Re: [PATCH rtw-next v2] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet

Next message: Jakub Kicinski: "Re: [PATCH net-next 0/6] net: mana: Per-vPort EQ and MSI-X interrupt management"
Previous message: Jingbo Xu: "Re: [PATCH v3] fuse: invalidate the page cache after direct write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ping-Ke Shih

Date: Mon Mar 02 2026 - 21:57:03 EST

Duoming Zhou <duoming@xxxxxxxxxx> wrote:

> The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
> scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
> But it is never killed in rtl_pci_deinit(). When the rtlwifi card
> probe fails or is being detached, the ieee80211_hw is deallocated.
> However, irq_prepare_bcn_tasklet may still be running or pending,
> leading to use-after-free when the freed ieee80211_hw is accessed
> in _rtl_pci_prepare_bcn_tasklet().
>
> Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
> ensure that irq_prepare_bcn_tasklet is properly terminated before
> the ieee80211_hw is released.
>
> The issue was identified through static analysis.
>
> Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
> Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
> Acked-by: Ping-Ke Shih <pkshih@xxxxxxxxxxx>

1 patch(es) applied to rtw-next branch of rtw.git, thanks.

039cd522dc70 wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet

---
https://github.com/pkshih/rtw.git