mac80211: fix ieee80211_get_buffered_bc
authorTomas Winkler <tomas.winkler@intel.com>
Tue, 27 May 2008 14:50:51 +0000 (17:50 +0300)
committerJohn W. Linville <linville@tuxdriver.com>
Tue, 3 Jun 2008 19:00:16 +0000 (15:00 -0400)
fix bss not initialized in ieee80211_get_buffered_bc
and unbalanced locking

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/mac80211/tx.c

index dac44cbd036fef629616241e46d234c69532cec7..16af30811f988dddf164b9003c303f7b6778876b 100644 (file)
@@ -1947,7 +1947,7 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
                          struct ieee80211_vif *vif)
 {
        struct ieee80211_local *local = hw_to_local(hw);
-       struct sk_buff *skb;
+       struct sk_buff *skb = NULL;
        struct sta_info *sta;
        ieee80211_tx_handler *handler;
        struct ieee80211_tx_data tx;
@@ -1960,7 +1960,7 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
 
        sdata = vif_to_sdata(vif);
        bdev = sdata->dev;
-
+       bss = &sdata->u.ap;
 
        if (!bss)
                return NULL;
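Review bot: The `if (!bss)` test after the new `bss = &sdata->u.ap;` assignment can never fire, because the address of a member of `sdata` is never NULL, so it no longer guards anything. What decides whether `u.ap` is meaningful is the interface type, and that is only tested in the next hunk, after `rcu_dereference(bss->beacon)` has already read from `u.ap`. If `u` is a union (its declaration is not visible here), that load interprets another interface type's storage as a beacon pointer, although the short-circuit order of the later condition keeps `beacon->head` from being dereferenced in that case. I would replace the dead test with `if (sdata->vif.type != IEEE80211_IF_TYPE_AP) return NULL;` ahead of `rcu_read_lock()` and drop the type term from the later condition. The function body starts and ends outside this hunk.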
@@ -1968,19 +1968,16 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
        rcu_read_lock();
        beacon = rcu_dereference(bss->beacon);
 
-       if (sdata->vif.type != IEEE80211_IF_TYPE_AP || !beacon ||
-           !beacon->head) {
-               rcu_read_unlock();
-               return NULL;
-       }
+       if (sdata->vif.type != IEEE80211_IF_TYPE_AP || !beacon || !beacon->head)
+               goto out;
 
        if (bss->dtim_count != 0)
-               return NULL; /* send buffered bc/mc only after DTIM beacon */
+               goto out; /* send buffered bc/mc only after DTIM beacon */
 
        while (1) {
                skb = skb_dequeue(&bss->ps_bc_buf);
                if (!skb)
-                       return NULL;
+                       goto out;
                local->total_ps_buffered--;
 
                if (!skb_queue_empty(&bss->ps_bc_buf) && skb->len >= 2) {
@@ -2023,6 +2020,7 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
                skb = NULL;
        }
 
+out:
        rcu_read_unlock();
 
        return skb;