hostap: Do not free priv until timer handler has actually stopped using it

Function del_timer() does not guarantee that timer was really deleted. If the timer handler is beeing executed at the moment, the function does nothing. So, it's possible to use already freed memory in the handler: [ref: Documentation/DocBook/kernel-locking.tmpl] This was found using grep and compile-tested only. Please, consider applying or something similar to it. Signed-off-by: N Kirill Tkhai <ktkhai@parallels.com> CC: Jouni Malinen <j@w1.fi> CC: John W. Linville <linville@tuxdriver.com> Signed-off-by: N John W. Linville <linville@tuxdriver.com>

hostap: Do not free priv until timer handler has actually stopped using it
Function del_timer() does not guarantee that timer was really deleted. If the timer handler is beeing executed at the moment, the function does nothing. So, it's possible to use already freed memory in the handler: [ref: Documentation/DocBook/kernel-locking.tmpl] This was found using grep and compile-tested only. Please, consider applying or something similar to it. Signed-off-by: N Kirill Tkhai <ktkhai@parallels.com> CC: Jouni Malinen <j@w1.fi> CC: John W. Linville <linville@tuxdriver.com> Signed-off-by: N John W. Linville <linville@tuxdriver.com>
72471c0d · Kirill Tkhai · John W. Linville · d421c62e · 72471c0d
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/net/wireless/hostap/hostap_ap.c drivers/net/wireless/hostap/hostap_ap.c +1 -1

未找到文件。
--- a/drivers/net/wireless/hostap/hostap_ap.c
+++ b/drivers/net/wireless/hostap/hostap_ap.c
@@ -147,7 +147,7 @@ static void ap_free_sta(struct ap_data *ap, struct sta_info *sta)

 	if (!sta->ap && sta->u.sta.challenge)
 		kfree(sta->u.sta.challenge);
-	del_timer(&sta->timer);
+	del_timer_sync(&sta->timer);
 #endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */

 	kfree(sta);