GAS: Remove all radio works before calling gas_query_deinit()
Remove all gas-query radio works before calling gas_query_deinit() as gas_query_deinit() flow frees the query context, which might be later be accessed from the radio work callback (and result with unexpected behavior, e.g., segmentation fault). Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This commit is contained in:
parent
1a5041791e
commit
57e832de37
1 changed files with 10 additions and 0 deletions
|
@ -493,6 +493,16 @@ static void wpa_supplicant_cleanup(struct wpa_supplicant *wpa_s)
|
||||||
|
|
||||||
wpas_mac_addr_rand_scan_clear(wpa_s, MAC_ADDR_RAND_ALL);
|
wpas_mac_addr_rand_scan_clear(wpa_s, MAC_ADDR_RAND_ALL);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Need to remove any pending gas-query radio work before the
|
||||||
|
* gas_query_deinit() call because gas_query::work has not yet been set
|
||||||
|
* for works that have not been started. gas_query_free() will be unable
|
||||||
|
* to cancel such pending radio works and once the pending gas-query
|
||||||
|
* radio work eventually gets removed, the deinit notification call to
|
||||||
|
* gas_query_start_cb() would result in dereferencing freed memory.
|
||||||
|
*/
|
||||||
|
if (wpa_s->radio)
|
||||||
|
radio_remove_works(wpa_s, "gas-query", 0);
|
||||||
gas_query_deinit(wpa_s->gas);
|
gas_query_deinit(wpa_s->gas);
|
||||||
wpa_s->gas = NULL;
|
wpa_s->gas = NULL;
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue