From: Amitkumar Karwar Date: Sat, 18 May 2013 00:50:19 +0000 (-0700) Subject: mwifiex: scan delay timer cleanup in unload path X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=06041118ef0908b9cae7657a7b734699bcf61a6c;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git mwifiex: scan delay timer cleanup in unload path Return from scan delay timer routine if surprise_removed flag is true. Also, cancel the timer in unload path. This fixes a crash when scan delay timer accesses structures that have been freed already. Tested with "iwlist mlan0 scan & sleep 1; rmmod mwifiex_sdio" Reported-by: Daniel Drake Tested-by: Daniel Drake Signed-off-by: Amitkumar Karwar Signed-off-by: Bing Zhao Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/mwifiex/init.c b/drivers/net/wireless/mwifiex/init.c index 58e151edfa09..71bbf1204685 100644 --- a/drivers/net/wireless/mwifiex/init.c +++ b/drivers/net/wireless/mwifiex/init.c @@ -59,6 +59,9 @@ static void scan_delay_timer_fn(unsigned long data) struct cmd_ctrl_node *cmd_node, *tmp_node; unsigned long flags; + if (adapter->surprise_removed) + return; + if (adapter->scan_delay_cnt == MWIFIEX_MAX_SCAN_DELAY_CNT) { /* * Abort scan operation by cancelling all pending scan @@ -458,11 +461,18 @@ static void mwifiex_free_lock_list(struct mwifiex_adapter *adapter) static void mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter) { + int i; + if (!adapter) { pr_err("%s: adapter is NULL\n", __func__); return; } + for (i = 0; i < adapter->priv_num; i++) { + if (adapter->priv[i]) + del_timer_sync(&adapter->priv[i]->scan_delay_timer); + } + mwifiex_cancel_all_pending_cmd(adapter); /* Free lock variables */