From: Michal Pecio <michal.pecio@gmail.com>
To: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Cc: Ping-Ke Shih <pkshih@realtek.com>, Zenm Chen <zenmchen@gmail.com>,
"gustavo@embeddedor.com" <gustavo@embeddedor.com>,
"Jes.Sorensen@gmail.com" <Jes.Sorensen@gmail.com>,
"gustavoars@kernel.org" <gustavoars@kernel.org>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
linux-usb@vger.kernel.org
Subject: Re: [PATCH][next] wifi: rtl8xxxu: Avoid -Wflex-array-member-not-at-end warnings
Date: Sun, 7 Dec 2025 00:16:08 +0100
Message-ID: <20251207001608.1f6940bf.michal.pecio@gmail.com>
In-Reply-To: <44c9c325-14a8-4391-adce-4bbe8c68b446@gmail.com>

Hi,

> >> I got something. In my case everything seemed fine until I
> >> unplugged the wifi adapter. And then the system still worked for a
> >> few minutes before it froze.

Sounds like memory corruption.

> > Zenm and I tested below changes which can also reproduce the
> > symptom, so I wonder driver might assume urb is the first member of
> > struct, but unfortunately I can't find that.

That's what it seems to be doing, because it uses usb_init_urb()
on urbs embedded in some struct and then usb_free_urb().

If you look at what usb_free_urb() does, it decrements refcount and
attempts to free urb. But here urb is a member of a larger struct,
so I guess the whole struct is freed (and this was either intentional
or a bug that didn't happen to blow up yet).

Now a bogus address is being passed to kfree() and things go boom.

Or at least that's my first guess after spending a few minutes.
But that's the direction I would be looking at.

Regards,
Michal
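
The reasoning in the message above as a userspace model, added here as an illustration and not code from the driver or from anyone in the thread. `mock_urb`, `rx_urb_first`, `rx_urb_last` and `mock_free_urb` are hypothetical stand-ins, and the model returns the pointer that would be freed instead of actually freeing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-in for struct urb (hypothetical, not the kernel type). */
struct mock_urb { int refcount; void *context; };
/* Wrapper with the urb as first member, and with the urb moved to the end. */
struct rx_urb_first { struct mock_urb urb; void *hw; long list[2]; };
struct rx_urb_last  { void *hw; long list[2]; struct mock_urb urb; };

/* Models usb_free_urb() as described in the message: drop a reference and,
 * at zero, free the urb pointer itself. Returns the pointer that would go
 * to the allocator instead of freeing it (NULL while references remain). */
static void *mock_free_urb(struct mock_urb *urb)
{
	return (--urb->refcount > 0) ? NULL : urb;
}

/* Offset of the pointer being released from the real allocation base. */
static ptrdiff_t release_offset_first(void)
{
	struct rx_urb_first *rx = calloc(1, sizeof(*rx));
	if (!rx) abort();
	rx->urb.refcount = 1;	/* models usb_init_urb() on the embedded urb */
	ptrdiff_t off = (char *)mock_free_urb(&rx->urb) - (char *)rx;
	free(rx);		/* release through the real base pointer */
	return off;
}

static ptrdiff_t release_offset_last(void)
{
	struct rx_urb_last *rx = calloc(1, sizeof(*rx));
	if (!rx) abort();
	rx->urb.refcount = 1;
	ptrdiff_t off = (char *)mock_free_urb(&rx->urb) - (char *)rx;
	free(rx);
	return off;
}

int main(void)
{
	printf("urb first: freed pointer is base+%td\n", release_offset_first());
	printf("urb last:  freed pointer is base+%td\n", release_offset_last());
	return 0;
}
```

With the urb first, the pointer handed to the allocator happens to equal the allocation base; with the urb last, it points into the middle of the allocation, which is the "bogus address" case.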