From: Ping-Ke Shih <pkshih@realtek.com>
To: Duoming Zhou <duoming@zju.edu.cn>,
"linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: RE: [PATCH wireless] rtlwifi: rtl_pci: Fix possible use-after-free caused by unfinished tasklet
Date: Mon, 23 Feb 2026 03:52:10 +0000
Message-ID: <153117a9fd5b464baa77b5ef48daaabc@realtek.com>
In-Reply-To: <20260223031415.39221-1-duoming@zju.edu.cn>
Duoming Zhou <duoming@zju.edu.cn> wrote:
> The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
> scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
> But it is never killed in rtl_pci_deinit(). When the rtlwifi card
> probe fails or is being detached, the ieee80211_hw is deallocated.
> However, irq_prepare_bcn_tasklet may still be running or pending,
> leading to use-after-free when the freed ieee80211_hw is accessed
> in _rtl_pci_prepare_bcn_tasklet().
>
> Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
> ensure that irq_prepare_bcn_tasklet is properly terminated before
> the ieee80211_hw is released.
>
> The issue was identified through static analysis.
>
> Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>

The tree selection should be "rtw-next" (may be "rtw", but I don't think
this patch is urgent), and subject prefix should be "wifi: rtlwifi: ...".
More, I'd point out the name of tasklet in subject. Then,

"[PATCH rtw-next] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet"

Otherwise, looks good to me.

Acked-by: Ping-Ke Shih <pkshih@realtek.com>

> ---
> drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
> index d080469264c..f0010336e78 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/pci.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
> @@ -1674,6 +1674,7 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
>
> synchronize_irq(rtlpci->pdev->irq);
> tasklet_kill(&rtlpriv->works.irq_tasklet);
> + tasklet_kill(&rtlpriv->works.irq_prepare_bcn_tasklet);
> cancel_work_sync(&rtlpriv->works.lps_change_work);
> }
>
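Review bot: the added tasklet_kill(&rtlpriv->works.irq_prepare_bcn_tasklet) only waits for an instance that is already scheduled or running, and the synchronize_irq() two lines above it only waits for interrupt handlers that are already in flight, so nothing visible in rtl_pci_deinit() stops a later RTL_IMR_BCNINT interrupt from scheduling the tasklet again after this line returns. The commit message should state what guarantees the device interrupt is already masked or released when rtl_pci_deinit() is called on both the probe-failure and detach paths; if no such guarantee exists, the interrupt has to be disabled before the synchronize_irq() call for this fix to close the window. The same question applies to the existing irq_tasklet line, so a one-line comment above the two tasklet_kill() calls naming that precondition would help future readers.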
> --
> 2.34.1