public inbox for linux-wireless@vger.kernel.org
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
To: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>
Cc: Ping-Ke Shih <pkshih@realtek.com>
Subject: Re: [PATCH rtw-next v3 12/14] wifi: rtw89: Add usb.{c,h}
Date: Mon, 23 Jun 2025 23:08:39 +0300
Message-ID: <1e5e97d4-8267-4f77-a4bf-1fe23ea40f77@gmail.com>
In-Reply-To: <4f456355-fdc5-4624-ab00-ed374f3b58a1@gmail.com>

On 20/06/2025 22:04, Bitterblue Smith wrote:
> Add very basic USB support. No TX/RX aggregation, no TX queues,

Commit 47a498b84f01 ("wifi: rtw89: TX nulldata 0 after scan complete")
exposed a problem with my lazy "no TX queues" approach:

[30316.444515] BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait+0xed/0x1e0 [rtw89_core]

[30316.444616] Use-after-free write at 0x00000000719224cd (in kfence-#231):
[30316.444623]  rtw89_core_tx_kick_off_and_wait+0xed/0x1e0 [rtw89_core]
[30316.444716]  rtw89_core_scan_complete+0x19b/0x260 [rtw89_core]
[30316.444810]  rtw89_hw_scan_complete_cb+0xbb/0x150 [rtw89_core]
[30316.444906]  rtw89_chanctx_proceed_cb+0x21/0x40 [rtw89_core]
[30316.444988]  rtw89_chanctx_proceed+0x45/0x90 [rtw89_core]
[30316.445067]  rtw89_hw_scan_complete+0x4e/0x70 [rtw89_core]
[30316.445156]  rtw89_mac_c2h_scanofld_rsp+0x33a/0x380 [rtw89_core]
[30316.445241]  rtw89_fw_c2h_cmd_handle+0x89/0x100 [rtw89_core]
[30316.445332]  rtw89_fw_c2h_work+0x3c/0x60 [rtw89_core]
[30316.445412]  cfg80211_wiphy_work+0x110/0x190 [cfg80211]
[30316.445412]  process_one_work+0x190/0x350
[30316.445412]  worker_thread+0x2d7/0x410
[30316.445412]  kthread+0xf9/0x240
[30316.445412]  ret_from_fork+0x31/0x50
[30316.445412]  ret_from_fork_asm+0x1a/0x30

[30316.445412] kfence-#231: 0x0000000049346f7c-0x000000006dacad1c, size=232, cache=skbuff_head_cache

[30316.445412] allocated by task 17836 on cpu 0 at 30316.413509s (0.031903s ago):
[30316.445412]  __alloc_skb+0x148/0x1a0
[30316.445412]  __netdev_alloc_skb+0x38/0x190
[30316.445412]  ieee80211_nullfunc_get+0x3f/0x210 [mac80211]
[30316.445412]  rtw89_core_send_nullfunc+0xd2/0x190 [rtw89_core]
[30316.445412]  rtw89_core_scan_complete+0x19b/0x260 [rtw89_core]
[30316.445412]  rtw89_hw_scan_complete_cb+0xbb/0x150 [rtw89_core]
[30316.445412]  rtw89_chanctx_proceed_cb+0x21/0x40 [rtw89_core]
[30316.445412]  rtw89_chanctx_proceed+0x45/0x90 [rtw89_core]
[30316.445412]  rtw89_hw_scan_complete+0x4e/0x70 [rtw89_core]
[30316.445412]  rtw89_mac_c2h_scanofld_rsp+0x33a/0x380 [rtw89_core]
[30316.445412]  rtw89_fw_c2h_cmd_handle+0x89/0x100 [rtw89_core]
[30316.445412]  rtw89_fw_c2h_work+0x3c/0x60 [rtw89_core]
[30316.445412]  cfg80211_wiphy_work+0x110/0x190 [cfg80211]
[30316.445412]  process_one_work+0x190/0x350
[30316.445412]  worker_thread+0x2d7/0x410
[30316.445412]  kthread+0xf9/0x240
[30316.445412]  ret_from_fork+0x31/0x50
[30316.445412]  ret_from_fork_asm+0x1a/0x30

[30316.445412] freed by task 0 on cpu 3 at 30316.413558s (0.031854s ago):
[30316.445412]  ieee80211_tx_status_skb+0x75/0xb0 [mac80211]
[30316.445412]  ieee80211_handle_queued_frames+0x9f/0xd0 [mac80211]
[30316.445412]  tasklet_action_common+0xc5/0x230
[30316.445412]  handle_softirqs+0xe3/0x2a0
[30316.445412]  __irq_exit_rcu+0xcb/0xf0
[30316.445412]  common_interrupt+0x85/0xa0
[30316.445412]  asm_common_interrupt+0x26/0x40
[30316.445412]  cpuidle_enter_state+0xbb/0x410
[30316.445412]  cpuidle_enter+0x31/0x50
[30316.445412]  do_idle+0x1b1/0x210
[30316.445412]  cpu_startup_entry+0x29/0x30
[30316.445412]  start_secondary+0x119/0x140
[30316.445412]  common_startup_64+0x13e/0x141

[30316.445412] CPU: 0 UID: 0 PID: 17836 Comm: kworker/u16:1 Tainted: G           OE       6.15.1-arch1-2 #1 PREEMPT(full)  cd63386364b969355862abafc710704c8116e874
[30316.445412] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[30316.445412] Hardware name: LENOVO 82KR/LNVNB161216, BIOS HBCN18WW 08/27/2021
[30316.445412] Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]

rtw89_core_send_nullfunc() calls rtw89_core_tx_write_link().
rtw89_usb_ops_tx_write() transmits the frame immediately and
rtw89_usb_write_port_complete() hands it to
ieee80211_tx_status_irqsafe(). Then rtw89_core_send_nullfunc()
calls rtw89_core_tx_kick_off_and_wait(), but the nullfunc was
already freed by mac80211.

So I will add TX queues in v4.
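
An added illustration, not part of the original message and not rtw89 code: a userspace model of the lifetime problem described above, where the completion path drops the only reference to the frame before the sender's post-submit write. All names (struct frame, send_and_wait, tx_write_immediate) are hypothetical, completion is made synchronous so the outcome is deterministic, and holding an extra reference is shown only as the general ownership rule, not as the change planned for v4.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-in for an skb: refcounted, with a field the sender
 * writes after it has submitted the frame. */
struct frame {
	int refs;
	int wait_armed;
	bool *freed;	/* external flag, so the free is observable safely */
};

static struct frame *frame_alloc(bool *freed)
{
	struct frame *f = calloc(1, sizeof(*f));

	if (!f)
		return NULL;
	f->refs = 1;
	f->freed = freed;
	*freed = false;
	return f;
}

static void frame_get(struct frame *f) { f->refs++; }

static void frame_put(struct frame *f)
{
	if (--f->refs == 0) {
		*f->freed = true;
		free(f);
	}
}

/* Bus with no TX queue (assumption of this model): the write transmits at
 * once and the completion path consumes the reference it was handed. */
static void tx_write_immediate(struct frame *f) { frame_put(f); }

/* 0: post-submit write was safe; -1: it would have hit freed memory
 * (the write is skipped); -2: allocation failed. */
int send_and_wait(bool hold_ref)
{
	bool freed;
	struct frame *f = frame_alloc(&freed);

	if (!f)
		return -2;
	if (hold_ref)
		frame_get(f);	/* sender keeps its own reference */
	tx_write_immediate(f);
	if (freed)
		return -1;	/* f is dangling: this is the reported bug */
	f->wait_armed = 1;	/* models the write done while waiting */
	frame_put(f);		/* drop the sender's reference */
	return 0;
}

int main(void) { return !(send_and_wait(false) == -1 && send_and_wait(true) == 0); }
```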


Thread overview: 22+ messages
2025-06-20 18:51 [PATCH rtw-next v3 00/14] wifi: rtw89: Add support for USB devices Bitterblue Smith
2025-06-20 18:53 ` [PATCH rtw-next v3 01/14] wifi: rtw89: 8851b: Accept USB devices and load their MAC address Bitterblue Smith
2025-06-20 18:54 ` [PATCH rtw-next v3 02/14] wifi: rtw89: Make dle_mem in rtw89_chip_info an array Bitterblue Smith
2025-06-24  5:42   ` Ping-Ke Shih
2025-06-20 18:56 ` [PATCH rtw-next v3 03/14] wifi: rtw89: Make hfc_param_ini " Bitterblue Smith
2025-06-24  5:45   ` Ping-Ke Shih
2025-06-20 18:56 ` [PATCH rtw-next v3 04/14] wifi: rtw89: Add rtw8851b_dle_mem_usb{2,3} Bitterblue Smith
2025-06-20 18:57 ` [PATCH rtw-next v3 05/14] wifi: rtw89: Add rtw8851b_hfc_param_ini_usb Bitterblue Smith
2025-06-20 18:58 ` [PATCH rtw-next v3 06/14] wifi: rtw89: Disable deep power saving for USB/SDIO Bitterblue Smith
2025-06-24  5:50   ` Ping-Ke Shih
2025-06-20 18:59 ` [PATCH rtw-next v3 07/14] wifi: rtw89: Add extra TX headroom for USB Bitterblue Smith
2025-06-20 19:00 ` [PATCH rtw-next v3 08/14] wifi: rtw89: Hide some errors when the device is unplugged Bitterblue Smith
2025-06-20 19:01 ` [PATCH rtw-next v3 09/14] wifi: rtw89: 8851b: Modify rtw8851b_pwr_{on,off}_func() for USB Bitterblue Smith
2025-06-24  5:51   ` Ping-Ke Shih
2025-06-20 19:02 ` [PATCH rtw-next v3 10/14] wifi: rtw89: Fix rtw89_mac_power_switch() " Bitterblue Smith
2025-06-24  5:52   ` Ping-Ke Shih
2025-06-20 19:03 ` [PATCH rtw-next v3 11/14] wifi: rtw89: Add some definitions " Bitterblue Smith
2025-06-20 19:04 ` [PATCH rtw-next v3 12/14] wifi: rtw89: Add usb.{c,h} Bitterblue Smith
2025-06-23 20:08   ` Bitterblue Smith [this message]
2025-06-24  6:18   ` Ping-Ke Shih
2025-06-20 19:05 ` [PATCH rtw-next v3 13/14] wifi: rtw89: Add rtw8851bu.c Bitterblue Smith
2025-06-20 19:05 ` [PATCH rtw-next v3 14/14] wifi: rtw89: Enable the new USB modules Bitterblue Smith
