From 6405943bd698a5ddb1a67ccb13f1b159a96fe097 Mon Sep 17 00:00:00 2001
From: Bing Zhao
Date: Thu, 9 May 2013 11:52:50 -0700
Subject: [PATCH] mwifiex: scan delay timer cleanup in unload path
Return from scan delay timer routine if surprise_removed flag is true. Also, cancel the timer in unload path. This fixes a crash when scan delay timer accesses structures that have been freed already. Tested with "iwlist mlan0 scan & sleep 1; rmmod mwifiex_sdio"
BUG=None
TEST="iwlist mlan0 scan & sleep 1; rmmod mwifiex_sdio"; "echo scan > /sys/kernel/debug/kmemleak; cat /sys/kernel/debug/kmemleak"
Change-Id: Ia69b70ecc8b208fce4c2c3f39ec6e2d4042962f6
Reported-by: Daniel Drake [OLPC]
Tested-by: Daniel Drake [OLPC]
Signed-off-by: Amitkumar Karwar
Signed-off-by: Bing Zhao
Reviewed-on: https://gerrit.chromium.org/gerrit/50685
Reviewed-by: Paul Stewart
---
 drivers/net/wireless/mwifiex/init.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/drivers/net/wireless/mwifiex/init.c b/drivers/net/wireless/mwifiex/init.c
index b8ac2b421fbc..0ca260b8408c 100644
--- a/drivers/net/wireless/mwifiex/init.c
+++ b/drivers/net/wireless/mwifiex/init.c
@@ -64,6 +64,9 @@ static void scan_delay_timer_fn(unsigned long data)
 struct cmd_ctrl_node *cmd_node, *tmp_node;
 unsigned long flags;
+ if (adapter->surprise_removed)
+ return;
+
 if (adapter->scan_delay_cnt == MWIFIEX_MAX_SCAN_DELAY_CNT) {
 /*
 * Abort scan operation by cancelling all pending scan
@@ -463,11 +466,18 @@ static void mwifiex_free_lock_list(struct mwifiex_adapter *adapter)
 static void mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter)
 {
+ int i;
+
 if (!adapter) {
 pr_err("%s: adapter is NULL\n", __func__);
 return;
 }
+ for (i = 0; i < adapter->priv_num; i++) {
+ if (adapter->priv[i])
+ del_timer_sync(&adapter->priv[i]->scan_delay_timer);
+ }
+
 mwifiex_cancel_all_pending_cmd(adapter);
 /* Free lock variables */
-- 
2.20.1
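Review bot: The early return added at the top of scan_delay_timer_fn reads `adapter->surprise_removed` from the very object whose lifetime the commit message identifies as the problem, so it cannot protect a timer that fires after the adapter has been freed; it only narrows the window while teardown is in progress. The flag is also read with no lock or barrier visible in this hunk. The actual guarantee presumably comes from the `del_timer_sync()` added in mwifiex_adapter_cleanup, and a comment above the check should say so, e.g. `/* Bail out during teardown; del_timer_sync() in mwifiex_adapter_cleanup() is what guarantees this handler is no longer running. */`. The function body starts before and continues after the hunk.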
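Review bot: The `del_timer_sync()` loop in mwifiex_adapter_cleanup runs before `mwifiex_cancel_all_pending_cmd(adapter)`, and nothing in the hunk stops `scan_delay_timer` from being armed again after the loop, so if a scan path that is still active at this point can call `mod_timer()` on it, the freed-structure access described in the commit message could recur. Whether that can happen depends on `surprise_removed` already being set when cleanup is called, which is not visible here; stating the precondition above the loop, e.g. `/* surprise_removed must already be set so the scan path cannot re-arm the timer */`, would make the ordering reviewable. `del_timer_sync()` must also not be called while holding a lock the handler takes (the handler declares `flags`, which suggests it takes a spinlock), so the callers of this function are worth confirming. The function body continues past the hunk.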