wil6210: fix protection of wil->scan_request
authorLior David <qca_liord@qca.qualcomm.com>
Mon, 22 Aug 2016 09:42:19 +0000 (12:42 +0300)
committerKalle Valo <kvalo@qca.qualcomm.com>
Wed, 31 Aug 2016 07:31:03 +0000 (10:31 +0300)
Currently the places that check wil->scan_request and
call cfg80211_scan_done are not consistently protected,
so there is a risk that cfg80211_scan_done will be called
with NULL scan_request, causing a kernel crash.
Fix this by using p2p_wdev_mutex in few other places
that access scan_request. This makes sense since
scan_request may point to p2p_wdev, and it is not worth
the extra complexity of adding a new mutex.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
drivers/net/wireless/ath/wil6210/cfg80211.c
drivers/net/wireless/ath/wil6210/main.c
drivers/net/wireless/ath/wil6210/wil6210.h
drivers/net/wireless/ath/wil6210/wmi.c

index ffacc76487273b2095d87742e01ab3f7154ea700..d117240d9a7303d1d0a6a83e73607b6353fcdaef 100644 (file)
@@ -354,10 +354,13 @@ static int wil_cfg80211_scan(struct wiphy *wiphy,
        wil_dbg_misc(wil, "%s(), wdev=0x%p iftype=%d\n",
                     __func__, wdev, wdev->iftype);
 
+       mutex_lock(&wil->p2p_wdev_mutex);
        if (wil->scan_request) {
                wil_err(wil, "Already scanning\n");
+               mutex_unlock(&wil->p2p_wdev_mutex);
                return -EAGAIN;
        }
+       mutex_unlock(&wil->p2p_wdev_mutex);
 
        /* check we are client side */
        switch (wdev->iftype) {
index d0b180cc3c6026321c6e1563db88078ff525704a..7b7619c1f9f3d887cff51a5c347f69102498a810 100644 (file)
@@ -852,6 +852,7 @@ int wil_reset(struct wil6210_priv *wil, bool load_fw)
        bitmap_zero(wil->status, wil_status_last);
        mutex_unlock(&wil->wmi_mutex);
 
+       mutex_lock(&wil->p2p_wdev_mutex);
        if (wil->scan_request) {
                struct cfg80211_scan_info info = {
                        .aborted = true,
@@ -863,6 +864,7 @@ int wil_reset(struct wil6210_priv *wil, bool load_fw)
                cfg80211_scan_done(wil->scan_request, &info);
                wil->scan_request = NULL;
        }
+       mutex_unlock(&wil->p2p_wdev_mutex);
 
        wil_mask_irq(wil);
 
@@ -1055,6 +1057,7 @@ int __wil_down(struct wil6210_priv *wil)
 
        wil_p2p_stop_radio_operations(wil);
 
+       mutex_lock(&wil->p2p_wdev_mutex);
        if (wil->scan_request) {
                struct cfg80211_scan_info info = {
                        .aborted = true,
@@ -1066,6 +1069,7 @@ int __wil_down(struct wil6210_priv *wil)
                cfg80211_scan_done(wil->scan_request, &info);
                wil->scan_request = NULL;
        }
+       mutex_unlock(&wil->p2p_wdev_mutex);
 
        wil_reset(wil, false);
 
index 60876912095787c9a1810473f4406709cdfb43a2..1eb7fe772273062c3518c6f33fb853cecc9cfd87 100644 (file)
@@ -657,7 +657,7 @@ struct wil6210_priv {
 
        /* P2P_DEVICE vif */
        struct wireless_dev *p2p_wdev;
-       struct mutex p2p_wdev_mutex; /* protect @p2p_wdev */
+       struct mutex p2p_wdev_mutex; /* protect @p2p_wdev and @scan_request */
        struct wireless_dev *radio_wdev;
 
        /* High Access Latency Policy voting */
index 4d92541913c0227ed1d639c3ec33caf41d4dafce..0b109b2a31ac516877a66c8a8eccc42aec116d0e 100644 (file)
@@ -424,6 +424,7 @@ static void wmi_evt_tx_mgmt(struct wil6210_priv *wil, int id, void *d, int len)
 static void wmi_evt_scan_complete(struct wil6210_priv *wil, int id,
                                  void *d, int len)
 {
+       mutex_lock(&wil->p2p_wdev_mutex);
        if (wil->scan_request) {
                struct wmi_scan_complete_event *data = d;
                struct cfg80211_scan_info info = {
@@ -435,14 +436,13 @@ static void wmi_evt_scan_complete(struct wil6210_priv *wil, int id,
                             wil->scan_request, info.aborted);
 
                del_timer_sync(&wil->scan_timer);
-               mutex_lock(&wil->p2p_wdev_mutex);
                cfg80211_scan_done(wil->scan_request, &info);
                wil->radio_wdev = wil->wdev;
-               mutex_unlock(&wil->p2p_wdev_mutex);
                wil->scan_request = NULL;
        } else {
                wil_err(wil, "SCAN_COMPLETE while not scanning\n");
        }
+       mutex_unlock(&wil->p2p_wdev_mutex);
 }
 
 static void wmi_evt_connect(struct wil6210_priv *wil, int id, void *d, int len)