* [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()
@ 2026-04-20 4:27 Yuho Choi
2026-04-20 8:27 ` Andy Shevchenko
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Yuho Choi @ 2026-04-20 4:27 UTC (permalink / raw)
To: Greg Kroah-Hartman, linux-staging
Cc: Hans de Goede, Michael Straube, Andy Shevchenko, Minu Jin,
Omer El Idrissi, William Hansen-Baird, Ethan Tidmore, Ingo Molnar,
linux-kernel, Myeonghun Pak, Ijae Kim, Taegyu Kim, Yuho Choi
recv_func_posthandle() saved the original recv_frame pointer before
calling recvframe_chk_defrag().
On the last-fragment reassembly path, recvframe_chk_defrag() may return
the first fragment as the new frame while freeing the original
last-fragment frame when draining the defrag queue.
If process_recv_indicatepkts() then fails, recv_func_posthandle() frees
the saved pre-defrag pointer again, which can result in a stale pointer
free.
Free the current recv_frame on the failure path instead of the saved
pre-defrag pointer.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Co-developed-by: Myeonghun Pak <mhun512@gmail.com>
Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
Co-developed-by: Ijae Kim <ae878000@gmail.com>
Signed-off-by: Ijae Kim <ae878000@gmail.com>
Co-developed-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Taegyu Kim <tmk5904@psu.edu>
Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_recv.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_recv.c b/drivers/staging/rtl8723bs/core/rtw_recv.c
index 337671b1211f0..a404b6fc97723 100644
--- a/drivers/staging/rtl8723bs/core/rtw_recv.c
+++ b/drivers/staging/rtl8723bs/core/rtw_recv.c
@@ -2139,7 +2139,6 @@ static int recv_func_prehandle(struct adapter *padapter, union recv_frame *rfram
static int recv_func_posthandle(struct adapter *padapter, union recv_frame *prframe)
{
int ret = _SUCCESS;
- union recv_frame *orig_prframe = prframe;
struct recv_priv *precvpriv = &padapter->recvpriv;
struct __queue *pfree_recv_queue = &padapter->recvpriv.free_recv_queue;
@@ -2163,7 +2162,7 @@ static int recv_func_posthandle(struct adapter *padapter, union recv_frame *prfr
ret = process_recv_indicatepkts(padapter, prframe);
if (ret != _SUCCESS) {
- rtw_free_recvframe(orig_prframe, pfree_recv_queue);/* free this recv_frame */
+ rtw_free_recvframe(prframe, pfree_recv_queue);/* free this recv_frame */
goto _recv_data_drop;
}
--
2.50.1 (Apple Git-155)
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()
2026-04-20 4:27 [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle() Yuho Choi
@ 2026-04-20 8:27 ` Andy Shevchenko
2026-04-20 10:05 ` Greg Kroah-Hartman
2026-04-20 14:20 ` Dan Carpenter
2 siblings, 0 replies; 4+ messages in thread
From: Andy Shevchenko @ 2026-04-20 8:27 UTC (permalink / raw)
To: Yuho Choi
Cc: Greg Kroah-Hartman, linux-staging, Hans de Goede, Michael Straube,
Minu Jin, Omer El Idrissi, William Hansen-Baird, Ethan Tidmore,
Ingo Molnar, linux-kernel, Myeonghun Pak, Ijae Kim, Taegyu Kim
On Mon, Apr 20, 2026 at 12:27:34AM -0400, Yuho Choi wrote:
> recv_func_posthandle() saved the original recv_frame pointer before
> calling recvframe_chk_defrag().
>
> On the last-fragment reassembly path, recvframe_chk_defrag() may return
> the first fragment as the new frame while freeing the original
> last-fragment frame when draining the defrag queue.
>
> If process_recv_indicatepkts() then fails, recv_func_posthandle() frees
> the saved pre-defrag pointer again, which can result in a stale pointer
> free.
