From: Dan Carpenter <dan.carpenter@linaro.org>
To: Minu Jin <s9430939@naver.com>
Cc: gregkh@linuxfoundation.org, bqn9090@gmail.com,
abrahamadekunle50@gmail.com, straube.linux@gmail.com,
bryant.boatright@proton.me, davidzalman.101@gmail.com,
linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH] staging: rtl8723bs: fix potential race in expire_timeout_chk
Date: Wed, 28 Jan 2026 14:38:48 +0300 [thread overview]
Message-ID: <aXn1SHbJAwiaqEOZ@stanley.mountain> (raw)
In-Reply-To: <20260127131035.731607-1-s9430939@naver.com>
On Tue, Jan 27, 2026 at 10:10:35PM +0900, Minu Jin wrote:
> The expire_timeout_chk function currently do lock and unlock inside the
> loop before calling rtw_free_stainfo().
>
> This can be risky as the list might be changed
> when the lock is briefly released.
>
> To fix this, move expired sta_info entries into a local free_list while
> holding the lock, and then perform the actual freeing after the lock is
> released.
>
> Signed-off-by: Minu Jin <s9430939@naver.com>
> ---
> Hi,
>
> I noticed this lock-unlock pattern in expire_timeout_chk() while
> studying the code and it looked like a potential race condition.
>
> I've refactored the code to use a local list so we can handle the
> cleanup after releasing the lock. What do you think about this approach?
>
> Any feedback is appreciated.
>
> drivers/staging/rtl8723bs/core/rtw_ap.c | 19 ++++++++++++-------
> 1 file changed, 12 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8723bs/core/rtw_ap.c
> index 67197c7d4a4d..5947f6363ab0 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_ap.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
> @@ -179,6 +179,9 @@ void expire_timeout_chk(struct adapter *padapter)
> u8 chk_alive_num = 0;
> char chk_alive_list[NUM_STA];
> int i;
> + struct list_head free_list;
> +
> + INIT_LIST_HEAD(&free_list);
A couple minor style nits. Use LIST_HEAD(free_list) to do this in the
initializer.
>
> spin_lock_bh(&pstapriv->auth_list_lock);
>
> @@ -190,19 +193,21 @@ void expire_timeout_chk(struct adapter *padapter)
> if (psta->expire_to > 0) {
> psta->expire_to--;
> if (psta->expire_to == 0) {
> - list_del_init(&psta->auth_list);
> + list_move(&psta->auth_list, &free_list);
> pstapriv->auth_list_cnt--;
> -
> - spin_unlock_bh(&pstapriv->auth_list_lock);
> -
> - rtw_free_stainfo(padapter, psta);
> -
> - spin_lock_bh(&pstapriv->auth_list_lock);
> }
> }
> }
>
> spin_unlock_bh(&pstapriv->auth_list_lock);
> +
> + /* free free_list */
Delete this comment. It's obvious.
> + list_for_each_safe(plist, tmp, &free_list) {
Use list_for_each_entry_safe().
regards,
dan carpenter
> + psta = list_entry(plist, struct sta_info, auth_list);
> + list_del_init(&psta->auth_list);
> + rtw_free_stainfo(padapter, psta);
> + }
> +
> psta = NULL;
prev parent reply other threads:[~2026-01-28 11:38 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-27 13:10 [RFC PATCH] staging: rtl8723bs: fix potential race in expire_timeout_chk Minu Jin
2026-01-27 14:15 ` Greg KH
2026-01-27 17:05 ` Minu Jin
2026-01-28 11:38 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aXn1SHbJAwiaqEOZ@stanley.mountain \
--to=dan.carpenter@linaro.org \
--cc=abrahamadekunle50@gmail.com \
--cc=bqn9090@gmail.com \
--cc=bryant.boatright@proton.me \
--cc=davidzalman.101@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=s9430939@naver.com \
--cc=straube.linux@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.