From: Zong-Zhe Yang <kevin_yang@realtek.com>
To: "pchelkin@ispras.ru" <pchelkin@ispras.ru>
Cc: Ping-Ke Shih <pkshih@realtek.com>,
	Bernie Huang <phhuang@realtek.com>,
	"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"lvc-project@linuxtesting.org" <lvc-project@linuxtesting.org>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: RE: [PATCH rtw v2 1/4] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()
Date: Fri, 29 Aug 2025 03:02:47 +0000
Message-ID: <da4e555fb0e6404386a5b18f17dbc296@realtek.com>
In-Reply-To: <20250828140912-171fa800b314416241936137-pchelkin@ispras>

Fedor Pchelkin <pchelkin@ispras.ru> wrote:
> 
> Thanks! I agree with all aforementioned comments but wonder about this one:
> 
> On Thu, 28. Aug 08:07, Zong-Zhe Yang wrote:
> > Fedor Pchelkin <pchelkin@ispras.ru> wrote:
> > > --- a/drivers/net/wireless/realtek/rtw89/pci.c
> > > +++ b/drivers/net/wireless/realtek/rtw89/pci.c
> > > @@ -464,10 +464,7 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwdev,
> > >     struct rtw89_tx_skb_data *skb_data = RTW89_TX_SKB_CB(skb);
> > >     struct ieee80211_tx_info *info;
> > >
> > > -   rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE);
> > > -
> > >     info = IEEE80211_SKB_CB(skb);
> > > -   ieee80211_tx_info_clear_status(info);
> > >
> > >     if (info->flags & IEEE80211_TX_CTL_NO_ACK)
> > >             info->flags |= IEEE80211_TX_STAT_NOACK_TRANSMITTED;
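Review bot: After this hunk the info->flags |= IEEE80211_TX_STAT_NOACK_TRANSMITTED update runs before ieee80211_tx_info_clear_status(info), which the next hunk re-adds further down, and nothing in the code says why the flag survives that call. The reply later in this thread states that the helper clears only the TX status part and leaves 'flags' alone; please record that in a one-line comment next to the moved call or in the commit message, since the reordering is easy to misread as wiping a freshly set flag.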
> > > @@ -494,6 +491,10 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwdev,
> > >             }
> > >     }
> > >
> > > +   if (rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status == RTW89_TX_DONE))
> > > +           return;
> > > +
> > > +   ieee80211_tx_info_clear_status(info);
> >
> > Don't change order of these calls.
> > (it's wrong for normal pkt because their tx_info are cleared after
> > filled)
> >
> 
> ieee80211_tx_info_clear_status() clears only TX status part of the ieee80211_tx_info. It
> doesn't touch 'flags' field - the only one filled here by rtw89_pci_tx_status(). It shouldn't be
> wrong for normal packets.
> 

I double checked it again and think you are right.
I misread tx_info->flags against tx_info->status.flags.
Sorry.

> The reason for changing the order of those calls is to have a chance to update tx_ring
> statistics before fast return from rtw89_pci_tx_status() in case of tx_wait packets.
> 
> But, ergh, I can't find those stats reported anywhere in the driver so it looks like just not a real
> issue currently and I'd rather not change the order, okay.
> 

These statistics are used when debugging normal packets from stack.
For driver packets (with tx wait), I think top callers, e.g. rtw89_core_send_nullfunc,
will warn when tx failed. So, don't care about these statistics.

> > >     ieee80211_tx_status_ni(rtwdev->hw, skb);  }
> > >
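
Review bot: The early return added after rtw89_core_tx_wait_complete() skips ieee80211_tx_status_ni(rtwdev->hw, skb), so on that path nothing visible in rtw89_pci_tx_status() hands off or frees skb. Please add a comment above the 'return;' stating what a true return value means and who owns the skb afterwards, so that a later change does not touch skb or info after the call. It would also help to note there that ieee80211_tx_info_clear_status(info) is deliberately skipped for tx_wait packets.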
