mwifiex: scan delay timer cleanup in unload path
authorBing Zhao <bzhao@marvell.com>
Thu, 9 May 2013 18:52:50 +0000 (11:52 -0700)
committerChromeBot <chrome-bot@google.com>
Fri, 10 May 2013 22:45:32 +0000 (15:45 -0700)
Return from scan delay timer routine if surprise_removed flag
is true. Also, cancel the timer in unload path.

This fixes a crash when scan delay timer accesses structures
that have been freed already.

Tested with "iwlist mlan0 scan & sleep 1; rmmod mwifiex_sdio"

BUG=None
TEST="iwlist mlan0 scan & sleep 1; rmmod mwifiex_sdio";
"echo scan > /sys/kernel/debug/kmemleak; cat /sys/kernel/debug/kmemleak"

Change-Id: Ia69b70ecc8b208fce4c2c3f39ec6e2d4042962f6
Reported-by: Daniel Drake <dsd@laptop.org> [OLPC]
Tested-by: Daniel Drake <dsd@laptop.org> [OLPC]
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Reviewed-on: https://gerrit.chromium.org/gerrit/50685
Reviewed-by: Paul Stewart <pstew@chromium.org>
drivers/net/wireless/mwifiex/init.c

index b8ac2b4..0ca260b 100644 (file)
@@ -64,6 +64,9 @@ static void scan_delay_timer_fn(unsigned long data)
        struct cmd_ctrl_node *cmd_node, *tmp_node;
        unsigned long flags;
 
+       if (adapter->surprise_removed)
+               return;
+
        if (adapter->scan_delay_cnt == MWIFIEX_MAX_SCAN_DELAY_CNT) {
                /*
                 * Abort scan operation by cancelling all pending scan
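Review bot: The `surprise_removed` test at the top of scan_delay_timer_fn is an unlocked read of a flag reached through `adapter`, so it narrows the window for touching freed structures but cannot close it on its own: if the adapter memory has already been released when the timer fires, the test itself reads freed memory. The actual guarantee comes from the `del_timer_sync()` call this commit adds to mwifiex_adapter_cleanup. That dependency is worth stating next to the check, e.g. `/* Best effort only: unload must del_timer_sync() this timer before priv/adapter are freed */`. How `adapter` is derived from `data` sits above the hunk and the function body continues below it, so this rests on the visible lines only.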
@@ -463,11 +466,18 @@ static void mwifiex_free_lock_list(struct mwifiex_adapter *adapter)
 static void
 mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter)
 {
+       int i;
+
        if (!adapter) {
                pr_err("%s: adapter is NULL\n", __func__);
                return;
        }
 
+       for (i = 0; i < adapter->priv_num; i++) {
+               if (adapter->priv[i])
+                       del_timer_sync(&adapter->priv[i]->scan_delay_timer);
+       }
+
        mwifiex_cancel_all_pending_cmd(adapter);
 
        /* Free lock variables */
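Review bot: The `del_timer_sync()` loop in mwifiex_adapter_cleanup keeps the timer dead only if nothing can arm it again afterwards, and `mwifiex_cancel_all_pending_cmd(adapter)` still runs after the loop. If any scan or command-completion path can arm `scan_delay_timer` from that point on, the use-after-free described in the commit message could return; whether that is prevented depends on `surprise_removed` being set before this function is entered, which is not visible here. I would record that precondition above the loop, e.g. `/* surprise_removed must already be set so the scan path cannot re-arm scan_delay_timer */`. It is also worth confirming that this function is never reached before the per-priv timers are initialised or from atomic context, since del_timer_sync() may wait for a running handler. The function continues past the end of the hunk.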