From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Zong-Zhe Yang <kevin_yang@realtek.com>,
Fedor Pchelkin <pchelkin@ispras.ru>,
Ping-Ke Shih <pkshih@realtek.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.12 01/35] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()
Date: Fri, 10 Oct 2025 15:16:03 +0200 [thread overview]
Message-ID: <20251010131331.842424641@linuxfoundation.org> (raw)
In-Reply-To: <20251010131331.785281312@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit 3e31a6bc07312b448fad3b45de578471f86f0e77 ]
There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to
access already freed skb_data:
BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025
Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]
Use-after-free write at 0x0000000020309d9d (in kfence-#251):
rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141
rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
process_one_work kernel/workqueue.c:3241
worker_thread kernel/workqueue.c:3400
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258
kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache
allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):
__alloc_skb net/core/skbuff.c:659
__netdev_alloc_skb net/core/skbuff.c:734
ieee80211_nullfunc_get net/mac80211/tx.c:5844
rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431
rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194
rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
process_one_work kernel/workqueue.c:3241
worker_thread kernel/workqueue.c:3400
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258
freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):
ieee80211_tx_status_skb net/mac80211/status.c:1117
rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564
rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651
rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676
rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238
__napi_poll net/core/dev.c:7495
net_rx_action net/core/dev.c:7557 net/core/dev.c:7684
handle_softirqs kernel/softirq.c:580
do_softirq.part.0 kernel/softirq.c:480
__local_bh_enable_ip kernel/softirq.c:407
rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927
irq_thread_fn kernel/irq/manage.c:1133
irq_thread kernel/irq/manage.c:1257
kthread kernel/kthread.c:463
ret_from_fork arch/x86/kernel/process.c:154
ret_from_fork_asm arch/x86/entry/entry_64.S:258
It is a consequence of a race between the waiting and the signaling side
of the completion:
Waiting thread Completing thread
rtw89_core_tx_kick_off_and_wait()
rcu_assign_pointer(skb_data->wait, wait)
/* start waiting */
wait_for_completion_timeout()
rtw89_pci_tx_status()
rtw89_core_tx_wait_complete()
rcu_read_lock()
/* signals completion and
* proceeds further
*/
complete(&wait->completion)
rcu_read_unlock()
...
/* frees skb_data */
ieee80211_tx_status_ni()
/* returns (exit status doesn't matter) */
wait_for_completion_timeout()
...
/* accesses the already freed skb_data */
rcu_assign_pointer(skb_data->wait, NULL)
The completing side might proceed and free the underlying skb even before
the waiting side is fully awoken and run to execution. Actually the race
happens regardless of wait_for_completion_timeout() exit status, e.g.
the waiting side may hit a timeout and the concurrent completing side is
still able to free the skb.
Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the
driver. They don't come from core ieee80211 stack so no need to pass them
to ieee80211_tx_status_ni() on completing side.
Introduce a work function which will act as a garbage collector for
rtw89_tx_wait_info objects and the associated skbs. Thus no potentially
heavy locks are required on the completing side.
Found by Linux Verification Center (linuxtesting.org).
Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs")
Cc: stable@vger.kernel.org
Suggested-by: Zong-Zhe Yang <kevin_yang@realtek.com>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250919210852.823912-2-pchelkin@ispras.ru
[ added wiphy variable declarations ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtw89/core.c | 31 +++++++++++++++++++++-----
drivers/net/wireless/realtek/rtw89/core.h | 35 ++++++++++++++++++++++++++++--
drivers/net/wireless/realtek/rtw89/pci.c | 3 +-
drivers/net/wireless/realtek/rtw89/ser.c | 3 ++
4 files changed, 63 insertions(+), 9 deletions(-)
--- a/drivers/net/wireless/realtek/rtw89/core.c
+++ b/drivers/net/wireless/realtek/rtw89/core.c
@@ -960,6 +960,14 @@ rtw89_core_tx_update_desc_info(struct rt
}
}
+static void rtw89_tx_wait_work(struct wiphy *wiphy, struct wiphy_work *work)
+{
+ struct rtw89_dev *rtwdev = container_of(work, struct rtw89_dev,
+ tx_wait_work.work);
+
+ rtw89_tx_wait_list_clear(rtwdev);
+}
+
void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel)
{
u8 ch_dma;
@@ -977,6 +985,8 @@ int rtw89_core_tx_kick_off_and_wait(stru
unsigned long time_left;
int ret = 0;
+ lockdep_assert_wiphy(rtwdev->hw->wiphy);
+
wait = kzalloc(sizeof(*wait), GFP_KERNEL);
if (!wait) {
rtw89_core_tx_kick_off(rtwdev, qsel);
@@ -984,18 +994,23 @@ int rtw89_core_tx_kick_off_and_wait(stru
}
init_completion(&wait->completion);
+ wait->skb = skb;
rcu_assign_pointer(skb_data->wait, wait);
rtw89_core_tx_kick_off(rtwdev, qsel);
time_left = wait_for_completion_timeout(&wait->completion,
msecs_to_jiffies(timeout));
- if (time_left == 0)
- ret = -ETIMEDOUT;
- else if (!wait->tx_done)
- ret = -EAGAIN;
- rcu_assign_pointer(skb_data->wait, NULL);
- kfree_rcu(wait, rcu_head);
+ if (time_left == 0) {
+ ret = -ETIMEDOUT;
+ list_add_tail(&wait->list, &rtwdev->tx_waits);
+ wiphy_delayed_work_queue(rtwdev->hw->wiphy, &rtwdev->tx_wait_work,
+ RTW89_TX_WAIT_WORK_TIMEOUT);
+ } else {
+ if (!wait->tx_done)
+ ret = -EAGAIN;
+ rtw89_tx_wait_release(wait);
+ }
return ret;
}
@@ -4419,6 +4434,7 @@ int rtw89_core_start(struct rtw89_dev *r
void rtw89_core_stop(struct rtw89_dev *rtwdev)
{
struct rtw89_btc *btc = &rtwdev->btc;
+ struct wiphy *wiphy = rtwdev->hw->wiphy;
/* Prvent to stop twice; enter_ips and ops_stop */
if (!test_bit(RTW89_FLAG_RUNNING, rtwdev->flags))
@@ -4437,6 +4453,7 @@ void rtw89_core_stop(struct rtw89_dev *r
cancel_work_sync(&btc->dhcp_notify_work);
cancel_work_sync(&btc->icmp_notify_work);
cancel_delayed_work_sync(&rtwdev->txq_reinvoke_work);
+ wiphy_delayed_work_cancel(wiphy, &rtwdev->tx_wait_work);
cancel_delayed_work_sync(&rtwdev->track_work);
cancel_delayed_work_sync(&rtwdev->chanctx_work);
cancel_delayed_work_sync(&rtwdev->coex_act1_work);
@@ -4657,6 +4674,7 @@ int rtw89_core_init(struct rtw89_dev *rt
continue;
INIT_LIST_HEAD(&rtwdev->scan_info.pkt_list[band]);
}
+ INIT_LIST_HEAD(&rtwdev->tx_waits);
INIT_WORK(&rtwdev->ba_work, rtw89_core_ba_work);
INIT_WORK(&rtwdev->txq_work, rtw89_core_txq_work);
INIT_DELAYED_WORK(&rtwdev->txq_reinvoke_work, rtw89_core_txq_reinvoke_work);
@@ -4666,6 +4684,7 @@ int rtw89_core_init(struct rtw89_dev *rt
INIT_DELAYED_WORK(&rtwdev->coex_bt_devinfo_work, rtw89_coex_bt_devinfo_work);
INIT_DELAYED_WORK(&rtwdev->coex_rfk_chk_work, rtw89_coex_rfk_chk_work);
INIT_DELAYED_WORK(&rtwdev->cfo_track_work, rtw89_phy_cfo_track_work);
+ wiphy_delayed_work_init(&rtwdev->tx_wait_work, rtw89_tx_wait_work);
INIT_DELAYED_WORK(&rtwdev->forbid_ba_work, rtw89_forbid_ba_work);
INIT_DELAYED_WORK(&rtwdev->antdiv_work, rtw89_phy_antdiv_work);
rtwdev->txq_wq = alloc_workqueue("rtw89_tx_wq", WQ_UNBOUND | WQ_HIGHPRI, 0);
--- a/drivers/net/wireless/realtek/rtw89/core.h
+++ b/drivers/net/wireless/realtek/rtw89/core.h
@@ -3406,9 +3406,12 @@ struct rtw89_phy_rate_pattern {
