From 8713a7ccd88d93d9f8a72436088d6627c82490db Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 14 Oct 2008 23:57:43 +0200 Subject: [PATCH] rt2x00: fix regression introduced by "mac80211: free up 2 bytes in skb->cb" The hw_key pointer is used (and obviously NULL) after skb->cb is memset to 0. This patch grabs the iv_len before the memset call. Signed-off-by: Felix Fietkau Signed-off-by: Stephen Blackheath Acked-by: Johannes Berg Signed-off-by: John W. Linville --- drivers/net/wireless/rt2x00/rt2x00queue.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c index 1676ac484790..451d410ecdae 100644 --- a/drivers/net/wireless/rt2x00/rt2x00queue.c +++ b/drivers/net/wireless/rt2x00/rt2x00queue.c @@ -374,7 +374,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb) struct queue_entry *entry = rt2x00queue_get_entry(queue, Q_INDEX); struct txentry_desc txdesc; struct skb_frame_desc *skbdesc; - unsigned int iv_len; + unsigned int iv_len = 0; if (unlikely(rt2x00queue_full(queue))) return -EINVAL; @@ -395,6 +395,9 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb) entry->skb = skb; rt2x00queue_create_tx_descriptor(entry, &txdesc); + if (IEEE80211_SKB_CB(skb)->control.hw_key != NULL) + iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len; + /* * All information is retreived from the skb->cb array, * now we should claim ownership of the driver part of that @@ -410,9 +413,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb) * the frame so we can provide it to the driver seperately. */ if (test_bit(ENTRY_TXD_ENCRYPT, &txdesc.flags) && - !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags) && - (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)) { - iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len; + !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags)) { rt2x00crypto_tx_remove_iv(skb, iv_len); } -- 2.20.1