From: John W. Linville <linville@redhat.com>
Date: Wed, 15 Apr 2009 14:33:30 -0400
Subject: [wireless] mac80211: avoid null deref
Message-id: 20090415183330.GB31588@redhat.com
O-Subject: [RHEL5 PATCH resend w/ extra space added...] mac80211: avoid null deref at end of ieee80211_scan_completed
Bugzilla: 482990
RH-Acked-by: David Miller <davem@redhat.com>
RH-Acked-by: Prarit Bhargava <prarit@redhat.com>

(Repost with extra space added in the relocated 'if' clause...)

The patch merged to fix bug 482990 uncovered a possible NULL pointer dereference. Luckily (for the rest of us) Lubomir hit it and suggested a fix. After some negotiation, we settled on the patch below.

BZ482990

Tested by Lubomir with positive results.

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 538f34c..b34148c 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -3868,13 +3868,15 @@ void ieee80211_scan_completed(struct ieee80211_hw *hw) rcu_read_unlock(); done: - sdata = IEEE80211_DEV_TO_SUB_IF(dev); - if (sdata->vif.type == IEEE80211_IF_TYPE_IBSS) { - struct ieee80211_if_sta *ifsta = &sdata->u.sta; - if (!(ifsta->flags & IEEE80211_STA_BSSID_SET) || - (!ifsta->state == IEEE80211_IBSS_JOINED && - !ieee80211_sta_active_ibss(dev))) - ieee80211_sta_find_ibss(dev, ifsta); + if (dev) { + sdata = IEEE80211_DEV_TO_SUB_IF(dev); + if (sdata->vif.type == IEEE80211_IF_TYPE_IBSS) { + struct ieee80211_if_sta *ifsta = &sdata->u.sta; + if (!(ifsta->flags & IEEE80211_STA_BSSID_SET) || + (!ifsta->state == IEEE80211_IBSS_JOINED && + !ieee80211_sta_active_ibss(dev))) + ieee80211_sta_find_ibss(dev, ifsta); + } } } EXPORT_SYMBOL(ieee80211_scan_completed);
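Review bot: the relocated block carries over the pre-existing precedence bug in `(!ifsta->state == IEEE80211_IBSS_JOINED && ...)`: unary `!` binds tighter than `==`, so this compares `!ifsta->state` (0 or 1) against the IEEE80211_IBSS_JOINED value instead of testing whether the station is not yet joined, and the IBSS-search branch is taken or skipped on the wrong condition. Since these lines are being re-indented anyway, the intended test is `ifsta->state != IEEE80211_IBSS_JOINED`; if that change is out of scope for an RHEL5 NULL-deref fix, it deserves a follow-up patch. Separately, the new `if (dev)` guard is the whole fix, but neither the hunk nor the commit message says which path reaches `done:` with `dev == NULL`; a one-line comment above the guard (or a sentence in the changelog) would let the next reader verify that every `goto done` site is covered rather than trusting the guard alone.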