* [bug report] rtlwifi: Fill ap_num field by driver
@ 2017-07-06 11:50 Dan Carpenter
0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2017-07-06 11:50 UTC (permalink / raw)
To: pkshih; +Cc: linux-wireless
Hello Ping-Ke Shih,
The patch c76ab8e75442: "rtlwifi: Fill ap_num field by driver" from
Jun 21, 2017, leads to the following static checker warning:
drivers/net/wireless/realtek/rtlwifi/base.c:1741 rtl_scan_list_expire()
error: dereferencing freed memory 'entry'
drivers/net/wireless/realtek/rtlwifi/base.c
1724 void rtl_scan_list_expire(struct ieee80211_hw *hw)
1725 {
1726 struct rtl_priv *rtlpriv = rtl_priv(hw);
1727 struct rtl_bssid_entry *entry, *next;
1728 unsigned long flags;
1729
1730 spin_lock_irqsave(&rtlpriv->locks.scan_list_lock, flags);
1731
1732 list_for_each_entry_safe(entry, next, &rtlpriv->scan_list.list, list) {
1733 /* 180 seconds */
1734 if (jiffies_to_msecs(jiffies - entry->age) < 180000)
1735 continue;
1736
1737 list_del(&entry->list);
1738 kfree(entry);
^^^^^
Freed.
1739 rtlpriv->scan_list.num--;
1740
1741 RT_TRACE(rtlpriv, COMP_SCAN, DBG_LOUD,
1742 "BSSID=%pM is expire in scan list (total=%d)\n",
1743 entry->bssid, rtlpriv->scan_list.num);
^^^^^^^^^^^^
Dereferenced.
1744 }
regards,
dan carpenter
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2017-07-06 11:51 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-06 11:50 [bug report] rtlwifi: Fill ap_num field by driver Dan Carpenter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).