[PATCH v4] staging: rtl8723bs: fix potential race in expire_timeout_chk

[PATCH v4] staging: rtl8723bs: fix potential race in expire_timeout_chk

[Minu Jin]

The expire_timeout_chk function currently do lock and unlock inside the
loop before calling rtw_free_stainfo().

This can be risky as the list might be changed
when the lock is briefly released.

To fix this, move expired sta_info entries into a local free_list while
holding the lock, and then perform the actual freeing after the lock is
released.

Signed-off-by: Minu Jin <s9430939@naver.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
---
Changes in v4:
    - Add Reviewed-by tag from Dan Carpenter

Changes in v3:
    Suggested-by Dan Carpenter
    - Use list_for_each_entry_safe() only for the new code.
    - Remove blank line in the declaration block.
    - Keep existing code unchanged

Changes in v2:
    - Use LIST_HEAD for init list (suggested by Dan Carpenter)
    - Replace list_for_each_safe with list_for_each_entry_safe
    - Clean up unused variable 'plist' and fix type of 'tmp' iterator.
    - Remove redundant "free free_list" comment.

 drivers/staging/rtl8723bs/core/rtw_ap.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_ap.c b/drivers/staging/rtl8723bs/core/rtw_ap.c
index 67197c7d4a4d..2ee7cc0ebaf6 100644
--- a/drivers/staging/rtl8723bs/core/rtw_ap.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ap.c
@@ -178,6 +178,8 @@ void expire_timeout_chk(struct adapter *padapter)
 	struct sta_priv *pstapriv = &padapter->stapriv;
 	u8 chk_alive_num = 0;
 	char chk_alive_list[NUM_STA];
+	struct sta_info *psta_tmp;
+	LIST_HEAD(free_list);
 	int i;
 
 	spin_lock_bh(&pstapriv->auth_list_lock);
@@ -190,19 +192,19 @@ void expire_timeout_chk(struct adapter *padapter)
 		if (psta->expire_to > 0) {
 			psta->expire_to--;
 			if (psta->expire_to == 0) {
-				list_del_init(&psta->auth_list);
+				list_move(&psta->auth_list, &free_list);
 				pstapriv->auth_list_cnt--;
-
-				spin_unlock_bh(&pstapriv->auth_list_lock);
-
-				rtw_free_stainfo(padapter, psta);
-
-				spin_lock_bh(&pstapriv->auth_list_lock);
 			}
 		}
 	}
 
 	spin_unlock_bh(&pstapriv->auth_list_lock);
+
+	list_for_each_entry_safe(psta, psta_tmp, &free_list, auth_list) {
+		list_del_init(&psta->auth_list);
+		rtw_free_stainfo(padapter, psta);
+	}
+
 	psta = NULL;
 
 	spin_lock_bh(&pstapriv->asoc_list_lock);
-- 
2.43.0

Re: [PATCH v4] staging: rtl8723bs: fix potential race in expire_timeout_chk

[Dan Carpenter]

On Sun, Feb 01, 2026 at 02:11:53AM +0900, Minu Jin wrote:
> The expire_timeout_chk function currently do lock and unlock inside the
> loop before calling rtw_free_stainfo().
> 
> This can be risky as the list might be changed
> when the lock is briefly released.
> 
> To fix this, move expired sta_info entries into a local free_list while
> holding the lock, and then perform the actual freeing after the lock is
> released.
> 
> Signed-off-by: Minu Jin <s9430939@naver.com>
> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> Changes in v4:
>     - Add Reviewed-by tag from Dan Carpenter

No, you don't need to do that.  Greg's scripts adds the tags.  Only add
tags if you need to send another version for a different reason.

Not a big deal, but now you know for next time.

regards,
dan carpenter

Re: [PATCH v4] staging: rtl8723bs: fix potential race in expire_timeout_chk

[Greg KH]

On Sun, Feb 01, 2026 at 02:11:53AM +0900, Minu Jin wrote:
> The expire_timeout_chk function currently do lock and unlock inside the
> loop before calling rtw_free_stainfo().
> 
> This can be risky as the list might be changed
> when the lock is briefly released.
> 
> To fix this, move expired sta_info entries into a local free_list while
> holding the lock, and then perform the actual freeing after the lock is
> released.
> 
> Signed-off-by: Minu Jin <s9430939@naver.com>
> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> Changes in v4:
>     - Add Reviewed-by tag from Dan Carpenter

You never have to do this.  Our tools pick that up, and this just moves
you further down the review queue as it's a new submission :(

thanks,

greg k-h

Re: [PATCH v4] staging: rtl8723bs: fix potential race in expire_timeout_chk

[Greg KH]

On Sun, Feb 01, 2026 at 02:11:53AM +0900, Minu Jin wrote:
> The expire_timeout_chk function currently do lock and unlock inside the
> loop before calling rtw_free_stainfo().
> 
> This can be risky as the list might be changed
> when the lock is briefly released.
> 
> To fix this, move expired sta_info entries into a local free_list while
> holding the lock, and then perform the actual freeing after the lock is
> released.
> 
> Signed-off-by: Minu Jin <s9430939@naver.com>
> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> Changes in v4:
>     - Add Reviewed-by tag from Dan Carpenter

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- Your patch did not apply to any known trees that Greg is in control
  of.  Possibly this is because you made it against Linus's tree, not
  the linux-next tree, which is where all of the development for the
  next version of the kernel is at.  Please refresh your patch against
  the linux-next tree, or even better yet, the development tree
  specified in the MAINTAINERS file for the subsystem you are submitting
  a patch for, and resend it.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot