From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Aniket Nagarnaik <aniketn@marvell.com>,
	Amitkumar Karwar <akarwar@marvell.com>,
	Kalle Valo <kvalo@codeaurora.org>
Subject: [PATCH 4.3 069/125] mwifiex: fix NULL pointer dereference during hidden SSID scan
Date: Mon,  7 Dec 2015 10:01:22 -0500
Message-Id: <20151207145755.680752072@linuxfoundation.org>
In-Reply-To: <20151207145752.225938417@linuxfoundation.org>
References: <20151207145752.225938417@linuxfoundation.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

4.3-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Aniket Nagarnaik <aniketn@marvell.com>

commit 17e524b1b60f4390d24a51d9524d1648cf5d1447 upstream.

This NULL pointer dereference is observed during suspend resume
stress test. All pending commands are cancelled when system goes
into suspend state. There a corner case in which host may receive
response for last scan command after this and try to trigger extra
active scan for hidden SSIDs.

The issue is fixed by adding a NULL check to skip that extra scan.

Fixes: 2375fa2b36feaf34 (mwifiex: fix unable to connect hidden SSID..)
Signed-off-by: Aniket Nagarnaik <aniketn@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/mwifiex/scan.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/mwifiex/scan.c
+++ b/drivers/net/wireless/mwifiex/scan.c
@@ -1889,7 +1889,7 @@ mwifiex_active_scan_req_for_passive_chan
 	u8 id = 0;
 	struct mwifiex_user_scan_cfg  *user_scan_cfg;
 
-	if (adapter->active_scan_triggered) {
+	if (adapter->active_scan_triggered || !priv->scan_request) {
 		adapter->active_scan_triggered = false;
 		return 0;
 	}