From: dfilter@FreeBSD.ORG (dfilter service)
To: freebsd-wireless@FreeBSD.org
Date: Fri, 10 May 2013 09:40:01 GMT
Subject: Re: kern/178470: commit references a PR

The following reply was made to PR kern/178470; it has been noted by GNATS.
From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: kern/178470: commit references a PR Date: Fri, 10 May 2013 09:38:06 +0000 (UTC) Author: adrian Date: Fri May 10 09:37:58 2013 New Revision: 250442 URL: http://svnweb.freebsd.org/changeset/base/250442 Log: Fix a VAP BSS node reference in the HT code to actually take a reference before using said node. The "blessed" way here is to take a node reference before referencing anything inside the node, otherwise the node can be freed between the time the pointer is copied/dereferenced and the time the node contents are used. This mirrors fixes that I've done elsewhere in the net80211/driver stack. PR: kern/178470 Modified: head/sys/net80211/ieee80211_ht.c Modified: head/sys/net80211/ieee80211_ht.c ============================================================================== --- head/sys/net80211/ieee80211_ht.c Fri May 10 08:46:10 2013 (r250441) +++ head/sys/net80211/ieee80211_ht.c Fri May 10 09:37:58 2013 (r250442) @@ -2773,11 +2773,15 @@ ieee80211_ht_update_beacon(struct ieee80 struct ieee80211_beacon_offsets *bo) { #define PROTMODE (IEEE80211_HTINFO_OPMODE|IEEE80211_HTINFO_NONHT_PRESENT) - const struct ieee80211_channel *bsschan = vap->iv_bss->ni_chan; + struct ieee80211_node *ni; + const struct ieee80211_channel *bsschan; struct ieee80211com *ic = vap->iv_ic; struct ieee80211_ie_htinfo *ht = (struct ieee80211_ie_htinfo *) bo->bo_htinfo; + ni = ieee80211_ref_node(vap->iv_bss); + bsschan = ni->ni_chan; + /* XXX only update on channel change */ ht->hi_ctrlchannel = ieee80211_chan2ieee(ic, bsschan); if (vap->iv_flags_ht & IEEE80211_FHT_RIFS) 
@@ -2796,6 +2800,8 @@ ieee80211_ht_update_beacon(struct ieee80 /* protection mode */ ht->hi_byte2 = (ht->hi_byte2 &~ PROTMODE) | ic->ic_curhtprotmode; + ieee80211_free_node(ni); + /* XXX propagate to vendor ie's */ #undef PROTMODE } _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
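Review bot: In the first hunk (@@ -2773,11 +2773,15 @@), `ni = ieee80211_ref_node(vap->iv_bss);` still loads vap->iv_bss before the reference count is raised, so the window described in the log message is narrowed rather than closed unless the caller holds a lock that keeps iv_bss from being replaced or freed at that moment. Nothing in the visible lines takes or asserts such a lock. If one is held on this path, a lock assertion or a one-line comment above the call would document the assumption; if not, the pointer load and the reference need to happen together under whatever protects iv_bss.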
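Review bot: In the second hunk (@@ -2796,6 +2800,8 @@), `ieee80211_free_node(ni);` sits above the `/* XXX propagate to vendor ie's */` placeholder, so code later added at that marker would run after the reference is dropped while `bsschan`, which is borrowed from `ni->ni_chan`, is still in scope. Consider making the release the last statement before `#undef PROTMODE`, or add a comment that neither `ni` nor `bsschan` may be used past this point. The lines between the two hunks are not shown here; any return path in that region would also need to release `ni`.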