On Thu, 2013-12-05 at 18:30 +0200, Eliad Peller wrote:
> ___cfg80211_scan_done() can be called in some cases
> (e.g. on NETDEV_DOWN) before the low level driver
> notified scan completion (which is indicated by
> passing leak=true).
>
> Clearing rdev->scan_req in this case is buggy, as
> scan_done_wk might have already been queued/running
> (and can't be flushed as it takes rtnl()).
>
> If a new scan will be requested at this stage, the
> scan_done_wk will try freeing it (instead of the
> previous scan), and this will later result in
> a use after free.
>
> Simply remove the "leak" option, and replace it with
> a standard WARN_ON.

Applied. I guess buggy drivers will then crash, but that's hardly news.

johannes
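As an added illustration, not cfg80211's code and not part of the thread, this constructed C model replays the sequence from the commit message: the work item frees whatever rdev->scan_req holds when it finally runs, so once the leak path has cleared the slot a second request lands in it and is the one freed; the fixed variant leaves the slot to the work and only flags the state, as a WARN_ON would. All struct and function names are assumptions of the model.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of the race in the commit message; not cfg80211's code. */
struct scan_request { int id; };
struct rdev {
    struct scan_request *scan_req; /* in-flight request, NULL when idle */
    bool wk_queued;                /* scan_done_wk queued but not yet run */
    int wk_freed_id;               /* id of the request the work freed */
};

/* scan_done_wk: frees whatever the slot holds when it finally gets to run. */
static void scan_done_wk(struct rdev *rdev)
{
    struct scan_request *req = rdev->scan_req;
    rdev->wk_queued = false;
    rdev->wk_freed_id = req ? req->id : 0;
    rdev->scan_req = NULL;
    free(req);
}
/* Driver reports completion: the work can only be queued here, not run. */
static void driver_scan_done(struct rdev *rdev) { rdev->wk_queued = true; }
/* Old NETDEV_DOWN path (leak=true): clears the slot with the work still queued. */
static void netdev_down_old(struct rdev *rdev) { rdev->scan_req = NULL; }
/* Fixed path: leave the slot to the work; only flag the state (WARN_ON analogue). */
static bool netdev_down_fixed(struct rdev *rdev) { return rdev->wk_queued; }
/* A new scan is refused (-EBUSY) while a request still occupies the slot. */
static struct scan_request *request_scan(struct rdev *rdev, int id)
{
    if (rdev->scan_req) return NULL;
    rdev->scan_req = malloc(sizeof *rdev->scan_req);
    if (!rdev->scan_req) return NULL;
    rdev->scan_req->id = id;
    return rdev->scan_req;
}

/* Replays the race once; returns the id of the request the late work freed. */
static int freed_id_after_netdev_down(bool fixed)
{
    struct rdev rdev = {0};
    struct scan_request *old = request_scan(&rdev, 1);
    driver_scan_done(&rdev);                  /* scan_done_wk queued for id 1 */
    if (fixed) netdev_down_fixed(&rdev); else netdev_down_old(&rdev);
    struct scan_request *next = request_scan(&rdev, 2); /* old: accepted; fixed: NULL */
    scan_done_wk(&rdev);      /* old code frees id 2: any later use of it is a UAF */
    if (next) free(old);      /* old code leaked id 1; tidy up in the model */
    return rdev.wk_freed_id;
}
```

With the old path the work frees request 2 while the driver still holds request 1; with the fixed path the second request is refused and the work frees request 1.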