From ea447605bf53075dd48cf0d264b4c28d2affa702 Mon Sep 17 00:00:00 2001
From: Huashan Qu <hqu@codeaurora.org>
Date: Thu, 20 Apr 2017 19:15:59 +0800
Subject: qcacld-2.0: Flush scan_block_work when receive NETDEV_GOING_DOWN
 notifier

In some case, scan_block_work will be scheduled, but NETDEV_DOWN will
come before scan_block_work executed, it will lead to crash. Because
in this case it will call ___cfg80211_scan_done to free scan request in
cfg80211_netdev_notifier_call firstly, but it will access scan request
in wlan_hdd_cfg80211_scan_block_cb afterwards, so it will crash.

Add flush scan_block_work process when receive NETDEV_GOING_DOWN notifier.

Change-Id: Iada4b907f5fb03871406904340e21b6cdf89306f
CRs-Fixed: 2034794
---
 CORE/HDD/inc/wlan_hdd_cfg80211.h | 10 ++++++++++
 CORE/HDD/src/wlan_hdd_cfg80211.c |  7 +------
 CORE/HDD/src/wlan_hdd_main.c     |  3 +++
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/CORE/HDD/inc/wlan_hdd_cfg80211.h b/CORE/HDD/inc/wlan_hdd_cfg80211.h
index 3b2dbdfa9c60..0b505522f2cc 100644
--- a/CORE/HDD/inc/wlan_hdd_cfg80211.h
+++ b/CORE/HDD/inc/wlan_hdd_cfg80211.h
@@ -2743,4 +2743,14 @@ enum wlan_hdd_scan_type_for_randomization {
 };
 
 int wlan_hdd_try_disconnect(hdd_adapter_t *pAdapter);
+
+/**
+ * wlan_hdd_cfg80211_scan_block_cb() - scan block work handler
+ * @work: Pointer to work
+ *
+ * This function is used to do scan block work handler
+ *
+ * Return: None
+ */
+void wlan_hdd_cfg80211_scan_block_cb(struct work_struct *work);
 #endif
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 7545ba3b31c2..e03672dec466 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -20627,7 +20627,7 @@ static bool wlan_hdd_sap_skip_scan_check(hdd_context_t *hdd_ctx,
 }
 #endif
 
-static void wlan_hdd_cfg80211_scan_block_cb(struct work_struct *work)
+void wlan_hdd_cfg80211_scan_block_cb(struct work_struct *work)
 {
     hdd_adapter_t *adapter = container_of(work,
                                    hdd_adapter_t, scan_block_work);
@@ -20820,9 +20820,6 @@ int __wlan_hdd_cfg80211_scan( struct wiphy *wiphy,
 
             pAdapter->request = request;
 
-            vos_init_work(&pAdapter->scan_block_work,
-                                            wlan_hdd_cfg80211_scan_block_cb);
-
             schedule_work(&pAdapter->scan_block_work);
             return 0;
         }
@@ -20934,8 +20931,6 @@ int __wlan_hdd_cfg80211_scan( struct wiphy *wiphy,
        wlan_hdd_sap_skip_scan_check(pHddCtx, request)) {
         hddLog(LOGE, FL("sap scan skipped"));
         pAdapter->request = request;
-        vos_init_work(&pAdapter->scan_block_work,
-                  wlan_hdd_cfg80211_scan_block_cb);
         schedule_work(&pAdapter->scan_block_work);
         return 0;
     }
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index bdbed1821764..5d198a8c1582 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -1153,6 +1153,7 @@ static int __hdd_netdev_notifier_call(struct notifier_block * nb,
         }
         else
         {
+           vos_flush_work(&pAdapter->scan_block_work);
            VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
                "%s: Scan is not Pending from user" , __func__);
         }
@@ -11319,6 +11320,8 @@ hdd_adapter_t* hdd_open_adapter( hdd_context_t *pHddCtx, tANI_U8 session_type,
       }
    }
 
+    vos_init_work(&pAdapter->scan_block_work, wlan_hdd_cfg80211_scan_block_cb);
+
     cfgState = WLAN_HDD_GET_CFG_STATE_PTR( pAdapter );
     mutex_init(&cfgState->remain_on_chan_ctx_lock);
 
-- 
cgit v1.2.3