Commit 72471c0d authored Feb 14, 2014 by Kirill Tkhai Committed by John W. Linville Feb 20, 2014

hostap: Do not free priv until timer handler has actually stopped using it



Function del_timer() does not guarantee that timer was really deleted.
If the timer handler is beeing executed at the moment, the function
does nothing. So, it's possible to use already freed memory in the handler:

[ref: Documentation/DocBook/kernel-locking.tmpl]

This was found using grep and compile-tested only. Please, consider
applying or something similar to it.

Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
CC: Jouni Malinen <j@w1.fi>
CC: John W. Linville <linville@tuxdriver.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

parent d421c62e

drivers/net/wireless/hostap/hostap_ap.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -147,7 +147,7 @@ static void ap_free_sta(struct ap_data ap, struct sta_info sta)

		if (!sta->ap && sta->u.sta.challenge)
		kfree(sta->u.sta.challenge);
		del_timer(&sta->timer);
		del_timer_sync(&sta->timer);
		#endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */

		kfree(sta);