel.org [140.211.167.41]);
	Fri, 24 Sep 2010 09:20:52 +0000 (UTC)


--- iwlwifi-jo.orig/net/mac80211/rx.c	2010-09-24 11:13:33.000000000 +0200
+++ iwlwifi-jo/net/mac80211/rx.c	2010-09-24 11:14:28.000000000 +0200
@@ -2199,9 +2199,6 @@ static void ieee80211_rx_cooked_monitor(
 	struct net_device *prev_dev = NULL;
 	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
 
-	if (status->flag & RX_FLAG_INTERNAL_CMTR)
-		goto out_free_skb;
-
 	if (skb_headroom(skb) < sizeof(*rthdr) &&
 	    pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
 		goto out_free_skb;
@@ -2260,7 +2257,6 @@ static void ieee80211_rx_cooked_monitor(
 	} else
 		goto out_free_skb;
 
-	status->flag |= RX_FLAG_INTERNAL_CMTR;
 	return;
 
  out_free_skb: