From 57e832de37ea0a82e650d8230457e0868a01b72e Mon Sep 17 00:00:00 2001
From: Ilan Peer
Date: Mon, 1 Jun 2015 13:38:10 +0300
Subject: [PATCH] GAS: Remove all radio works before calling gas_query_deinit()

Remove all gas-query radio works before calling gas_query_deinit() as gas_query_deinit() flow frees the query context, which might be later be accessed from the radio work callback (and result with unexpected behavior, e.g., segmentation fault).

Signed-off-by: Ilan Peer
---
 wpa_supplicant/wpa_supplicant.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 05f480896..e833c3aca 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -493,6 +493,16 @@ static void wpa_supplicant_cleanup(struct wpa_supplicant *wpa_s)
 wpas_mac_addr_rand_scan_clear(wpa_s, MAC_ADDR_RAND_ALL);
+ /*
+ * Need to remove any pending gas-query radio work before the
+ * gas_query_deinit() call because gas_query::work has not yet been set
+ * for works that have not been started. gas_query_free() will be unable
+ * to cancel such pending radio works and once the pending gas-query
+ * radio work eventually gets removed, the deinit notification call to
+ * gas_query_start_cb() would result in dereferencing freed memory.
+ */
+ if (wpa_s->radio)
+ radio_remove_works(wpa_s, "gas-query", 0);
 gas_query_deinit(wpa_s->gas);
 wpa_s->gas = NULL;