android_kernel_asus_sm8350/net at 9e81eccf199d910e5ea8db377a43478e4eccd033 - android_kernel_asus_sm8350 - Gitea: Git with a cup of tea

android/android_kernel_asus_sm8350

History

Christian Lamparter 9e81eccf19 cfg80211: double free in __cfg80211_scan_done

This patch fixes a double free corruption in __cfg80211_scan_done:

 ================================================
 BUG kmalloc-512: Object already free
 ------------------------------------------------

 INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
 INFO: Freed in load_elf_binary+0x104e/0x19af age=5
 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488

 Bytes b4 0xffff88007e8a9908:  00 00 00 00 00 00 00 00 5a 5a
 [...]
 Pid: 28705, comm: rmmod Tainted: P         C 2.6.31-rc2-wl #1
 Call Trace:
  [<ffffffff810da9f4>] print_trailer+0x14e/0x16e
  [<ffffffff810daa56>] object_err+0x42/0x61
  [<ffffffff810dbcd9>] __slab_free+0x2af/0x396
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffff810dd5e3>] kfree+0x13c/0x17a
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
  [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
  [...]
 FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed

The code path which leads to the *funny* double free:

       request = rdev->scan_req;
       dev = dev_get_by_index(&init_net, request->ifidx);
	/*
	 * the driver was unloaded recently and
	 * therefore dev_get_by_index will return NULL!
	 */
        if (!dev)
                goto out;
	[...]
	rdev->scan_req = NULL; /* not executed... */
	[...]
 out:
        kfree(request);

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

2009-07-21 12:07:44 -04:00

..

net/9p: Fix crash due to bad mount parameters.

2009-07-02 13:17:01 -07:00

net: remove COMPAT_NET_DEV_OPS

2009-05-25 01:53:53 -07:00

8021q: Vlan driver should use rcu_barrier() on unload instead of syncronize_net()

2009-06-10 01:11:22 -07:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

net: adding memory barrier to the poll and receive callbacks

2009-07-09 17:06:57 -07:00

net: Move rx skb_orphan call to where needed

2009-06-23 16:36:25 -07:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

bridge: Use rcu_barrier() instead of syncronize_net() on unload.

2009-06-26 13:51:32 -07:00

net/can: add module alias to can protocol drivers

2009-07-15 11:20:38 -07:00

Fix error return for setsockopt(SO_TIMESTAMPING)

2009-07-20 08:23:36 -07:00

DCB: fix kfree(skb)

2009-01-04 17:29:21 -08:00

net: adding memory barrier to the poll and receive callbacks

2009-07-09 17:06:57 -07:00

decnet: Use rcu_barrier() on module unload.

2009-06-26 13:51:27 -07:00

dsa: fix 88e6xxx statistics counter snapshotting

2009-07-05 18:03:35 -07:00

net: sk_wmem_alloc has initial value of one, not zero

2009-06-17 04:31:25 -07:00

net: remove COMPAT_NET_DEV_OPS

2009-05-25 01:53:53 -07:00

nl802154: add module license and description

2009-06-29 18:20:28 +04:00

tcp: Use correct peer adr when copying MD5 keys

2009-07-20 07:49:08 -07:00

tcp: Use correct peer adr when copying MD5 keys

2009-07-20 07:49:08 -07:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

net: Move rx skb_orphan call to where needed

2009-06-23 16:36:25 -07:00

net: adding memory barrier to the poll and receive callbacks

2009-07-09 17:06:57 -07:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

…

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

mac80211: use correct address for mesh Path Error

2009-07-21 12:07:40 -04:00

netfilter: nf_conntrack: nf_conntrack_alloc() fixes

2009-07-16 14:03:40 +02:00

netlabel: Use genl_register_family_with_ops()

2009-05-21 16:50:24 -07:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

Phonet: generate Netlink RTM_DELADDR when destroying a device

2009-06-25 02:58:16 -07:00

Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6

2009-05-18 21:08:20 -07:00

rfkill: fix rfkill_set_states() to set the hw state

2009-07-21 12:07:38 -04:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

net: adding memory barrier to the poll and receive callbacks

2009-07-09 17:06:57 -07:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

sctp: fix warning at inet_sock_destruct() while release sctp socket

2009-07-06 12:47:08 -07:00

sunrpc: Use rcu_barrier() on unload.

2009-06-26 13:51:34 -07:00

tipc: Use genl_register_family_with_ops()

2009-05-21 16:50:23 -07:00

net: adding memory barrier to the poll and receive callbacks

2009-07-09 17:06:57 -07:00

wanrouter: fix sparse warnings: context imbalance

2009-02-26 23:13:36 -08:00

wimax: fix warning caused by not checking retval of rfkill_set_hw_state()

2009-06-11 11:12:48 -07:00

cfg80211: double free in __cfg80211_scan_done

2009-07-21 12:07:44 -04:00

net: correct off-by-one write allocations reports

2009-06-18 00:29:12 -07:00

xfrm: use xfrm_addr_cmp() instead of compare addresses directly

2009-06-29 19:41:46 -07:00

compat.c

net: socket infrastructure for SO_TIMESTAMPING

2009-02-15 22:43:35 -08:00

Kconfig

net: add IEEE 802.15.4 socket family implementation

2009-06-09 05:25:32 -07:00

Makefile

net: add IEEE 802.15.4 socket family implementation

2009-06-09 05:25:32 -07:00

nonet.c

…

socket.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

2009-04-06 18:05:43 -07:00

sysctl_net.c

net: sysctl_net - use net_eq to compare nets

2009-03-16 16:23:30 +01:00

TUNABLE

…