linux-hardened/net/wireless
Eliad Peller 4a58e7c384 cfg80211: don't "leak" uncompleted scans
___cfg80211_scan_done() can be called in some cases
(e.g. on NETDEV_DOWN) before the low level driver
notified scan completion (which is indicated by
passing leak=true).

Clearing rdev->scan_req in this case is buggy, as
scan_done_wk might have already being queued/running
(and can't be flushed as it takes rtnl()).

If a new scan will be requested at this stage, the
scan_done_wk will try freeing it (instead of the
previous scan), and this will later result in
a use after free.

Simply remove the "leak" option, and replace it with
a standard WARN_ON.

An example backtrace after such crash:
Unable to handle kernel paging request at virtual address fffffee5
pgd = c0004000
[fffffee5] *pgd=9fdf6821, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] SMP ARM
PC is at cfg80211_scan_done+0x28/0xc4 [cfg80211]
LR is at __ieee80211_scan_completed+0xe4/0x2dc [mac80211]
[<bf0077b0>] (cfg80211_scan_done+0x28/0xc4 [cfg80211])
[<bf0973d4>] (__ieee80211_scan_completed+0xe4/0x2dc [mac80211])
[<bf0982cc>] (ieee80211_scan_work+0x94/0x4f0 [mac80211])
[<c005fd10>] (process_one_work+0x1b0/0x4a8)
[<c0060404>] (worker_thread+0x138/0x37c)
[<c0066d70>] (kthread+0xa4/0xb0)

Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-12-05 19:06:47 +01:00
..
.gitignore
ap.c cfg80211: move exported event functions into nl80211 2013-03-06 16:35:46 +01:00
chan.c cfg80211: allow beaconing after DFS CAC 2013-11-25 20:50:49 +01:00
core.c cfg80211: don't "leak" uncompleted scans 2013-12-05 19:06:47 +01:00
core.h cfg80211: don't "leak" uncompleted scans 2013-12-05 19:06:47 +01:00
db.txt
debugfs.c mac80211: fix some snprintf misuses 2013-10-01 12:16:51 +02:00
debugfs.h
ethtool.c ethtool: fix drvinfo strings set in drivers 2013-01-06 21:06:31 -08:00
ethtool.h
genregdb.awk cfg80211: fix parsing when db.txt ends on a rule 2013-11-25 20:50:58 +01:00
ibss.c cfg80211: consolidate passive-scan and no-ibss flags 2013-11-25 20:49:35 +01:00
Kconfig lib80211: hide Kconfig symbol 2012-11-16 14:29:09 -05:00
lib80211.c lib80211: remove exports for functions not called by other modules 2011-08-09 15:42:36 -04:00
lib80211_crypt_ccmp.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
lib80211_crypt_tkip.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
lib80211_crypt_wep.c hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
Makefile cfg80211: add tracing to rdev-ops 2012-10-18 10:53:37 +02:00
mesh.c nl80211: allow the use of DFS channel in mesh 2013-12-04 09:12:10 +01:00
mlme.c cfg80211: aggregate mgmt_tx parameters into a struct 2013-12-02 11:51:52 +01:00
nl80211.c cfg80211: in bitrate_mask, rename mcs to ht_mcs 2013-12-05 16:39:07 +01:00
nl80211.h cfg80211/mac80211: DFS setup chandef for cac event 2013-11-25 20:50:46 +01:00
radiotap.c wireless: radiotap: fix parsing buffer overrun 2013-10-14 09:47:00 +02:00
rdev-ops.h cfg80211: aggregate mgmt_tx parameters into a struct 2013-12-02 11:51:52 +01:00
reg.c cfg80211: add reg_get_dfs_region() 2013-12-03 13:53:40 +01:00
reg.h cfg80211: add reg_get_dfs_region() 2013-12-03 13:53:40 +01:00
regdb.h cfg80211: relicense reg.c reg.h and genregdb.awk to ISC 2012-01-04 14:30:41 -05:00
scan.c cfg80211: don't "leak" uncompleted scans 2013-12-05 19:06:47 +01:00
sme.c cfg80211: rename regulatory_hint_11d() to regulatory_hint_country_ie() 2013-10-09 09:37:57 +02:00
sysfs.c net: wireless: convert class code to use dev_groups 2013-07-25 16:34:40 -07:00
sysfs.h
trace.c cfg80211: add tracing to rdev-ops 2012-10-18 10:53:37 +02:00
trace.h cfg80211: aggregate mgmt_tx parameters into a struct 2013-12-02 11:51:52 +01:00
util.c nl80211/cfg80211: enable DFS for IBSS mode 2013-10-28 15:05:21 +01:00
wext-compat.c cfg80211: vastly simplify locking 2013-05-25 00:02:15 +02:00
wext-compat.h cfg80211: remove unused wext handler exports 2011-08-08 14:26:29 -04:00
wext-core.c wext: include wireless event id when it has a size problem 2012-09-05 16:12:44 +02:00
wext-priv.c wext: fix potential private ioctl memory content leak 2010-09-20 13:41:40 -04:00
wext-proc.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
wext-sme.c cfg80211: separate internal SME implementation 2013-06-04 13:03:11 +02:00
wext-spy.c wireless: Convert compare_ether_addr to ether_addr_equal 2012-05-09 20:49:19 -04:00