Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()

Next message: Krzysztof Kozlowski: "Re: [PATCH] dt-bindings: crypto: qcom,inline-crypto-engine: Document Nord ICE"
Previous message: Andy Shevchenko: "Re: [PATCH v1] staging: rtl8723bs: remove shadowed bDumpRxPkt declaration"
In reply to: Yuho Choi: "[PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Mon Apr 20 2026 - 04:31:40 EST

On Mon, Apr 20, 2026 at 12:27:34AM -0400, Yuho Choi wrote:
> recv_func_posthandle() saved the original recv_frame pointer before
> calling recvframe_chk_defrag().
>
> On the last-fragment reassembly path, recvframe_chk_defrag() may return
> the first fragment as the new frame while freeing the original
> last-fragment frame when draining the defrag queue.
>
> If process_recv_indicatepkts() then fails, recv_func_posthandle() frees
> the saved pre-defrag pointer again, which can result in a stale pointer
> free.
>
> Free the current recv_frame on the failure path instead of the saved
> pre-defrag pointer.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
> Co-developed-by: Myeonghun Pak <mhun512@xxxxxxxxx>
> Signed-off-by: Myeonghun Pak <mhun512@xxxxxxxxx>
> Co-developed-by: Ijae Kim <ae878000@xxxxxxxxx>
> Signed-off-by: Ijae Kim <ae878000@xxxxxxxxx>
> Co-developed-by: Taegyu Kim <tmk5904@xxxxxxx>
> Signed-off-by: Taegyu Kim <tmk5904@xxxxxxx>

Same. Are you, folks, doing some AI/static analyser tool?

> Signed-off-by: Yuho Choi <dbgh9129@xxxxxxxxx>

--
With Best Regards,
Andy Shevchenko