lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2026012704-lard-untimed-c88c@gregkh>
Date: Tue, 27 Jan 2026 15:15:24 +0100
From: Greg KH <gregkh@...uxfoundation.org>
To: Minu Jin <s9430939@...er.com>
Cc: bqn9090@...il.com, dan.carpenter@...aro.org,
	abrahamadekunle50@...il.com, straube.linux@...il.com,
	bryant.boatright@...ton.me, davidzalman.101@...il.com,
	linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH] staging: rtl8723bs: fix potential race in
 expire_timeout_chk

On Tue, Jan 27, 2026 at 10:10:35PM +0900, Minu Jin wrote:
> The expire_timeout_chk function currently do lock and unlock inside the
> loop before calling rtw_free_stainfo().
> 
> This can be risky as the list might be changed
> when the lock is briefly released.
> 
> To fix this, move expired sta_info entries into a local free_list while
> holding the lock, and then perform the actual freeing after the lock is
> released.
> 
> Signed-off-by: Minu Jin <s9430939@...er.com>
> ---
> Hi,
> 
> I noticed this lock-unlock pattern in expire_timeout_chk() while
> studying the code and it looked like a potential race condition.
> 
> I've refactored the code to use a local list so we can handle the
> cleanup after releasing the lock. What do you think about this approach?
> 
> Any feedback is appreciated.
> 
>  drivers/staging/rtl8723bs/core/rtw_ap.c | 19 ++++++++++++-------
>  1 file changed, 12 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8723bs/core/rtw_ap.c
> index 67197c7d4a4d..5947f6363ab0 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_ap.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
> @@ -179,6 +179,9 @@ void expire_timeout_chk(struct adapter *padapter)
>  	u8 chk_alive_num = 0;
>  	char chk_alive_list[NUM_STA];
>  	int i;
> +	struct list_head free_list;
> +
> +	INIT_LIST_HEAD(&free_list);
>  
>  	spin_lock_bh(&pstapriv->auth_list_lock);
>  
> @@ -190,19 +193,21 @@ void expire_timeout_chk(struct adapter *padapter)
>  		if (psta->expire_to > 0) {
>  			psta->expire_to--;
>  			if (psta->expire_to == 0) {
> -				list_del_init(&psta->auth_list);
> +				list_move(&psta->auth_list, &free_list);
>  				pstapriv->auth_list_cnt--;
> -
> -				spin_unlock_bh(&pstapriv->auth_list_lock);
> -
> -				rtw_free_stainfo(padapter, psta);
> -
> -				spin_lock_bh(&pstapriv->auth_list_lock);
>  			}
>  		}
>  	}
>  
>  	spin_unlock_bh(&pstapriv->auth_list_lock);
> +
> +	/* free free_list */
> +	list_for_each_safe(plist, tmp, &free_list) {
> +		psta = list_entry(plist, struct sta_info, auth_list);
> +		list_del_init(&psta->auth_list);
> +		rtw_free_stainfo(padapter, psta);
> +	}

Looks sane, can you test it to verify it works properly?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