cfg80211: fix locking in action frame TX

Accesses to "wdev->current_bss" must be
locked with the wdev lock, which action
frame transmission is missing.

Cc: stable@kernel.org [2.6.33+]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index e74a1a2..d1a3fb9 100644 (file)
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -843,13 +843,19 @@ int cfg80211_mlme_action(struct cfg80211_registered_device *rdev,
                return -EINVAL;
        if (mgmt->u.action.category != WLAN_CATEGORY_PUBLIC) {
                /* Verify that we are associated with the destination AP */
+               wdev_lock(wdev);
+
                if (!wdev->current_bss ||
                    memcmp(wdev->current_bss->pub.bssid, mgmt->bssid,
                           ETH_ALEN) != 0 ||
                    (wdev->iftype == NL80211_IFTYPE_STATION &&
                     memcmp(wdev->current_bss->pub.bssid, mgmt->da,
-                           ETH_ALEN) != 0))
+                           ETH_ALEN) != 0)) {
+                       wdev_unlock(wdev);
                        return -ENOTCONN;
+               }
+
+               wdev_unlock(wdev);
        }
 
        if (memcmp(mgmt->sa, dev->dev_addr, ETH_ALEN) != 0)