On Thu, Dec 5, 2013 at 5:45 PM, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
> On Thu, 2013-12-05 at 17:39 +0200, Eliad Peller wrote:
>> On Thu, Dec 5, 2013 at 4:43 PM, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
>> > On Thu, 2013-12-05 at 16:36 +0200, Eliad Peller wrote:
>> >> On Thu, Dec 5, 2013 at 4:31 PM, Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:
>> >> > On Thu, 2013-12-05 at 11:21 +0200, Eliad Peller wrote:
>> >> >
>> >> >> @@ -219,8 +221,13 @@ void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, bool leak)
>> >> >> * the scan request or not ... if it accesses the dev
>> >> >> * in there (it shouldn't anyway) then it may crash.
>> >> >> */
>> >> >> - if (!leak)
>> >> >> - kfree(request);
>> >> >> + if (leak) {
>> >> >> + request->pending_cleanup = true;
>> >> >> + return;
>> >> >
>> >> > This seems insufficient, if the driver never indicates completion, we'd
>> >> > never clear rdev->scan_req?
>> >> >
>> >> right, but i think it somehow makes sense (i.e. the driver must
>> >> indicate completion...)?
>> >
>> > But the whole thing was intended to catch buggy drivers :)
>> >
>> yeah, you have a point here :)
>> anyway, i guess it's either leaking scan_req and hoping the driver
>> really forgot about it, or keeping it and hoping the driver will
>> finally indicate completion.
>>
>> since i don't think this is a real-world scenario, i'm ok with
>> dropping this patch.
>
> Well, it can be made to crash, so ...
>
> Can we maybe avoid the crash in a different way? Disallow a new scan
> somehow?
Maybe we should drop the whole netdev-notified doing ___cfg80211_scan_done?
I mean if a workaround for buggy drivers is causing bugs for
legitimate drivers..
Something simple for buggy drivers would be doing this in the notifier
- BUG_ON(!rdev->scan_req->notified)
Just my 2c.
Arik
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
