summaryrefslogtreecommitdiffstats
path: root/net/wireless/nl80211.c
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2014-01-22 11:14:18 +0200
committerJohannes Berg <johannes.berg@intel.com>2014-02-06 09:55:19 +0100
commita617302c531eaf497ccd02a61d380efc119ba999 (patch)
tree823c1fcd1eee75b502a5ac2181481841a702778b /net/wireless/nl80211.c
parent8ffcc704c963b4157391bd87a4544cdfd18b574d (diff)
downloadlinux-a617302c531eaf497ccd02a61d380efc119ba999.tar.bz2
cfg80211: fix scan done race
When an interface/wdev is removed, any ongoing scan should be cancelled by the driver. This will make it call cfg80211, which only queues a work struct. If interface/wdev removal is quick enough, this can leave the scan request pending and processed only after the interface is gone, causing a use-after-free. Fix this by making sure the scan request is not pending after the interface is destroyed. We can't flush or cancel the work item due to locking concerns, but when it'll run it shouldn't find anything to do. This leaves a potential issue, if a new scan gets requested before the work runs, it prematurely stops the running scan, potentially causing another crash. I'll fix that in the next patch. This was particularly observed with P2P_DEVICE wdevs, likely because freeing them is quicker than freeing netdevs. Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Fixes: 4a58e7c38443 ("cfg80211: don't "leak" uncompleted scans") Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/nl80211.c')
0 files changed, 0 insertions, 0 deletions