mwifiex: scan delay timer cleanup in unload path
Return from scan delay timer routine if surprise_removed flag is true. Also, cancel the timer in unload path. This fixes a crash when scan delay timer accesses structures that have been freed already. Tested with "iwlist mlan0 scan & sleep 1; rmmod mwifiex_sdio" Reported-by: Daniel Drake <dsd@laptop.org> Tested-by: Daniel Drake <dsd@laptop.org> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
Amitkumar Karwar
John W. Linville
parent
c56ecf5a7f
commit
06041118ef
1 changed files with 10 additions and 0 deletions
|
|
@ -59,6 +59,9 @@ static void scan_delay_timer_fn(unsigned long data)
|
|||
struct cmd_ctrl_node *cmd_node, *tmp_node;
|
||||
unsigned long flags;
|
||||
|
||||
if (adapter->surprise_removed)
|
||||
return;
|
||||
|
||||
if (adapter->scan_delay_cnt == MWIFIEX_MAX_SCAN_DELAY_CNT) {
|
||||
/*
|
||||
* Abort scan operation by cancelling all pending scan
|
||||
|
|
@ -458,11 +461,18 @@ static void mwifiex_free_lock_list(struct mwifiex_adapter *adapter)
|
|||
static void
|
||||
mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (!adapter) {
|
||||
pr_err("%s: adapter is NULL\n", __func__);
|
||||
return;
|
||||
}
|
||||
|
||||
for (i = 0; i < adapter->priv_num; i++) {
|
||||
if (adapter->priv[i])
|
||||
del_timer_sync(&adapter->priv[i]->scan_delay_timer);
|
||||
}
|
||||
|
||||
mwifiex_cancel_all_pending_cmd(adapter);
|
||||
|
||||
/* Free lock variables */
|
||||
|
|
|
|||
Loading…
Reference in a new issue