Skip to content

Commit

Permalink
hostap: Do not free priv until timer handler has actually stopped usi…
Browse files Browse the repository at this point in the history 
…ng it

Function del_timer() does not guarantee that timer was really deleted.
If the timer handler is beeing executed at the moment, the function
does nothing. So, it's possible to use already freed memory in the handler:

[ref: Documentation/DocBook/kernel-locking.tmpl]

This was found using grep and compile-tested only. Please, consider
applying or something similar to it.

Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
CC: Jouni Malinen <j@w1.fi>
CC: John W. Linville <linville@tuxdriver.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
  • Loading branch information
Kirill Tkhai authored and John W. Linville committed Feb 20, 2014
1 parent d421c62 commit 72471c0
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/net/wireless/hostap/hostap_ap.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -147,7 +147,7 @@ static void ap_free_sta(struct ap_data *ap, struct sta_info *sta)

if (!sta->ap && sta->u.sta.challenge)
kfree(sta->u.sta.challenge);
del_timer(&sta->timer);
del_timer_sync(&sta->timer);
#endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */

kfree(sta);
Expand Down

0 comments on commit 72471c0

Please sign in to comment.