From 2cd95027786caec7f2d81dfd11c7e0cd418d497a Mon Sep 17 00:00:00 2001 From: Andriy Voskoboinyk Date: Tue, 19 Apr 2016 20:19:21 +0000 Subject: [PATCH] net80211: do not reschedule scan_curchan_task() if the scan was canceled. This should fix possible use-after-free in the scheduled task. PR: 208605 --- sys/net80211/ieee80211_scan_sw.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sys/net80211/ieee80211_scan_sw.c b/sys/net80211/ieee80211_scan_sw.c index 58759805ade..6c9bcdbfa84 100644 --- a/sys/net80211/ieee80211_scan_sw.c +++ b/sys/net80211/ieee80211_scan_sw.c @@ -736,8 +736,11 @@ end: /* clear mindwell lock and initial channel change flush */ ss_priv->ss_iflags &= ~ISCAN_REP; - if (ss_priv->ss_iflags & (ISCAN_CANCEL|ISCAN_ABORT)) + if (ss_priv->ss_iflags & (ISCAN_CANCEL|ISCAN_ABORT)) { + taskqueue_cancel_timeout(ic->ic_tq, &ss_priv->ss_scan_curchan, + NULL); goto end; + } IEEE80211_DPRINTF(ss->ss_vap, IEEE80211_MSG_SCAN, "%s: waiting\n", __func__);