| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aXjwRsm7NhRpyWJH@JMW-Ubuntu>
Date: Wed, 28 Jan 2026 02:05:10 +0900
From: Minu Jin <s9430939@...er.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: bqn9090@...il.com, dan.carpenter@...aro.org,
abrahamadekunle50@...il.com, straube.linux@...il.com,
bryant.boatright@...ton.me, davidzalman.101@...il.com,
linux-staging@...ts.linux.dev, linux-kernel@...r.kernel.org,
hansg@...nel.org
Subject: Re: [RFC PATCH] staging: rtl8723bs: fix potential race in
expire_timeout_chk
On Tue, Jan 27, 2026 at 03:15:24PM +0100, Greg KH wrote:
> On Tue, Jan 27, 2026 at 10:10:35PM +0900, Minu Jin wrote:
> > The expire_timeout_chk function currently do lock and unlock inside the
> > loop before calling rtw_free_stainfo().
> >
> > This can be risky as the list might be changed
> > when the lock is briefly released.
> >
> > To fix this, move expired sta_info entries into a local free_list while
> > holding the lock, and then perform the actual freeing after the lock is
> > released.
> >
> > Signed-off-by: Minu Jin <s9430939@...er.com>
> > ---
> > Hi,
> >
> > I noticed this lock-unlock pattern in expire_timeout_chk() while
> > studying the code and it looked like a potential race condition.
> >
> > I've refactored the code to use a local list so we can handle the
> > cleanup after releasing the lock. What do you think about this approach?
> >
> > Any feedback is appreciated.
> >
> > drivers/staging/rtl8723bs/core/rtw_ap.c | 19 ++++++++++++-------
> > 1 file changed, 12 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8723bs/core/rtw_ap.c
> > index 67197c7d4a4d..5947f6363ab0 100644
> > --- a/drivers/staging/rtl8723bs/core/rtw_ap.c
> > +++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
> > @@ -179,6 +179,9 @@ void expire_timeout_chk(struct adapter *padapter)
> > u8 chk_alive_num = 0;
> > char chk_alive_list[NUM_STA];
> > int i;
> > + struct list_head free_list;
> > +
> > + INIT_LIST_HEAD(&free_list);
> >
> > spin_lock_bh(&pstapriv->auth_list_lock);
> >
> > @@ -190,19 +193,21 @@ void expire_timeout_chk(struct adapter *padapter)
> > if (psta->expire_to > 0) {
> > psta->expire_to--;
> > if (psta->expire_to == 0) {
> > - list_del_init(&psta->auth_list);
> > + list_move(&psta->auth_list, &free_list);
> > pstapriv->auth_list_cnt--;
> > -
> > - spin_unlock_bh(&pstapriv->auth_list_lock);
> > -
> > - rtw_free_stainfo(padapter, psta);
> > -
> > - spin_lock_bh(&pstapriv->auth_list_lock);
> > }
> > }
> > }
> >
> > spin_unlock_bh(&pstapriv->auth_list_lock);
> > +
> > + /* free free_list */
> > + list_for_each_safe(plist, tmp, &free_list) {
> > + psta = list_entry(plist, struct sta_info, auth_list);
> > + list_del_init(&psta->auth_list);
> > + rtw_free_stainfo(padapter, psta);
> > + }
>
> Looks sane, can you test it to verify it works properly?
>
> thanks,
>
> greg k-h
Hi Greg,
Thanks for the review.
I have verified the patch with Smatch and performed build tests
it does not produce any errors or warnings.
About the runtime test,
I have analyzed the logic as follows:
Within the first loop, expired entries are simply moved to a local free_list.
Since we no longer release and re-acquire the lock inside this loop,
the integrity of the shared auth_list is perfectly preserved while iterating.
The actual cleanup (rtw_free_stainfo) is performed only after all entries
have been isolated into the local list and the lock has been released.
While I don't have the physical hardware to verify this myself,
I noticed that Hans de Goede has a working test environment for this driver.
I've added him to the CC list and would be very grateful
if he or anyone else with the hardware could give this a quick test.
Minu Jin
Powered by blists - more mailing lists