aboutsummaryrefslogtreecommitdiffstats
path: root/net/wireless/scan.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes@sipsolutions.net>2009-08-20 21:36:16 +0200
committerJohn W. Linville <linville@tuxdriver.com>2009-08-28 14:40:25 -0400
commit01a0ac417ce9b4f1216a266f2fd454cffefc5aee (patch)
tree3bc13cf46eebc77a44e65b16132d26f71b131f50 /net/wireless/scan.c
parent40ba60ddfeff8ef42fb33c0bdacfbb5f83e96b32 (diff)
downloadkernel_samsung_tuna-01a0ac417ce9b4f1216a266f2fd454cffefc5aee.zip
kernel_samsung_tuna-01a0ac417ce9b4f1216a266f2fd454cffefc5aee.tar.gz
kernel_samsung_tuna-01a0ac417ce9b4f1216a266f2fd454cffefc5aee.tar.bz2
cfg80211: check lost scans later, fix bug
When we lose a scan, cfg80211 tries to clean up after the driver. However, it currently does this too early, it does this in GOING_DOWN already instead of DOWN, so it may happen with mac80211. Besides fixing this, also make it more robust by leaking the scan request so if the driver later actually finishes the scan, it won't crash. Also check in ___cfg80211_scan_done whether a scan request is still pending and exit if not. Reported-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Tested-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/wireless/scan.c')
-rw-r--r--net/wireless/scan.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index fe575a2..7043de6 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -18,7 +18,7 @@
#define IEEE80211_SCAN_RESULT_EXPIRE (15 * HZ)
-void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev)
+void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, bool leak)
{
struct cfg80211_scan_request *request;
struct net_device *dev;
@@ -26,8 +26,13 @@ void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev)
union iwreq_data wrqu;
#endif
+ ASSERT_RDEV_LOCK(rdev);
+
request = rdev->scan_req;
+ if (!request)
+ return;
+
dev = request->dev;
/*
@@ -53,7 +58,17 @@ void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev)
dev_put(dev);
rdev->scan_req = NULL;
- kfree(request);
+
+ /*
+ * OK. If this is invoked with "leak" then we can't
+ * free this ... but we've cleaned it up anyway. The
+ * driver failed to call the scan_done callback, so
+ * all bets are off, it might still be trying to use
+ * the scan request or not ... if it accesses the dev
+ * in there (it shouldn't anyway) then it may crash.
+ */
+ if (!leak)
+ kfree(request);
}
void __cfg80211_scan_done(struct work_struct *wk)
@@ -64,7 +79,7 @@ void __cfg80211_scan_done(struct work_struct *wk)
scan_done_wk);
cfg80211_lock_rdev(rdev);
- ___cfg80211_scan_done(rdev);
+ ___cfg80211_scan_done(rdev, false);
cfg80211_unlock_rdev(rdev);
}