mwifiex: scan delay timer cleanup in unload path

Return from scan delay timer routine if surprise_removed flag
is true. Also, cancel the timer in unload path.

This fixes a crash when scan delay timer accesses structures
that have been freed already.

Tested with "iwlist mlan0 scan & sleep 1; rmmod mwifiex_sdio"

Reported-by: Daniel Drake <dsd@laptop.org>
Tested-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/drivers/net/wireless/mwifiex/init.c b/drivers/net/wireless/mwifiex/init.c
index 58e151edfa094e6e0ee70e5f81b07982df6c6981..71bbf120468564cce21c7bc3c4358376b816b6c4 100644 (file)
--- a/drivers/net/wireless/mwifiex/init.c
+++ b/drivers/net/wireless/mwifiex/init.c
@@ -59,6 +59,9 @@ static void scan_delay_timer_fn(unsigned long data)
        struct cmd_ctrl_node *cmd_node, *tmp_node;
        unsigned long flags;
 
+       if (adapter->surprise_removed)
+               return;
+
        if (adapter->scan_delay_cnt == MWIFIEX_MAX_SCAN_DELAY_CNT) {
                /*
                 * Abort scan operation by cancelling all pending scan
@@ -458,11 +461,18 @@ static void mwifiex_free_lock_list(struct mwifiex_adapter *adapter)
 static void
 mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter)
 {
+       int i;
+
        if (!adapter) {
                pr_err("%s: adapter is NULL\n", __func__);
                return;
        }
 
+       for (i = 0; i < adapter->priv_num; i++) {
+               if (adapter->priv[i])
+                       del_timer_sync(&adapter->priv[i]->scan_delay_timer);
+       }
+
        mwifiex_cancel_all_pending_cmd(adapter);
 
        /* Free lock variables */