From 1aeb05f8743aac5eb696432fa9a23b30e35649a4 Mon Sep 17 00:00:00 2001
From: Yuseok Kim
Date: Mon, 27 Aug 2018 16:33:25 +0900
Subject: [PATCH] [9610] wlbt: Fix skb pointer exception

In order to prevent access to skb->len after mem allocation has been released, tx_bytes data is stored before slsi_mlme_send_frame_data()i is called.

Change-Id: Ib7e32959c921b843180c7c6563ef57d7105f48b6
---
 drivers/net/wireless/scsc/tx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/scsc/tx.c b/drivers/net/wireless/scsc/tx.c
index 73c42fbf347f..431521777434 100755
--- a/drivers/net/wireless/scsc/tx.c
+++ b/drivers/net/wireless/scsc/tx.c
@@ -36,6 +36,7 @@ static int slsi_tx_eapol(struct slsi_dev *sdev, struct net_device *dev, struct s
 u16 proto = ntohs(skb->protocol);
 int ret = 0;
 u32 dwell_time = sdev->fw_dwell_time;
+ u64 tx_bytes_tmp = 0;
 slsi_spinlock_lock(&ndev_vif->peer_lock);
 peer = slsi_get_peer_from_mac(sdev, dev, eth_hdr(skb)->h_dest);
@@ -85,10 +86,11 @@ static int slsi_tx_eapol(struct slsi_dev *sdev, struct net_device *dev, struct s
 }
 /* EAPOL/WAI frames are send via the MLME */
+ tx_bytes_tmp = skb->len; // len copy to avoid null pointer of skb
 ret = slsi_mlme_send_frame_data(sdev, dev, skb, msg_type, 0, dwell_time, 0);
 if (!ret) {
 peer->sinfo.tx_packets++;
- peer->sinfo.tx_bytes += skb->len;
+ peer->sinfo.tx_bytes += tx_bytes_tmp; //skb->len;
 }
 slsi_spinlock_unlock(&ndev_vif->peer_lock);
 return ret;
--
2.20.1
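Review bot: The comment on the added `tx_bytes_tmp = skb->len;` line in the second hunk says it avoids a null pointer, but the commit description gives the hazard as reading `skb->len` after the skb's memory has been released, which is a use-after-free. The pointer is not NULL at that point, so the comment will mislead anyone auditing this path later. I would word it as `tx_bytes_tmp = skb->len; /* skb may already be freed when slsi_mlme_send_frame_data() returns */` and drop the leftover `//skb->len;` so the accounting line reads `peer->sinfo.tx_bytes += tx_bytes_tmp;`. slsi_tx_eapol() starts and ends outside both hunks, so any other read of skb after the send call on paths not shown here would need the same treatment.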