wl1271: Fix scan race condition

In the scan state machine, the wl1271_mutex is unlocked first then relocked,
and then the scan state variables are modified.

This makes it possible for ieee80211_scan_complete to be called twice in some
scenarios, as the scan completion event from the firmware may be processed
while the mutex is unlocked.

To fix the issue, move the ieee80211_scan_complete call last in the function.
This is generally safer, but there still may be issues is functions calling
the scan state machine rely on states checked before the unlocking of the
global mutex.

(forward ported from 2.6.32 -- this is not strictly needed anymore, because
the mutex doesn't need to be unlocked anymore, but I'm applying this change
anyway, so that the call to ieee80211_scan_complete is in the same place)

Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com>
Reviewed-by: Saravanan Dhanabal <ext-saravanan.dhanabal@nokia.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>

drivers/net/wireless/wl12xx/wl1271_main.c

@@ -1015,10 +1015,10 @@ static void wl1271_op_remove_interface(struct ieee80211_hw *hw,
 		ieee80211_enable_dyn_ps(wl->vif);
 
 	if (wl->scan.state != WL1271_SCAN_STATE_IDLE) {
-		ieee80211_scan_completed(wl->hw, true);
 		wl->scan.state = WL1271_SCAN_STATE_IDLE;
 		kfree(wl->scan.scanned_ch);
 		wl->scan.scanned_ch = NULL;
+		ieee80211_scan_completed(wl->hw, true);
 	}
 
 	wl->state = WL1271_STATE_OFF;

drivers/net/wireless/wl12xx/wl1271_scan.c

@@ -215,12 +215,11 @@ void wl1271_scan_stm(struct wl1271 *wl)
 		break;
 
 	case WL1271_SCAN_STATE_DONE:
-		ieee80211_scan_completed(wl->hw, false);
-
 		kfree(wl->scan.scanned_ch);
 		wl->scan.scanned_ch = NULL;
 
 		wl->scan.state = WL1271_SCAN_STATE_IDLE;
+		ieee80211_scan_completed(wl->hw, false);
 		break;
 
 	default: