From: Minu Jin <s9430939@naver.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: bqn9090@gmail.com, dan.carpenter@linaro.org,
abrahamadekunle50@gmail.com, straube.linux@gmail.com,
bryant.boatright@proton.me, davidzalman.101@gmail.com,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org,
hansg@kernel.org
Subject: Re: [RFC PATCH] staging: rtl8723bs: fix potential race in expire_timeout_chk
Date: Wed, 28 Jan 2026 02:05:10 +0900 [thread overview]
Message-ID: <aXjwRsm7NhRpyWJH@JMW-Ubuntu> (raw)
In-Reply-To: <2026012704-lard-untimed-c88c@gregkh>
On Tue, Jan 27, 2026 at 03:15:24PM +0100, Greg KH wrote:
> On Tue, Jan 27, 2026 at 10:10:35PM +0900, Minu Jin wrote:
> > The expire_timeout_chk function currently does lock and unlock inside the
> > loop before calling rtw_free_stainfo().
> >
> > This can be risky as the list might be changed
> > when the lock is briefly released.
> >
> > To fix this, move expired sta_info entries into a local free_list while
> > holding the lock, and then perform the actual freeing after the lock is
> > released.
> >
> > Signed-off-by: Minu Jin <s9430939@naver.com>
> > ---
> > Hi,
> >
> > I noticed this lock-unlock pattern in expire_timeout_chk() while
> > studying the code and it looked like a potential race condition.
> >
> > I've refactored the code to use a local list so we can handle the
> > cleanup after releasing the lock. What do you think about this approach?
> >
> > Any feedback is appreciated.
> >
> > drivers/staging/rtl8723bs/core/rtw_ap.c | 19 ++++++++++++-------
> > 1 file changed, 12 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8723bs/core/rtw_ap.c
> > index 67197c7d4a4d..5947f6363ab0 100644
> > --- a/drivers/staging/rtl8723bs/core/rtw_ap.c
> > +++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
> > @@ -179,6 +179,9 @@ void expire_timeout_chk(struct adapter *padapter)
> > u8 chk_alive_num = 0;
> > char chk_alive_list[NUM_STA];
> > int i;
> > + struct list_head free_list;
> > +
> > + INIT_LIST_HEAD(&free_list);
> >
> > spin_lock_bh(&pstapriv->auth_list_lock);
> >
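Review bot: the new declaration plus the separate `INIT_LIST_HEAD(&free_list);` two lines later can be collapsed into the kernel's own `LIST_HEAD(free_list);`, which declares and initialises the head in one statement and removes the extra blank line and init call from the top of the function; keeping the head's lifetime local to expire_timeout_chk() is the right choice here, since nothing outside the function should ever see entries parked on it.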
> > @@ -190,19 +193,21 @@ void expire_timeout_chk(struct adapter *padapter)
> > if (psta->expire_to > 0) {
> > psta->expire_to--;
> > if (psta->expire_to == 0) {
> > - list_del_init(&psta->auth_list);
> > + list_move(&psta->auth_list, &free_list);
> > pstapriv->auth_list_cnt--;
> > -
> > - spin_unlock_bh(&pstapriv->auth_list_lock);
> > -
> > - rtw_free_stainfo(padapter, psta);
> > -
> > - spin_lock_bh(&pstapriv->auth_list_lock);
> > }
> > }
> > }
> >
> > spin_unlock_bh(&pstapriv->auth_list_lock);
> > +
> > + /* free free_list */
> > + list_for_each_safe(plist, tmp, &free_list) {
> > + psta = list_entry(plist, struct sta_info, auth_list);
> > + list_del_init(&psta->auth_list);
> > + rtw_free_stainfo(padapter, psta);
> > + }
>
> Looks sane, can you test it to verify it works properly?
>
> thanks,
>
> greg k-h
Hi Greg,
Thanks for the review.
I have verified the patch with Smatch and performed build tests;
it does not produce any errors or warnings.
About the runtime test,
I have analyzed the logic as follows:
Within the first loop, expired entries are simply moved to a local free_list.
Since we no longer release and re-acquire the lock inside this loop,
the integrity of the shared auth_list is perfectly preserved while iterating.
The actual cleanup (rtw_free_stainfo) is performed only after all entries
have been isolated into the local list and the lock has been released.
While I don't have the physical hardware to verify this myself,
I noticed that Hans de Goede has a working test environment for this driver.
I've added him to the CC list and would be very grateful
if he or anyone else with the hardware could give this a quick test.
Minu Jin