CHROMIUM: mwifiex: Abort scan when interface is down
authorPaul Stewart <pstew@chromium.org>
Fri, 19 Oct 2012 21:51:37 +0000 (14:51 -0700)
committerGerrit <chrome-bot@google.com>
Tue, 23 Oct 2012 00:03:12 +0000 (17:03 -0700)
When the interface is marked down, scans should be aborted,
otherwise we risk memory leaks and code paths that may cause
a crash.

Signed-off-by: Paul Stewart <pstew@chromium.org>
BUG=chrome-os-partner:15390
TEST="iw mlan0 scan trigger; ifconfig mlan0 down"

Change-Id: I7a9010ce3086a19fbcd143db60dee27290f1e78b
Reviewed-on: https://gerrit.chromium.org/gerrit/36151
Reviewed-by: Bing Zhao <bzhao@marvell.com>
Reviewed-by: mukesh agrawal <quiche@chromium.org>
Commit-Ready: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
drivers/net/wireless/mwifiex/cfg80211.c
drivers/net/wireless/mwifiex/init.c
drivers/net/wireless/mwifiex/main.c
drivers/net/wireless/mwifiex/scan.c

index 9c63461..4f787b5 100644 (file)
@@ -1334,6 +1334,11 @@ mwifiex_cfg80211_scan(struct wiphy *wiphy, struct net_device *dev,
                return -EBUSY;
        }
 
+       if (priv->user_scan_cfg) {
+               dev_err(priv->adapter->dev, "cmd: Scan already in process..\n");
+               return -EBUSY;
+       }
+
        priv->user_scan_cfg = kzalloc(sizeof(struct mwifiex_user_scan_cfg),
                                      GFP_KERNEL);
        if (!priv->user_scan_cfg) {
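Review bot: The new `priv->user_scan_cfg` guard logs at `dev_err`, but the condition is reached whenever userspace requests a scan before an earlier one has been cleaned up, so repeated scan requests can fill the kernel log. The other messages this commit adds use `dev_dbg`, and the same level fits here: `dev_dbg(priv->adapter->dev, "cmd: Scan already in process..\n");`. mwifiex_cfg80211_scan starts before and continues after this hunk, so whether a lock is held around the check is not visible here.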
index 8868046..cf2c41e 100644 (file)
@@ -85,16 +85,16 @@ static void scan_delay_timer_fn(unsigned long data)
                spin_unlock_irqrestore(&adapter->mwifiex_cmd_lock, flags);
 
                if (priv->user_scan_cfg) {
-                       if (!priv->scan_request->aborted) {
+                       if (priv->scan_request) {
                                dev_dbg(priv->adapter->dev,
                                        "info: aborting scan\n");
                                cfg80211_scan_done(priv->scan_request, 1);
+                               priv->scan_request = NULL;
                        } else {
                                dev_dbg(priv->adapter->dev,
                                        "info: scan already aborted\n");
                        }
 
-                       priv->scan_request = NULL;
                        kfree(priv->user_scan_cfg);
                        priv->user_scan_cfg = NULL;
                }
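Review bot: The test of `priv->scan_request`, the `cfg80211_scan_done()` call and the `priv->scan_request = NULL` store are not atomic here: this block runs after `mwifiex_cmd_lock` has been released, and the same three-step sequence is added to mwifiex_close() in main.c and mwifiex_ret_802_11_scan() in scan.c. If the timer runs while one of those is between the test and the store, the same request can be completed twice, and cfg80211 may already have released it after the first completion. Claiming the pointer in one step closes the window at all three sites: `req = xchg(&priv->scan_request, NULL);` followed by `if (req) cfg80211_scan_done(req, 1);` (with `0` in the scan.c success path). The start of scan_delay_timer_fn is outside this hunk, so any serialization set up earlier in the function is not visible.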
index 6a3325d..a59509b 100644 (file)
@@ -447,6 +447,14 @@ mwifiex_open(struct net_device *dev)
 static int
 mwifiex_close(struct net_device *dev)
 {
+       struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
+
+       if (priv->scan_request) {
+               dev_dbg(priv->adapter->dev, "aborting scan on ndo_stop\n");
+               cfg80211_scan_done(priv->scan_request, 1);
+               priv->scan_request = NULL;
+       }
+
        return 0;
 }
 
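Review bot: mwifiex_close() completes and clears `priv->scan_request` but leaves `priv->user_scan_cfg` allocated, and with the guard this commit adds in mwifiex_cfg80211_scan() a non-NULL `user_scan_cfg` makes every later scan return -EBUSY. The buffer appears to be freed only once a later scan response reaches mwifiex_ret_802_11_scan() and arms `scan_delay_timer`; if no response arrives after the interface goes down, it stays allocated and scanning stays blocked. A comment here should state that dependency, for example `/* user_scan_cfg is released by scan_delay_timer_fn once the next scan response arrives */`. It is also worth confirming that pending scan commands are still answered or cancelled on this path.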
index 62179e3..50a3312 100644 (file)
@@ -1747,26 +1747,25 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
                }
 
                if (priv->user_scan_cfg) {
-                       if (!priv->scan_request->aborted) {
+                       if (priv->scan_request) {
                                dev_dbg(priv->adapter->dev,
                                        "info: notifying scan done\n");
                                cfg80211_scan_done(priv->scan_request, 0);
+                               priv->scan_request = NULL;
                        } else {
                                dev_dbg(priv->adapter->dev,
                                        "info: scan already aborted\n");
                        }
 
-                       priv->scan_request = NULL;
                        kfree(priv->user_scan_cfg);
                        priv->user_scan_cfg = NULL;
                }
        } else {
-               if (priv->scan_request && priv->scan_request->aborted) {
+               if (priv->user_scan_cfg && !priv->scan_request) {
                        spin_unlock_irqrestore(&adapter->scan_pending_q_lock,
                                               flags);
                        adapter->scan_delay_cnt = MWIFIEX_MAX_SCAN_DELAY_CNT;
-                       mod_timer(&priv->scan_delay_timer, jiffies +
-                                 msecs_to_jiffies(MWIFIEX_SCAN_DELAY_MSEC));
+                       mod_timer(&priv->scan_delay_timer, jiffies);
                        dev_dbg(priv->adapter->dev,
                                "info: %s: triggerring scan abort\n", __func__);
                } else if (!mwifiex_wmm_lists_empty(adapter) &&
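Review bot: The rewritten condition `priv->user_scan_cfg && !priv->scan_request` now stands for "the scan was aborted", but nothing at the test says so, and the old `->aborted` flag that made it readable is gone. A comment above it would help, for example `/* user_scan_cfg still set but scan_request already completed: the scan was aborted (e.g. by mwifiex_close) */`. The switch to `mod_timer(&priv->scan_delay_timer, jiffies)` also deserves a word on why the delay was dropped, since MWIFIEX_SCAN_DELAY_MSEC is no longer used at this call. The function begins before and continues past this hunk.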