    cfg80211: fix scan done race · a617302c
    Johannes Berg authored
    When an interface/wdev is removed, any ongoing scan should be
    cancelled by the driver. This will make it call cfg80211, which
    only queues a work struct. If interface/wdev removal is quick
    enough, this can leave the scan request pending and processed
    only after the interface is gone, causing a use-after-free.
    
    Fix this by making sure the scan request is not pending after
    the interface is destroyed. We can't flush or cancel the work
    item due to locking concerns, but when it'll run it shouldn't
    find anything to do. This leaves a potential issue: if a new
    scan gets requested before the work runs, it prematurely stops
    the running scan, potentially causing another crash. I'll fix
    that in the next patch.
    
    This was particularly observed with P2P_DEVICE wdevs, likely
    because freeing them is quicker than freeing netdevs.
    Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
    Fixes: 4a58e7c3 ("cfg80211: don't "leak" uncompleted scans")
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
core.c 25.5 KB