* [PATCH wireless] rtlwifi: rtl_pci: Fix possible use-after-free caused by unfinished tasklet
@ 2026-02-23  3:14 Duoming Zhou
From: Duoming Zhou @ 2026-02-23  3:14 UTC
  To: linux-wireless; +Cc: pkshih, linux-kernel, Duoming Zhou

The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
But it is never killed in rtl_pci_deinit(). When the rtlwifi card
probe fails or is being detached, the ieee80211_hw is deallocated.
However, irq_prepare_bcn_tasklet may still be running or pending,
leading to use-after-free when the freed ieee80211_hw is accessed
in _rtl_pci_prepare_bcn_tasklet().

Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
ensure that irq_prepare_bcn_tasklet is properly terminated before
the ieee80211_hw is released.

The issue was identified through static analysis.

Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
---
 drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index d080469264c..f0010336e78 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -1674,6 +1674,7 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
 
 	synchronize_irq(rtlpci->pdev->irq);
 	tasklet_kill(&rtlpriv->works.irq_tasklet);
+	tasklet_kill(&rtlpriv->works.irq_prepare_bcn_tasklet);
 	cancel_work_sync(&rtlpriv->works.lps_change_work);
 }
 
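Review bot: the new tasklet_kill() sits right after the existing kill of irq_tasklet, which is the right place, but tasklet_kill() only guarantees the tasklet is neither pending nor running at the moment it returns; the hunk's context (synchronize_irq() followed by the two kills) does not show the beacon interrupt being masked or the IRQ handler being freed before this point, so it is worth confirming, or stating in the commit message, that RTL_IMR_BCNINT cannot fire after synchronize_irq() and reschedule irq_prepare_bcn_tasklet before the ieee80211_hw is released. The commit message also names the probe-failure path; a sentence confirming that rtl_pci_deinit() is reached on that path would make the Fixes claim easier to check.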
-- 
2.34.1

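Added example, not part of this patch or of the rtlwifi driver: a userspace C model of the ordering bug the commit message describes, with the unfixed and the patched teardown side by side. A pthread stands in for the softirq context that runs the tasklet, so both the "still pending" and the "still running" cases the commit message mentions are covered by the join. Every `*_sim` name, the `HW_ALIVE`/`HW_POISON` markers and the 50 ms delay are constructed for the example; "releasing" the hw object poisons a marker instead of freeing it, so the stale access is counted rather than crashing the process.

```c
/* Added example (not the driver's code): userspace model of a tasklet that
 * outlives the object it works on. All *_sim names are hypothetical. */
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define HW_ALIVE  0x600dbeefu   /* constructed marker: object is valid */
#define HW_POISON 0xdeadbeefu   /* stands in for slab poisoning after kfree() */

struct hw_sim {                 /* stand-in for struct ieee80211_hw */
	unsigned int magic;
};

struct tasklet_sim {            /* minimal model of a tasklet */
	void (*func)(void *);
	void *data;
	pthread_t thread;
	int in_flight;          /* scheduled and not yet waited for */
};

struct drv_ctx_sim {            /* stand-in for the driver's private data */
	struct hw_sim *hw;
	struct tasklet_sim bcn_tasklet;
	int beacons_prepared;   /* successful runs against a live hw */
	int stale_accesses;     /* runs that found hw already released */
};

struct teardown_result {
	int stale_accesses;
	int beacons_prepared;
};

static void *tasklet_trampoline(void *arg)
{
	struct tasklet_sim *t = arg;

	t->func(t->data);
	return NULL;
}

static void tasklet_init_sim(struct tasklet_sim *t, void (*func)(void *),
			     void *data)
{
	memset(t, 0, sizeof(*t));
	t->func = func;
	t->data = data;
}

/* Models tasklet_schedule(): the body runs later, in another context. */
static void tasklet_schedule_sim(struct tasklet_sim *t)
{
	if (t->in_flight)
		return;
	t->in_flight = 1;
	pthread_create(&t->thread, NULL, tasklet_trampoline, t);
}

/* Models tasklet_kill(): returns only once no run is pending or in progress. */
static void tasklet_kill_sim(struct tasklet_sim *t)
{
	if (!t->in_flight)
		return;
	pthread_join(t->thread, NULL);
	t->in_flight = 0;
}

/* Stand-in for the beacon-prepare tasklet body: the delay models a tasklet
 * that is still in flight when deinit starts. */
static void prepare_bcn_sim(void *arg)
{
	struct drv_ctx_sim *ctx = arg;

	usleep(50 * 1000);
	if (ctx->hw->magic != HW_ALIVE) {
		ctx->stale_accesses++;  /* in the kernel: use-after-free */
		return;
	}
	ctx->beacons_prepared++;
}

/* Stand-in for freeing the ieee80211_hw: poison instead of free. */
static void hw_release_sim(struct hw_sim *hw)
{
	hw->magic = HW_POISON;
}

/* One teardown: a beacon interrupt has just scheduled the tasklet, then
 * deinit runs. kill_first selects the patched ordering. */
struct teardown_result teardown_sim(int kill_first)
{
	struct drv_ctx_sim ctx;
	struct hw_sim hw = { .magic = HW_ALIVE };
	struct teardown_result res;

	memset(&ctx, 0, sizeof(ctx));
	ctx.hw = &hw;
	tasklet_init_sim(&ctx.bcn_tasklet, prepare_bcn_sim, &ctx);
	tasklet_schedule_sim(&ctx.bcn_tasklet);   /* interrupt fired */

	if (kill_first)
		tasklet_kill_sim(&ctx.bcn_tasklet);   /* the one-line fix */
	hw_release_sim(&hw);                          /* hw goes away */

	/* Only so the example can read the counters; the kernel has no such
	 * late wait, the tasklet simply runs against freed memory. */
	tasklet_kill_sim(&ctx.bcn_tasklet);
	res.stale_accesses = ctx.stale_accesses;
	res.beacons_prepared = ctx.beacons_prepared;
	return res;
}

int main(void)
{
	struct teargown_result_unused;
	struct teardown_result bad = teardown_sim(0);
	struct teardown_result good = teardown_sim(1);

	printf("without kill: stale=%d prepared=%d\n",
	       bad.stale_accesses, bad.beacons_prepared);
	printf("with kill:    stale=%d prepared=%d\n",
	       good.stale_accesses, good.beacons_prepared);
	return 0;
}
```

The unpatched ordering releases the object while the run is still in flight and the tasklet then reads the poisoned marker; the patched ordering waits first, so the run completes against a live object and the release happens afterwards. Build with `cc -pthread` on toolchains whose libc does not already include pthreads.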


* RE: [PATCH wireless] rtlwifi: rtl_pci: Fix possible use-after-free caused by unfinished tasklet
From: Ping-Ke Shih @ 2026-02-23  3:52 UTC
  To: Duoming Zhou, linux-wireless@vger.kernel.org; +Cc: linux-kernel@vger.kernel.org

Duoming Zhou <duoming@zju.edu.cn> wrote:
> The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
> scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
> But it is never killed in rtl_pci_deinit(). When the rtlwifi card
> probe fails or is being detached, the ieee80211_hw is deallocated.
> However, irq_prepare_bcn_tasklet may still be running or pending,
> leading to use-after-free when the freed ieee80211_hw is accessed
> in _rtl_pci_prepare_bcn_tasklet().
> 
> Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
> ensure that irq_prepare_bcn_tasklet is properly terminated before
> the ieee80211_hw is released.
> 
> The issue was identified through static analysis.
> 
> Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>

The tree selection should be "rtw-next" (may be "rtw", but I don't think
this patch is urgent), and subject prefix should be "wifi: rtlwifi: ...".
Also, I'd put the name of the tasklet in the subject. Then,
"[PATCH rtw-next] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet"

Otherwise, looks good to me.

Acked-by: Ping-Ke Shih <pkshih@realtek.com>


> ---
>  drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
> index d080469264c..f0010336e78 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/pci.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
> @@ -1674,6 +1674,7 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
> 
>         synchronize_irq(rtlpci->pdev->irq);
>         tasklet_kill(&rtlpriv->works.irq_tasklet);
> +       tasklet_kill(&rtlpriv->works.irq_prepare_bcn_tasklet);
>         cancel_work_sync(&rtlpriv->works.lps_change_work);
>  }
> 
> --
> 2.34.1



* Re: [PATCH wireless] rtlwifi: rtl_pci: Fix possible use-after-free caused by unfinished tasklet
From: duoming @ 2026-02-23  4:31 UTC
  To: Ping-Ke Shih; +Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org

Ping-Ke Shih <pkshih@realtek.com> wrote:
> > The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
> > scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
> > But it is never killed in rtl_pci_deinit(). When the rtlwifi card
> > probe fails or is being detached, the ieee80211_hw is deallocated.
> > However, irq_prepare_bcn_tasklet may still be running or pending,
> > leading to use-after-free when the freed ieee80211_hw is accessed
> > in _rtl_pci_prepare_bcn_tasklet().
> > 
> > Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
> > ensure that irq_prepare_bcn_tasklet is properly terminated before
> > the ieee80211_hw is released.
> > 
> > The issue was identified through static analysis.
> > 
> > Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
> > Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> 
> The tree selection should be "rtw-next" (may be "rtw", but I don't think
> this patch is urgent), and subject prefix should be "wifi: rtlwifi: ...".
> Also, I'd put the name of the tasklet in the subject. Then,
> "[PATCH rtw-next] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet"

Thank you for your time and reply! I will select the "rtw-next" tree,
adjust the subject prefix and send a v2 patch.

> Otherwise, looks good to me.
> 
> Acked-by: Ping-Ke Shih <pkshih@realtek.com>

Best regards,
Duoming Zhou
