Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()

Next message: pshete: "[PATCH v2 1/6] pinctrl: tegra: Export tegra_pinctrl_probe()"
Previous message: Shawn Guo: "[PATCH 2/2] scsi: ufs: dt-bindings: Add compatible for SA8797P UFS Host Controller"
In reply to: Andy Shevchenko: "Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()"
Next in thread: Dan Carpenter: "Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg Kroah-Hartman

Date: Mon Apr 20 2026 - 06:05:53 EST

On Mon, Apr 20, 2026 at 12:27:34AM -0400, Yuho Choi wrote:
> recv_func_posthandle() saved the original recv_frame pointer before
> calling recvframe_chk_defrag().
>
> On the last-fragment reassembly path, recvframe_chk_defrag() may return
> the first fragment as the new frame while freeing the original
> last-fragment frame when draining the defrag queue.
>
> If process_recv_indicatepkts() then fails, recv_func_posthandle() frees
> the saved pre-defrag pointer again, which can result in a stale pointer
> free.
>
> Free the current recv_frame on the failure path instead of the saved
> pre-defrag pointer.

Can you cause this to happen in any way? Given the age of this code,
and the crazy paths here, I'm loath to change this without lots of
testing with a real device, have you done so?

thanks,

greg k-h