diff options
author | Christian Lamparter <chunkeey@web.de> | 2009-07-18 23:05:37 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-07-21 12:07:44 -0400 |
commit | 9e81eccf199d910e5ea8db377a43478e4eccd033 (patch) | |
tree | c425a97da799df89255b13314e4dd96ec40419db | |
parent | e56f0975360369347725c49654ecfe3792710429 (diff) |
cfg80211: double free in __cfg80211_scan_done
This patch fixes a double free corruption in __cfg80211_scan_done:
================================================
BUG kmalloc-512: Object already free
------------------------------------------------
INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
INFO: Freed in load_elf_binary+0x104e/0x19af age=5
INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488
Bytes b4 0xffff88007e8a9908: 00 00 00 00 00 00 00 00 5a 5a
[...]
Pid: 28705, comm: rmmod Tainted: P C 2.6.31-rc2-wl #1
Call Trace:
[<ffffffff810da9f4>] print_trailer+0x14e/0x16e
[<ffffffff810daa56>] object_err+0x42/0x61
[<ffffffff810dbcd9>] __slab_free+0x2af/0x396
[<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
[<ffffffff810dd5e3>] kfree+0x13c/0x17a
[<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
[<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
[<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
[<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
[...]
FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed
The code path which leads to the *funny* double free:
request = rdev->scan_req;
dev = dev_get_by_index(&init_net, request->ifidx);
/*
* the driver was unloaded recently and
* therefore dev_get_by_index will return NULL!
*/
if (!dev)
goto out;
[...]
rdev->scan_req = NULL; /* not executed... */
[...]
out:
kfree(request);
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/wireless/scan.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index f8e71b300001..9271118e1fc4 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c | |||
@@ -35,8 +35,6 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted) | |||
35 | else | 35 | else |
36 | nl80211_send_scan_done(wiphy_to_dev(request->wiphy), dev); | 36 | nl80211_send_scan_done(wiphy_to_dev(request->wiphy), dev); |
37 | 37 | ||
38 | wiphy_to_dev(request->wiphy)->scan_req = NULL; | ||
39 | |||
40 | #ifdef CONFIG_WIRELESS_EXT | 38 | #ifdef CONFIG_WIRELESS_EXT |
41 | if (!aborted) { | 39 | if (!aborted) { |
42 | memset(&wrqu, 0, sizeof(wrqu)); | 40 | memset(&wrqu, 0, sizeof(wrqu)); |
@@ -48,6 +46,7 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted) | |||
48 | dev_put(dev); | 46 | dev_put(dev); |
49 | 47 | ||
50 | out: | 48 | out: |
49 | wiphy_to_dev(request->wiphy)->scan_req = NULL; | ||
51 | kfree(request); | 50 | kfree(request); |
52 | } | 51 | } |
53 | EXPORT_SYMBOL(cfg80211_scan_done); | 52 | EXPORT_SYMBOL(cfg80211_scan_done); |