hostap: Do not free priv until timer handler has actually stopped using it
Function del_timer() does not guarantee that timer was really deleted. If the timer handler is beeing executed at the moment, the function does nothing. So, it's possible to use already freed memory in the handler: [ref: Documentation/DocBook/kernel-locking.tmpl] This was found using grep and compile-tested only. Please, consider applying or something similar to it. Signed-off-by: Kirill Tkhai <ktkhai@parallels.com> CC: Jouni Malinen <j@w1.fi> CC: John W. Linville <linville@tuxdriver.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
parent
d421c62e37
commit
72471c0d31
@ -147,7 +147,7 @@ static void ap_free_sta(struct ap_data *ap, struct sta_info *sta)
|
||||
|
||||
if (!sta->ap && sta->u.sta.challenge)
|
||||
kfree(sta->u.sta.challenge);
|
||||
del_timer(&sta->timer);
|
||||
del_timer_sync(&sta->timer);
|
||||
#endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
|
||||
|
||||
kfree(sta);
|
||||
|
Loading…
Reference in New Issue
Block a user