>
> Free the current recv_frame on the failure path instead of the saved
> pre-defrag pointer.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Co-developed-by: Myeonghun Pak <mhun512@gmail.com>
> Signed-off-by: Myeonghun Pak <mhun512@gmail.com>
> Co-developed-by: Ijae Kim <ae878000@gmail.com>
> Signed-off-by: Ijae Kim <ae878000@gmail.com>
> Co-developed-by: Taegyu Kim <tmk5904@psu.edu>
> Signed-off-by: Taegyu Kim <tmk5904@psu.edu>
Same. Are you, folks, doing some AI/static analyser tool?
> Signed-off-by: Yuho Choi <dbgh9129@gmail.com>
--
With Best Regards,
Andy Shevchenko
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()
2026-04-20 4:27 [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle() Yuho Choi
2026-04-20 8:27 ` Andy Shevchenko
@ 2026-04-20 10:05 ` Greg Kroah-Hartman
2026-04-20 14:20 ` Dan Carpenter
2 siblings, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2026-04-20 10:05 UTC (permalink / raw)
To: Yuho Choi
Cc: linux-staging, Hans de Goede, Michael Straube, Andy Shevchenko,
Minu Jin, Omer El Idrissi, William Hansen-Baird, Ethan Tidmore,
Ingo Molnar, linux-kernel, Myeonghun Pak, Ijae Kim, Taegyu Kim
On Mon, Apr 20, 2026 at 12:27:34AM -0400, Yuho Choi wrote:
> recv_func_posthandle() saved the original recv_frame pointer before
> calling recvframe_chk_defrag().
>
> On the last-fragment reassembly path, recvframe_chk_defrag() may return
> the first fragment as the new frame while freeing the original
> last-fragment frame when draining the defrag queue.
>
> If process_recv_indicatepkts() then fails, recv_func_posthandle() frees
> the saved pre-defrag pointer again, which can result in a stale pointer
> free.
>
> Free the current recv_frame on the failure path instead of the saved
> pre-defrag pointer.
Can you cause this to happen in any way? Given the age of this code,
and the crazy paths here, I'm loath to change this without lots of
testing with a real device, have you done so?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()
2026-04-20 4:27 [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle() Yuho Choi
2026-04-20 8:27 ` Andy Shevchenko
2026-04-20 10:05 ` Greg Kroah-Hartman
@ 2026-04-20 14:20 ` Dan Carpenter
2 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2026-04-20 14:20 UTC (permalink / raw)
To: Yuho Choi
Cc: Greg Kroah-Hartman, linux-staging, Hans de Goede, Michael Straube,
Andy Shevchenko, Minu Jin, Omer El Idrissi, William Hansen-Baird,
Ethan Tidmore, Ingo Molnar, linux-kernel, Myeonghun Pak, Ijae Kim,
Taegyu Kim
On Mon, Apr 20, 2026 at 12:27:34AM -0400, Yuho Choi wrote:
> recv_func_posthandle() saved the original recv_frame pointer before
> calling recvframe_chk_defrag().
>
> On the last-fragment reassembly path, recvframe_chk_defrag() may return
> the first fragment as the new frame while freeing the original
> last-fragment frame when draining the defrag queue.
>
> If process_recv_indicatepkts() then fails, recv_func_posthandle() frees
> the saved pre-defrag pointer again, which can result in a stale pointer
> free.
You seem to be saying that process_recv_indicatepkts() frees
orig_prframe. And, sure, that's true. But then it returns NULL and we
goto _recv_data_drop so we don't hit this path.
This seems like a false positive.
regards,
dan carpenter
>
> Free the current recv_frame on the failure path instead of the saved
> pre-defrag pointer.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-20 14:20 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-20 4:27 [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle() Yuho Choi
2026-04-20 8:27 ` Andy Shevchenko
2026-04-20 10:05 ` Greg Kroah-Hartman
2026-04-20 14:20 ` Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox