On Sat, 2007-08-18 at 15:13 -0500, Larry Finger wrote:
> The rest of the call trace is available if needed. The crash occurred when
> ieee80211_key_free was trying to unlock the mutex key_idx. I added printk's to
> dump the pointer to sdata at the point where that mutex is initialized and
> where the key is freed. The mutex that errs was inited.
Ho humm, yes, I'm dumb, patch below but I'll fold it into my key patch.
Sorry about that, classic use-after-free condition here.
johannes
--- wireless-dev.orig/net/mac80211/key.c 2007-08-20 14:07:43.165963896
+0200
+++ wireless-dev/net/mac80211/key.c 2007-08-20 14:08:04.265963896 +0200
@@ -255,12 +255,16 @@ static void __ieee80211_key_free(struct
void ieee80211_key_free(struct ieee80211_key *key)
{
+ struct ieee80211_sub_if_data *sdata;
+
if (!key)
return;
- mutex_lock(&key->sdata->key_mtx);
+ sdata = key->sdata;
+
+ mutex_lock(&sdata->key_mtx);
__ieee80211_key_free(key);
- mutex_unlock(&key->sdata->key_mtx);
+ mutex_unlock(&sdata->key_mtx);
}
void ieee80211_set_default_key(struct ieee80211_sub_if_data *sdata, int idx)
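Review bot: the new `sdata` local is the whole fix, but nothing in the hunk says why it exists: `__ieee80211_key_free(key)` releases `key`, so the old `mutex_unlock(&key->sdata->key_mtx)` dereferenced freed memory, and the saved pointer is what makes `mutex_unlock(&sdata->key_mtx)` safe. Add a one-line comment above `sdata = key->sdata;` (e.g. "key is freed below, keep sdata to unlock") so a later cleanup does not fold it back into `key->sdata`. The fix also relies on `sdata` outliving the key across the free; that invariant is not visible in this hunk and would be worth stating in the comment or the commit message.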
_______________________________________________
Bcm43xx-dev mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev