The scan req of a registered device may have been released, so it should be checked to be valid before comparing it with the current req. Reported-by: syzbot+189dcafc06865d38178d@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://syzkaller.appspot.com/bug?extid=189dcafc06865d38178d Signed-off-by: Lizhi Xu <lizhi.xu@xxxxxxxxxxxxx> --- net/wireless/scan.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index e8a4fe44ec2d..bfd40797e608 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1176,10 +1176,14 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request, struct cfg80211_scan_info *info) { struct cfg80211_scan_info old_info = request->info; + struct cfg80211_scan_request *rdev_req, *rdev_int_req; + + rdev_req = wiphy_to_rdev(request->wiphy)->scan_req; + rdev_int_req = wiphy_to_rdev(request->wiphy)->int_scan_req; trace_cfg80211_scan_done(request, info); - WARN_ON(request != wiphy_to_rdev(request->wiphy)->scan_req && - request != wiphy_to_rdev(request->wiphy)->int_scan_req); + WARN_ON((rdev_req && request != rdev_req) && + (rdev_int_req && request != rdev_int_req)); request->info = *info; -- 2.43.0
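Review bot: The rewritten WARN_ON at the end of the hunk only fires when both rdev_req and rdev_int_req are non-NULL and request differs from both, so a request that matches neither is silently accepted whenever either pointer is NULL, including when both are. The old condition only compared pointer values and never dereferenced scan_req or int_scan_req, so the added NULL checks do not make any access safer. They just narrow when the warning is reported. If the concern is a scan request that has already been released, note that request itself is still dereferenced unconditionally: `old_info = request->info` at the top of the function and `request->wiphy` in the two new assignments. If a completion arriving after scan_req was cleared is an expected state, it would be clearer to handle it explicitly (for example, detect it and return before touching request) and to explain in the commit message why it is legitimate. Otherwise the original warning is reporting a real ordering problem that should be fixed at its source. As a smaller style point, wiphy_to_rdev(request->wiphy) is evaluated twice and could be stored once in a local rdev.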