Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

staging: rtl8723bs: fix potential race in expire_timeout_chk

The expire_timeout_chk function currently does lock and unlock inside the
loop before calling rtw_free_stainfo().

This can be risky as the list might be changed
when the lock is briefly released.

To fix this, move expired sta_info entries into a local free_list while
holding the lock, and then perform the actual freeing after the lock is
released.

Signed-off-by: Minu Jin <s9430939@naver.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/20260131171153.3729458-1-s9430939@naver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by Minu Jin and committed by Greg Kroah-Hartman
02df7c63 8ae0398e

+9 -7
drivers/staging/rtl8723bs/core/rtw_ap.c
··· 178 178 struct sta_priv *pstapriv = &padapter->stapriv; 179 179 u8 chk_alive_num = 0; 180 180 char chk_alive_list[NUM_STA]; 181 + struct sta_info *psta_tmp; 182 + LIST_HEAD(free_list); 181 183 int i; 182 184 183 185 spin_lock_bh(&pstapriv->auth_list_lock); ··· 192 190 if (psta->expire_to > 0) { 193 191 psta->expire_to--; 194 192 if (psta->expire_to == 0) { 195 - list_del_init(&psta->auth_list); 193 + list_move(&psta->auth_list, &free_list); 196 194 pstapriv->auth_list_cnt--; 197 - 198 - spin_unlock_bh(&pstapriv->auth_list_lock); 199 - 200 - rtw_free_stainfo(padapter, psta); 201 - 202 - spin_lock_bh(&pstapriv->auth_list_lock); 203 195 } 204 196 } 205 197 } 206 198 207 199 spin_unlock_bh(&pstapriv->auth_list_lock); 200 + 201 + list_for_each_entry_safe(psta, psta_tmp, &free_list, auth_list) { 202 + list_del_init(&psta->auth_list); 203 + rtw_free_stainfo(padapter, psta); 204 + } 205 + 208 206 psta = NULL; 209 207 210 208 spin_lock_bh(&pstapriv->asoc_list_lock);
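
Review bot: In the second hunk, the new list_for_each_entry_safe() loop walks free_list and calls list_del_init(&psta->auth_list) after spin_unlock_bh(&pstapriv->auth_list_lock), so from the unlock until rtw_free_stainfo() runs each expired entry is still linked through psta->auth_list, now onto a stack-local list head. With the old list_del_init() under the lock the node was self-linked at that point, so a second removal of the same node elsewhere would have been harmless. If any other path can still look up one of these sta_info entries and touch its auth_list node under auth_list_lock, it would now be editing free_list while this loop traverses it without the lock. The commit message should state why no such path exists, or the loop should carry a short comment saying that free_list is private to this function and why the list_del_init() is needed before rtw_free_stainfo(). The decrement of pstapriv->auth_list_cnt staying next to the list_move() under the lock looks right.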