android_kernel_xiaomi_sm8350/net/wireless
Christian Lamparter 9e81eccf19 cfg80211: double free in __cfg80211_scan_done
This patch fixes a double free corruption in __cfg80211_scan_done:

 ================================================
 BUG kmalloc-512: Object already free
 ------------------------------------------------

 INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
 INFO: Freed in load_elf_binary+0x104e/0x19af age=5
 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488

 Bytes b4 0xffff88007e8a9908:  00 00 00 00 00 00 00 00 5a 5a
 [...]
 Pid: 28705, comm: rmmod Tainted: P         C 2.6.31-rc2-wl #1
 Call Trace:
  [<ffffffff810da9f4>] print_trailer+0x14e/0x16e
  [<ffffffff810daa56>] object_err+0x42/0x61
  [<ffffffff810dbcd9>] __slab_free+0x2af/0x396
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffff810dd5e3>] kfree+0x13c/0x17a
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
  [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
  [...]
 FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed

The code path which leads to the *funny* double free:

       request = rdev->scan_req;
       dev = dev_get_by_index(&init_net, request->ifidx);
	/*
	 * the driver was unloaded recently and
	 * therefore dev_get_by_index will return NULL!
	 */
        if (!dev)
                goto out;
	[...]
	rdev->scan_req = NULL; /* not executed... */
	[...]
 out:
        kfree(request);

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:44 -04:00
..
core.c cfg80211: fix rfkill locking problem 2009-06-10 13:28:41 -04:00
core.h cfg80211: add rfkill support 2009-06-03 14:06:14 -04:00
debugfs.c cfg80211: add debugfs HT40 allow map 2009-05-20 14:46:23 -04:00
debugfs.h mac80211/cfg80211: move wiphy specific debugfs entries to cfg80211 2009-05-20 14:46:23 -04:00
ibss.c cfg80211: put wext data into substructure 2009-05-11 15:24:07 -04:00
Kconfig cfg80211: add rfkill support 2009-06-03 14:06:14 -04:00
lib80211_crypt_ccmp.c lib80211: silence excessive crypto debugging messages 2009-03-16 18:01:58 -04:00
lib80211_crypt_tkip.c lib80211: silence excessive crypto debugging messages 2009-03-16 18:01:58 -04:00
lib80211_crypt_wep.c
lib80211.c
Makefile mac80211/cfg80211: move wiphy specific debugfs entries to cfg80211 2009-05-20 14:46:23 -04:00
mlme.c nl80211: Add event for authentication/association timeout 2009-04-22 16:57:21 -04:00
nl80211.c nl80211: Memory leak fixed 2009-07-21 12:07:42 -04:00
nl80211.h nl80211: Add event for authentication/association timeout 2009-04-22 16:57:21 -04:00
radiotap.c
reg.c cfg80211: fix for duplicate response for driver reg request 2009-06-10 13:28:37 -04:00
reg.h cfg80211: make __regulatory_hint() static 2009-02-27 14:52:59 -05:00
scan.c cfg80211: double free in __cfg80211_scan_done 2009-07-21 12:07:44 -04:00
sysfs.c cfg80211: rename cfg80211_registered_device's idx to wiphy_idx 2009-02-27 14:52:54 -05:00
sysfs.h
util.c cfg80211: make ieee80211_get_mesh_hdrlen() static 2009-06-03 14:06:15 -04:00
wext-compat.c cfg80211: add rfkill support 2009-06-03 14:06:14 -04:00
wext.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-05-25 01:42:21 -07:00