Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()

Next message: Mark Brown: "Re: [PATCH v3 1/7] dt-bindings: spi: qcom,spi-qcom-qspi: Add qcom,qcs615-qspi compatible"
Previous message: Leon Hwang: "[PATCH bpf-next v12 7/8] libbpf: Add syscall common attributes support for map_create"
In reply to: Greg Kroah-Hartman: "Re: [PATCH v1] staging: rtl8723bs: fix stale recv_frame free in recv_func_posthandle()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dan Carpenter

Date: Mon Apr 20 2026 - 12:46:59 EST

On Mon, Apr 20, 2026 at 12:27:34AM -0400, Yuho Choi wrote:
> recv_func_posthandle() saved the original recv_frame pointer before
> calling recvframe_chk_defrag().
>
> On the last-fragment reassembly path, recvframe_chk_defrag() may return
> the first fragment as the new frame while freeing the original
> last-fragment frame when draining the defrag queue.
>
> If process_recv_indicatepkts() then fails, recv_func_posthandle() frees
> the saved pre-defrag pointer again, which can result in a stale pointer
> free.

You seem to be saying that process_recv_indicatepkts() frees
orig_prframe. And, sure, that's true. But then it returns NULL and we
goto _recv_data_drop so we don't hit this path.

This seems like a false positive.

regards,
dan carpenter

>
> Free the current recv_frame on the failure path instead of the saved
> pre-defrag pointer.
>
> Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")