mwifiex: sdio: fix use after free issue for save_adapter

[ Upstream commit 74c8719b8ee0922593a5cbec0bd6127d86d8a2f4 ] If we have sdio work requests received when sdio card reset is happening, we may end up accessing older save_adapter pointer later which is already freed during card reset. This patch solves the problem by cancelling those pending requests. Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <alexander.levin@verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Amitkumar Karwar <akarwar@marvell.com> 2016-12-01 19:23:31 +0530
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-11-30 08:39:12 +0000
commit: 5553271f778df8e87b1f08979df2fc26b9fbb6a8 (patch)
tree: b27fc2fac3def1053bace3cd69824afd2ab4f796 /drivers/net
parent: b1d4d0e1503ecbdc1f0f612f798b93864e666657 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/net/wireless/marvell/mwifiex/sdio.c b/drivers/net/wireless/marvell/mwifiex/sdio.c
index 8718950004f3..8d601dcf2948 100644
--- a/drivers/net/wireless/marvell/mwifiex/sdio.c
+++ b/drivers/net/wireless/marvell/mwifiex/sdio.c
@@ -2296,6 +2296,12 @@ static void mwifiex_recreate_adapter(struct sdio_mmc_card *card)
 	mmc_hw_reset(func->card->host);
 	sdio_release_host(func);
 
+	/* Previous save_adapter won't be valid after this. We will cancel
+	 * pending work requests.
+	 */
+	clear_bit(MWIFIEX_IFACE_WORK_DEVICE_DUMP, &iface_work_flags);
+	clear_bit(MWIFIEX_IFACE_WORK_CARD_RESET, &iface_work_flags);
+
 	mwifiex_sdio_probe(func, device_id);
 }
author	Amitkumar Karwar <akarwar@marvell.com>	2016-12-01 19:23:31 +0530
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-11-30 08:39:12 +0000
commit	5553271f778df8e87b1f08979df2fc26b9fbb6a8 (patch)
tree	b27fc2fac3def1053bace3cd69824afd2ab4f796 /drivers/net
parent	b1d4d0e1503ecbdc1f0f612f798b93864e666657 (diff)