bool enable;
};
+#define RTW89_TX_WAIT_WORK_TIMEOUT msecs_to_jiffies(500)
struct rtw89_tx_wait_info {
struct rcu_head rcu_head;
+ struct list_head list;
struct completion completion;
+ struct sk_buff *skb;
bool tx_done;
};
@@ -5539,6 +5542,9 @@ struct rtw89_dev {
/* used to protect rpwm */
spinlock_t rpwm_lock;
+ struct list_head tx_waits;
+ struct wiphy_delayed_work tx_wait_work;
+
struct rtw89_cam_info cam_info;
struct sk_buff_head c2h_queue;
@@ -5735,6 +5741,26 @@ u8 rtw89_sta_link_inst_get_index(struct
return rtwsta_link - rtwsta->links_inst;
}
+static inline void rtw89_tx_wait_release(struct rtw89_tx_wait_info *wait)
+{
+ dev_kfree_skb_any(wait->skb);
+ kfree_rcu(wait, rcu_head);
+}
+
+static inline void rtw89_tx_wait_list_clear(struct rtw89_dev *rtwdev)
+{
+ struct rtw89_tx_wait_info *wait, *tmp;
+
+ lockdep_assert_wiphy(rtwdev->hw->wiphy);
+
+ list_for_each_entry_safe(wait, tmp, &rtwdev->tx_waits, list) {
+ if (!completion_done(&wait->completion))
+ continue;
+ list_del(&wait->list);
+ rtw89_tx_wait_release(wait);
+ }
+}
+
static inline int rtw89_hci_tx_write(struct rtw89_dev *rtwdev,
struct rtw89_core_tx_request *tx_req)
{
@@ -5744,6 +5770,7 @@ static inline int rtw89_hci_tx_write(str
static inline void rtw89_hci_reset(struct rtw89_dev *rtwdev)
{
rtwdev->hci.ops->reset(rtwdev);
+ rtw89_tx_wait_list_clear(rtwdev);
}
static inline int rtw89_hci_start(struct rtw89_dev *rtwdev)
@@ -6745,11 +6772,12 @@ static inline struct sk_buff *rtw89_allo
return dev_alloc_skb(length);
}
-static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev,
+static inline bool rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev,
struct rtw89_tx_skb_data *skb_data,
bool tx_done)
{
struct rtw89_tx_wait_info *wait;
+ bool ret = false;
rcu_read_lock();
@@ -6757,11 +6785,14 @@ static inline void rtw89_core_tx_wait_co
if (!wait)
goto out;
+ ret = true;
wait->tx_done = tx_done;
- complete(&wait->completion);
+ /* Don't access skb anymore after completion */
+ complete_all(&wait->completion);
out:
rcu_read_unlock();
+ return ret;
}
static inline bool rtw89_is_mlo_1_1(struct rtw89_dev *rtwdev)
--- a/drivers/net/wireless/realtek/rtw89/pci.c
+++ b/drivers/net/wireless/realtek/rtw89/pci.c
@@ -458,7 +458,8 @@ static void rtw89_pci_tx_status(struct r
struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb);
struct ieee80211_tx_info *info;
- rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE);
+ if (rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE))
+ return;
info = IEEE80211_SKB_CB(skb);
ieee80211_tx_info_clear_status(info);
--- a/drivers/net/wireless/realtek/rtw89/ser.c
+++ b/drivers/net/wireless/realtek/rtw89/ser.c
@@ -484,6 +484,7 @@ static void ser_l1_reset_pre_st_hdl(stru
static void ser_reset_trx_st_hdl(struct rtw89_ser *ser, u8 evt)
{
struct rtw89_dev *rtwdev = container_of(ser, struct rtw89_dev, ser);
+ struct wiphy *wiphy = rtwdev->hw->wiphy;
switch (evt) {
case SER_EV_STATE_IN:
@@ -496,7 +497,9 @@ static void ser_reset_trx_st_hdl(struct
}
drv_stop_rx(ser);
+ wiphy_lock(wiphy);
drv_trx_reset(ser);
+ wiphy_unlock(wiphy);
/* wait m3 */
hal_send_m2_event(ser);
next prev parent reply other threads:[~2025-10-10 13:20 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-10 13:16 [PATCH 6.12 00/35] 6.12.52-rc1 review Greg Kroah-Hartman
2025-10-10 13:16 ` Greg Kroah-Hartman [this message]
