qcacmn: Use after free when clean up scan queue

When invoked wlan_cfg80211_cleanup_scan_queue, it will try to clean up pending scan requests in queue from kernel. However, when the netdevice is down, this request could be already freed by kernel. To fix this issue, also add the pointer to netdevice in scan_req so what we can check the status of netdevice in scan_req instead of cfg80211_scan_request which might already be freed for this case. Change-Id: I6189c52b638bc4f408e4d4c694c178c7d2f3de52 CRs-Fixed: 2164404
2018-01-02 16:21:45 +08:00
parent 2280e86440
commit a00b71b980
2 changed files with 27 additions and 22 deletions
--- a/os_if/linux/scan/inc/wlan_cfg80211_scan.h
+++ b/os_if/linux/scan/inc/wlan_cfg80211_scan.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -103,6 +103,7 @@ enum scan_source {
 * @scan_request: scan request holder
 * @scan_id: scan identifier used across host layers which is generated at WMI
 * @source: scan request originator (NL/Vendor scan)
+ * @dev: net device (same as what is in scan_request)
 *
 * Scan request linked list element
 */
@@ -111,6 +112,7 @@ struct scan_req {
 	struct cfg80211_scan_request *scan_request;
 	uint32_t scan_id;
 	uint8_t source;
+	struct net_device *dev;
 };

 /**