On Wed, 2022-02-02 at 16:05 +0300, Dan Carpenter wrote: > This code needs to use skb_queue_walk_safe() instead of skb_queue_walk() > because it frees the list iterator. > > Fixes: d95984b5580d ("rtw88: fix memory overrun and memory leak during hw_scan") > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > --- > drivers/net/wireless/realtek/rtw88/fw.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c > index ce9535cce723..2de0bb67bac6 100644 > --- a/drivers/net/wireless/realtek/rtw88/fw.c > +++ b/drivers/net/wireless/realtek/rtw88/fw.c > @@ -1864,7 +1864,7 @@ static int rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev, > { > struct cfg80211_scan_request *req = rtwvif->scan_req; > struct sk_buff_head list; > - struct sk_buff *skb; > + struct sk_buff *skb, *tmp; > u8 num = req->n_ssids, i, bands = 0; > int ret; > > @@ -1889,7 +1889,7 @@ static int rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev, > return _rtw_hw_scan_update_probe_req(rtwdev, num * bands, &list); > > out: > - skb_queue_walk(&list, skb) > + skb_queue_walk_safe(&list, skb, tmp) > kfree_skb(skb); > > return ret; Oops, when I reivewed the patch "rtw88: fix memory overrun and memory leak during hw_scan", I did only focus on pointers of list head, but forget skb is freed that leads use after free. Could I have related fix with this patch? --- a/drivers/net/wireless/realtek/rtw88/fw.c +++ b/drivers/net/wireless/realtek/rtw88/fw.c @@ -1853,7 +1853,7 @@ static int _rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev, u8 num_probes, rtwdev->scan_info.probe_pg_size = page_offset; out: kfree(buf); - skb_queue_walk(probe_req_list, skb) + skb_queue_walk_safe(probe_req_list, skb, tmp) kfree_skb(skb); return ret; -- Ping-Ke