android_kernel_xiaomi_sm8350/net
Christian Lamparter 9e81eccf19 cfg80211: double free in __cfg80211_scan_done
This patch fixes a double free corruption in __cfg80211_scan_done:

 ================================================
 BUG kmalloc-512: Object already free
 ------------------------------------------------

 INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
 INFO: Freed in load_elf_binary+0x104e/0x19af age=5
 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488

 Bytes b4 0xffff88007e8a9908:  00 00 00 00 00 00 00 00 5a 5a
 [...]
 Pid: 28705, comm: rmmod Tainted: P         C 2.6.31-rc2-wl #1
 Call Trace:
  [<ffffffff810da9f4>] print_trailer+0x14e/0x16e
  [<ffffffff810daa56>] object_err+0x42/0x61
  [<ffffffff810dbcd9>] __slab_free+0x2af/0x396
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffff810dd5e3>] kfree+0x13c/0x17a
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
  [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
  [...]
 FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed

The code path which leads to the *funny* double free:

       request = rdev->scan_req;
       dev = dev_get_by_index(&init_net, request->ifidx);
	/*
	 * the driver was unloaded recently and
	 * therefore dev_get_by_index will return NULL!
	 */
        if (!dev)
                goto out;
	[...]
	rdev->scan_req = NULL; /* not executed... */
	[...]
 out:
        kfree(request);

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:44 -04:00
..
9p net/9p: Fix crash due to bad mount parameters. 2009-07-02 13:17:01 -07:00
802 net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
8021q 8021q: Vlan driver should use rcu_barrier() on unload instead of syncronize_net() 2009-06-10 01:11:22 -07:00
appletalk net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
atm net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
ax25 net: Move rx skb_orphan call to where needed 2009-06-23 16:36:25 -07:00
bluetooth net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
bridge bridge: Use rcu_barrier() instead of syncronize_net() on unload. 2009-06-26 13:51:32 -07:00
can net/can: add module alias to can protocol drivers 2009-07-15 11:20:38 -07:00
core Fix error return for setsockopt(SO_TIMESTAMPING) 2009-07-20 08:23:36 -07:00
dcb
dccp net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
decnet decnet: Use rcu_barrier() on module unload. 2009-06-26 13:51:27 -07:00
dsa dsa: fix 88e6xxx statistics counter snapshotting 2009-07-05 18:03:35 -07:00
econet net: sk_wmem_alloc has initial value of one, not zero 2009-06-17 04:31:25 -07:00
ethernet net: remove COMPAT_NET_DEV_OPS 2009-05-25 01:53:53 -07:00
ieee802154 nl802154: add module license and description 2009-06-29 18:20:28 +04:00
ipv4 tcp: Use correct peer adr when copying MD5 keys 2009-07-20 07:49:08 -07:00
ipv6 tcp: Use correct peer adr when copying MD5 keys 2009-07-20 07:49:08 -07:00
ipx net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
irda net: Move rx skb_orphan call to where needed 2009-06-23 16:36:25 -07:00
iucv net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
key net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
lapb
llc net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
mac80211 mac80211: use correct address for mesh Path Error 2009-07-21 12:07:40 -04:00
netfilter netfilter: nf_conntrack: nf_conntrack_alloc() fixes 2009-07-16 14:03:40 +02:00
netlabel netlabel: Use genl_register_family_with_ops() 2009-05-21 16:50:24 -07:00
netlink net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
netrom net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
packet net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
phonet Phonet: generate Netlink RTM_DELADDR when destroying a device 2009-06-25 02:58:16 -07:00
rds Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-05-18 21:08:20 -07:00
rfkill rfkill: fix rfkill_set_states() to set the hw state 2009-07-21 12:07:38 -04:00
rose net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
rxrpc net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
sched net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
sctp sctp: fix warning at inet_sock_destruct() while release sctp socket 2009-07-06 12:47:08 -07:00
sunrpc sunrpc: Use rcu_barrier() on unload. 2009-06-26 13:51:34 -07:00
tipc tipc: Use genl_register_family_with_ops() 2009-05-21 16:50:23 -07:00
unix net: adding memory barrier to the poll and receive callbacks 2009-07-09 17:06:57 -07:00
wanrouter
wimax wimax: fix warning caused by not checking retval of rfkill_set_hw_state() 2009-06-11 11:12:48 -07:00
wireless cfg80211: double free in __cfg80211_scan_done 2009-07-21 12:07:44 -04:00
x25 net: correct off-by-one write allocations reports 2009-06-18 00:29:12 -07:00
xfrm xfrm: use xfrm_addr_cmp() instead of compare addresses directly 2009-06-29 19:41:46 -07:00
compat.c
Kconfig net: add IEEE 802.15.4 socket family implementation 2009-06-09 05:25:32 -07:00
Makefile net: add IEEE 802.15.4 socket family implementation 2009-06-09 05:25:32 -07:00
nonet.c
socket.c
sysctl_net.c
TUNABLE