hostap: Do not free priv until timer handler has actually stopped using it

Function del_timer() does not guarantee that timer was really deleted.
If the timer handler is beeing executed at the moment, the function
does nothing. So, it's possible to use already freed memory in the handler:

[ref: Documentation/DocBook/kernel-locking.tmpl]

This was found using grep and compile-tested only. Please, consider
applying or something similar to it.

Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
CC: Jouni Malinen <j@w1.fi>
CC: John W. Linville <linville@tuxdriver.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This commit is contained in:
Kirill Tkhai 2014-02-14 16:17:49 +04:00 committed by John W. Linville
parent d421c62e37
commit 72471c0d31
1 changed files with 1 additions and 1 deletions

View File

@ -147,7 +147,7 @@ static void ap_free_sta(struct ap_data *ap, struct sta_info *sta)
if (!sta->ap && sta->u.sta.challenge)
kfree(sta->u.sta.challenge);
del_timer(&sta->timer);
del_timer_sync(&sta->timer);
#endif /* PRISM2_NO_KERNEL_IEEE80211_MGMT */
kfree(sta);