2025-10-10 13:16 ` [PATCH 6.12 02/35] media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 03/35] USB: serial: option: add SIMCom 8230C compositions Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 04/35] Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 05/35] wifi: rtlwifi: rtl8192cu: Dont claim USB ID 07b8:8188 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 06/35] wifi: rtl8xxxu: " Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 07/35] rust: block: fix `srctree/` links Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 08/35] ASoC: amd: acp: Adjust pdm gain value Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 09/35] dm-integrity: limit MAX_TAG_SIZE to 255 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 10/35] platform/x86/amd/pmc: Add MECHREVO Yilong15Pro to spurious_8042 list Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 11/35] perf subcmd: avoid crash in exclude_cmds when excludes is empty Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 12/35] platform/x86/amd/pmf: Support new ACPI ID AMDI0108 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 13/35] ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 14/35] btrfs: ref-verify: handle damaged extent root tree Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 15/35] netfs: Prevent duplicate unlocking Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 16/35] can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 17/35] can: rcar_canfd: Fix controller mode setting Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 18/35] platform/x86/amd/pmc: Add Stellaris Slim Gen6 AMD to spurious 8042 quirks list Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 19/35] drm/amd : Update MES API header file for v11 & v12 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 20/35] drm/amd/include : MES v11 and v12 API header update Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 21/35] drm/amd/include : Update MES v12 API for fence update Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 22/35] drm/amdgpu: Enable MES lr_compute_wa by default Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 23/35] ALSA: usb-audio: Kill timer properly at removal Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 24/35] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 25/35] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 26/35] nvmem: layouts: fix automatic module loading Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 27/35] binder: fix double-free in dbitmap Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 28/35] serial: stm32: allow selecting console when the driver is module Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 29/35] staging: axis-fifo: fix maximum TX packet length check Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 30/35] staging: axis-fifo: fix TX handling on copy_from_user() failure Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 31/35] staging: axis-fifo: flush RX FIFO on read errors Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 32/35] driver core/PM: Set power.no_callbacks along with power.no_pm Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 33/35] crypto: rng - Ensure set_ent is always present Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 34/35] net/9p: fix double req put in p9_fd_cancelled Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 35/35] KVM: x86: Dont (re)check L1 intercepts when completing userspace I/O Greg Kroah-Hartman
2025-10-10 17:15 ` [PATCH 6.12 00/35] 6.12.52-rc1 review Jon Hunter
2025-10-10 20:30 ` Brett Mastbergen
2025-10-10 22:21 ` Shuah Khan
2025-10-11 7:30 ` Pavel Machek
2025-10-11 8:59 ` Naresh Kamboju
2025-10-11 10:58 ` Mark Brown
2025-10-11 11:44 ` Ron Economos
2025-10-11 16:59 ` Brett A C Sheffield
2025-10-11 19:59 ` Peter Schneider
2025-10-12 9:30 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251010131331.842424641@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kevin_yang@realtek.com \
--cc=patches@lists.linux.dev \
--cc=pchelkin@ispras.ru \
--cc=pkshih@realtek.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.