mwifiex: dump station can panic if device is reset
cfg80211_dump_station semantics are such that the entry point is invoked
repeatedly for each station in the list, and the driver returns ENOENT
once all the station entries have been visited. This forces the entry
point to maintain state, which is currently implemented with a static
local variable.
If the driver is reset while in the middle of dumping stations, a stale
pointer will be referenced the next time dump_station is called, resulting
in an oops with a misleading stack:
Call Trace:
[<e063090c>] wifiex_del_virtual_intf+0x403c/0x44ac [mwifiex]
[<80426d00>] serial8250_handle_irq.part.21+0x100/0x124
And rarely, a more accurate oops:
Call Trace:
[<e062d1c0>] mwifiex_cfg80211_dump_station+0xc0/0x130 [mwifiex]
[<e050e130>] nl80211_dump_station+0xe0/0x310 [cfg80211]
[<80640ac4>] genl_lock_dumpit+0x4c/0x74
[<8063d2dc>] netlink_dump+0x148/0x2b8
[<8063da2c>] __netlink_dump_start+0x1e4/0x260
[<80641804>] genl_rcv_msg+0x354/0x3e8
[<80640634>] netlink_rcv_skb+0x110/0x138
[<80641498>] genl_rcv+0x40/0x58
[<8063fb70>] netlink_unicast+0x1fc/0x34c
[<80640270>] netlink_sendmsg+0x430/0x4f4
[<805eb244>] ___sys_sendmsg+0x11c/0x254
[<805ec32c>] __sys_sendmsg+0x58/0xa0
[<80016e54>] syscall_common+0x30/0x54
The fix moves the state variable into mwifiex_private.
See b/27275899
Change-Id: I9f944b63581567603d7f9d8d51a9620ee18ee186
2 files changed
