From c3f463484bdd0acd15abd5f92399041f79592d06 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Thu, 21 Apr 2016 00:19:25 +0100 Subject: [PATCH] staging: rtl8192u: Fix crash due to pointers being "confusing" There's no net_device stashed in skb->cb, there's a net_device * there. To make it *really* clear, also change the write of the dev pointer into skb->cb from a memcpy() to an assignment. Fixes: 3fe563249374 ("staging: rtl8192u: r8192U_core.c: Cleaning up ...") Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8192u/r8192U_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c index dba52741a383..0a83e2d2eb8a 100644 --- a/drivers/staging/rtl8192u/r8192U_core.c +++ b/drivers/staging/rtl8192u/r8192U_core.c @@ -1043,7 +1043,7 @@ static void rtl8192_hard_data_xmit(struct sk_buff *skb, struct net_device *dev, spin_lock_irqsave(&priv->tx_lock, flags); - memcpy((unsigned char *)(skb->cb), &dev, sizeof(dev)); + *(struct net_device **)(skb->cb) = dev; tcb_desc->bTxEnableFwCalcDur = 1; skb_push(skb, priv->ieee80211->tx_headroom); ret = rtl8192_tx(dev, skb); @@ -1093,7 +1093,7 @@ static void rtl8192_tx_isr(struct urb *tx_urb) if (!skb) return; - dev = (struct net_device *)(skb->cb); + dev = *(struct net_device **)(skb->cb); tcb_desc = (cb_desc *)(skb->cb + MAX_DEV_ADDR_SIZE); queue_index = tcb_desc->queue_index; -- 2.20.1