A single fix to avoid loading an skb->cb pointer too early.

-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJYamWkAAoJEGt7eEactAAdVHwP/j12GsQyQQtJdGWW5e/mS5LD
 UMgPH93VQeSbSCobu2ik3zPQCB0A1k6RlOdeeoD+wnI6FDWQ7S5bkQCLJX1d4dJW
 XwAPTUoZaZ0Q50ETENtICs6eB+qq/F04+a+QGdISJTJhsUxOkmHeCnMh9veOcyEy
 qr+zXAMjwlCujk2Hye5kMh6dbYWVy2CoByCLp054OSPipXZgQKzME+YPaLZjSq85
 +/kC3IGKafrAkMPbZLbcXWuUOvdHqrmvC79xF/BfLpB7tKQyPVksnB294ptylAKa
 1XHDCKN8j/iVpNcAz4LBsFNz9aySRWwy3vdmpUKXo2wCV8LaGUAppALnlzeHnPWD
 6vJ0MfuaV5kEve6EBQOmnMR8sgaQzZd+zXush9Jk4V+vf85d6+URVdeV41fQQy7D
 9SpwbupbUEiYwqyAdT2xPjAIXijUmuLAAnX/h4LbuEM0YVWlhXD8KlMWLBmd6+2x
 WMKxygnzeEiYC3rEmcx4fcpw+62bpj7NpkfBRdoR/Zr8zqiW1lRPcjNXtycjpDan
 iQSqsEhAKwgadDitghxNgItX/ihu4rleyPovy2dElEP/CANtlPMUglMNmIUfmnGc
 D3tCIjqCWgbU9CHVZHfxr9mt/5XcbcDoU7TDSQboQTt80bqiaAqj8ZL03/ZUnVj6
 jzmNxfgm+GQq/GeU9dDl
 =EkBc
 -----END PGP SIGNATURE-----

Merge tag 'mac80211-for-davem-2017-01-02' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
A single fix to avoid loading an skb->cb pointer too early.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

net/mac80211/tx.c

@@ -3287,7 +3287,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
 	int extra_head = fast_tx->hdr_len - (ETH_HLEN - 2);
 	int hw_headroom = sdata->local->hw.extra_tx_headroom;
 	struct ethhdr eth;
-	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+	struct ieee80211_tx_info *info;
 	struct ieee80211_hdr *hdr = (void *)fast_tx->hdr;
 	struct ieee80211_tx_data tx;
 	ieee80211_tx_result r;
@@ -3351,6 +3351,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
 	memcpy(skb->data + fast_tx->da_offs, eth.h_dest, ETH_ALEN);
 	memcpy(skb->data + fast_tx->sa_offs, eth.h_source, ETH_ALEN);
 
+	info = IEEE80211_SKB_CB(skb);
 	memset(info, 0, sizeof(*info));
 	info->band = fast_tx->band;
 	info->control.vif = &sdata->vif;