diff options
| author | Eliad Peller <eliad@wizery.com> | 2013-12-05 18:30:17 +0200 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2013-12-05 19:06:47 +0100 |
| commit | 4a58e7c38443154fce1b47910e1a9184f65c5d72 (patch) | |
| tree | 312b02efaf0de0522cca0eebfac2b5b861430d68 /net/wireless/core.h | |
| parent | a2b70e833e189a4aefb2d3b668e3d7046dcc45c2 (diff) | |
| download | op-kernel-dev-4a58e7c38443154fce1b47910e1a9184f65c5d72.zip op-kernel-dev-4a58e7c38443154fce1b47910e1a9184f65c5d72.tar.gz | |
cfg80211: don't "leak" uncompleted scans
___cfg80211_scan_done() can be called in some cases
(e.g. on NETDEV_DOWN) before the low level driver
notified scan completion (which is indicated by
passing leak=true).
Clearing rdev->scan_req in this case is buggy, as
scan_done_wk might have already being queued/running
(and can't be flushed as it takes rtnl()).
If a new scan will be requested at this stage, the
scan_done_wk will try freeing it (instead of the
previous scan), and this will later result in
a use after free.
Simply remove the "leak" option, and replace it with
a standard WARN_ON.
An example backtrace after such crash:
Unable to handle kernel paging request at virtual address fffffee5
pgd = c0004000
[fffffee5] *pgd=9fdf6821, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] SMP ARM
PC is at cfg80211_scan_done+0x28/0xc4 [cfg80211]
LR is at __ieee80211_scan_completed+0xe4/0x2dc [mac80211]
[<bf0077b0>] (cfg80211_scan_done+0x28/0xc4 [cfg80211])
[<bf0973d4>] (__ieee80211_scan_completed+0xe4/0x2dc [mac80211])
[<bf0982cc>] (ieee80211_scan_work+0x94/0x4f0 [mac80211])
[<c005fd10>] (process_one_work+0x1b0/0x4a8)
[<c0060404>] (worker_thread+0x138/0x37c)
[<c0066d70>] (kthread+0xa4/0xb0)
Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/core.h')
| -rw-r--r-- | net/wireless/core.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/wireless/core.h b/net/wireless/core.h index ac77644..453c6ed 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -361,7 +361,7 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev, struct key_params *params, int key_idx, bool pairwise, const u8 *mac_addr); void __cfg80211_scan_done(struct work_struct *wk); -void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, bool leak); +void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev); void __cfg80211_sched_scan_results(struct work_struct *wk); int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev, bool driver_initiated); |
