linux/drivers
Reinette Chatre 073d5eab6f iwlwifi: fix internal scan race
It is possible for internal scan to race against itself if the device is
not returning the scan results from first requests. What happens in this
case is the cleanup done during the abort of the first internal scan also
cleans up part of the new scan, causing it to access memory it shouldn't.

Here are details:
* First internal scan is triggered and scan command sent to device.
* After seven seconds there is no scan results so the watchdog timer
  triggers a scan abort.
* The scan abort succeeds and a SCAN_COMPLETE_NOTIFICATION is received for
 failed scan.
* During processing of SCAN_COMPLETE_NOTIFICATION we clear STATUS_SCANNING
  and queue the "scan_completed" work.
** At this time, since the problem that caused the internal scan in first
   place is still present, a new internal scan is triggered.
The behavior at this point is a bit different between 2.6.34 and 2.6.35
since 2.6.35 has a lot of this synchronized. The rest of the race
description will thus be generalized.
** As part of preparing for the scan "is_internal_short_scan" is set to
true.
* At this point the completion work for fist scan is run. As part of this
  there is some locking missing around the "is_internal_short_scan"
  variable and it is set to "false".
** Now the second scan runs and it considers itself a real (not internal0
   scan and thus causes problems with wrong memory being accessed.

The fix is twofold.
* Since "is_internal_short_scan" should be protected by mutex, fix this in
  scan completion work so that changes to it can be serialized.
* Do not queue a new internal scan if one is in progress.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=15824

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-05-21 14:40:00 -04:00
..
accessibility
acpi Merge branch 'acpica' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6 2010-05-20 09:45:38 -07:00
amba
ata Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev 2010-05-20 09:27:37 -07:00
atm atm: select FW_LOADER in Kconfig for solos-pci 2010-05-17 17:44:36 -07:00
auxdisplay
base Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/suspend-2.6 2010-05-20 09:03:55 -07:00
block Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-05-20 09:20:59 -07:00
bluetooth Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-05-20 21:04:44 -07:00
cdrom
char Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2010-05-20 10:33:06 -07:00
clocksource Merge branch 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2010-05-19 17:10:57 -07:00
connector
cpufreq Merge branch 'x86-cpu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2010-05-18 08:49:13 -07:00
cpuidle
crypto
dca
dio
dma Merge git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6 2010-05-19 11:36:03 -07:00
edac
eisa
firewire Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-05-20 09:20:59 -07:00
firmware
gpio Merge branch 'topic/asoc' into for-linus 2010-05-20 12:00:43 +02:00
gpu Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-05-20 09:20:59 -07:00
hid USB: rename usb_buffer_alloc() and usb_buffer_free() users 2010-05-20 13:21:38 -07:00
hwmon
i2c Merge branch 'for-linus/i2c-2635' of git://git.fluff.org/bjdooks/linux 2010-05-20 09:41:17 -07:00
ide
idle
ieee1394
ieee802154
infiniband Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-05-20 21:04:44 -07:00
input Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6 2010-05-20 21:26:12 -07:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-05-20 21:04:44 -07:00
leds
lguest
macintosh
mca
md
media Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6 2010-05-20 21:26:12 -07:00
memstick
message
mfd Merge branch 'topic/asoc' into for-linus 2010-05-20 12:00:43 +02:00
misc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-05-20 09:20:59 -07:00
mmc Merge branch 'devel' of master.kernel.org:/home/rmk/linux-2.6-arm 2010-05-19 11:37:22 -07:00
mtd
net iwlwifi: fix internal scan race 2010-05-21 14:40:00 -04:00
nubus
of
oprofile
parisc
parport
pci Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-05-20 09:20:59 -07:00
pcmcia Merge git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6 2010-05-20 09:09:46 -07:00
platform
pnp
power
pps
ps3
rapidio
regulator Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-05-20 09:20:59 -07:00
rtc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-05-20 09:20:59 -07:00
s390 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-05-20 21:04:44 -07:00
sbus
scsi Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-05-20 21:04:44 -07:00
serial Merge git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6 2010-05-20 09:09:46 -07:00
sfi
sh
sn
spi Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-05-20 09:20:59 -07:00
ssb Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-05-20 21:04:44 -07:00
staging Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6 2010-05-20 21:26:12 -07:00
tc
telephony
thermal
uio
usb Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6 2010-05-20 21:26:12 -07:00
uwb
vhost
video Merge branch 'viafb-next' of git://git.lwn.net/linux-2.6 2010-05-20 13:34:17 -07:00
virtio
vlynq
w1
watchdog USB: rename usb_buffer_alloc() and usb_buffer_free() users 2010-05-20 13:21:38 -07:00
xen
zorro m68k: amiga - Zorro host bridge platform device conversion 2010-05-17 21:37:42 +02:00
Kconfig
Makefile