From: Greg KH <greg@kroah.com>
To: Michal Pecio <michal.pecio@gmail.com>
Cc: Bitterblue Smith <rtl8821cerfe2@gmail.com>,
Ping-Ke Shih <pkshih@realtek.com>, Zenm Chen <zenmchen@gmail.com>,
"gustavo@embeddedor.com" <gustavo@embeddedor.com>,
"Jes.Sorensen@gmail.com" <Jes.Sorensen@gmail.com>,
"gustavoars@kernel.org" <gustavoars@kernel.org>,
"linux-hardening@vger.kernel.org"
<linux-hardening@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
linux-usb@vger.kernel.org
Subject: Re: [PATCH][next] wifi: rtl8xxxu: Avoid -Wflex-array-member-not-at-end warnings
Date: Sun, 7 Dec 2025 08:55:59 +0900 [thread overview]
Message-ID: <2025120716-sway-hypnotic-8cb6@gregkh> (raw)
In-Reply-To: <20251207001608.1f6940bf.michal.pecio@gmail.com>
On Sun, Dec 07, 2025 at 12:16:08AM +0100, Michal Pecio wrote:
> Hi,
>
> > >> I got something. In my case everything seemed fine until I
> > >> unplugged the wifi adapter. And then the system still worked for a
> > >> few minutes before it froze.
>
> Sounds like memory corruption.
>
> > > Zenm and I tested below changes which can also reproduce the
> > > symptom, so I wonder driver might assume urb is the first member of
> > > struct, but unfortunately I can't find that.
>
> That's what it seems to be doing, because it uses usb_init_urb()
> on urbs embedded in some struct and then usb_free_urb().
>
> If you look what usb_free_urb() does, it decrements refcount and
> attempts to free urb. But here urb is a member of a larger struct,
> so I guess the whole struct is freed (and this was either intentional
> or a bug that didn't happen to blow up yet).
That's not ok at all, it's amazing this is working today. urbs need to
be "stand alone" structures and never embedded into anything else.
So this needs to be fixed up no matter what.
thanks,
greg k-h
next prev parent reply other threads:[~2025-12-06 23:56 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <ff184c0e-17f2-445f-9339-f4db9943db86@embeddedor.com>
[not found] ` <20251121111132.4435-1-zenmchen@gmail.com>
[not found] ` <475b4336-eed0-4fae-848f-aae26f109606@gmail.com>
[not found] ` <c0d187d6fead4e5387db2a14129be96c@realtek.com>
2025-12-06 21:53 ` [PATCH][next] wifi: rtl8xxxu: Avoid -Wflex-array-member-not-at-end warnings Bitterblue Smith
2025-12-06 23:16 ` Michal Pecio
2025-12-06 23:55 ` Greg KH [this message]
2025-12-07 8:05 ` Michal Pecio
2025-12-08 0:05 ` Bitterblue Smith
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2025120716-sway-hypnotic-8cb6@gregkh \
--to=greg@kroah.com \
--cc=Jes.Sorensen@gmail.com \
--cc=gustavo@embeddedor.com \
--cc=gustavoars@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=michal.pecio@gmail.com \
--cc=pkshih@realtek.com \
--cc=rtl8821cerfe2@gmail.com \
--cc=zenmchen@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox