[PATCH] cfg80211: fix memory leak/corruption of bss_list

cfg80211_dev_free() calls cfg80211_put_bss() directly on all
the remaining bss entries, skipping the proper bss entry
cleanup that is usually made by __cfg80211_unlink_bss(), and
leaving the bss_list and the rb_tree with dangling pointers.

Fix it by calling cfg80211_unlink_bss() instead.

Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Eliad Peller <eliad@xxxxxxxxxx>
---
 net/wireless/core.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/wireless/core.c b/net/wireless/core.c
index 4e86a86..232c385 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -729,7 +729,7 @@ void cfg80211_dev_free(struct cfg80211_registered_device *rdev)
 	mutex_destroy(&rdev->devlist_mtx);
 	mutex_destroy(&rdev->sched_scan_mtx);
 	list_for_each_entry_safe(scan, tmp, &rdev->bss_list, list)
-		cfg80211_put_bss(&scan->pub);
+		cfg80211_unlink_bss(&rdev->wiphy, &scan->pub);
 	kfree(rdev);
 }
 
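Review bot: In the loop of cfg80211_dev_free(), the new cfg80211_unlink_bss() call has to keep dropping the reference that cfg80211_put_bss() released, otherwise each remaining entry is leaked once kfree(rdev) runs. The changelog only says the unlink path does the bss_list and rb_tree cleanup, so please state there that it also puts the list's reference. The subject mentions a leak as well, but the text explains only the dangling pointers; a sentence on where the leak comes from would help stable reviewers. The call now receives &rdev->wiphy after mutex_destroy() has already run on devlist_mtx and sched_scan_mtx, so it is worth confirming (and noting) that the unlink path takes neither of those mutexes.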
-- 
1.7.6.401.g6a319
