Re: [PATCH] wifi: rsi: fix kthread lifetime race between self-exit and external-stop

Next message: Gabriele Monaco: "Re: [PATCH] tools/rv: harden monitor name lookup bounds checks"
Previous message: Martin Kaiser: "[PATCH 2/3] perf test: fix sys_enter_openat event test for musl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jeongjun Park

Date: Mon Apr 27 2026 - 05:38:42 EST

Hi Hillf,

Hillf Danton <hdanton@xxxxxxxx> wrote:
>
> On Thu, 23 Apr 2026 02:38:46 +0900 Jeongjun Park wrote:
> > RSI driver use both self-exit(kthread_complete_and_exit) and external-stop
> > (kthread_stop) when killing a kthread. Generally, kthread_stop() is called
> > first, and in this case, no particular issues occur.
> >
> > However, in rare instances where kthread_complete_and_exit() is called
> > first and then kthread_stop() is called, a UAF occurs because the kthread
> > object, which has already exited and been freed, is accessed again.
> >
> Alternatively the race could be described with the regular diagram to better
> understand the uaf.
>
> rsi_kill_thread() rsi_tx_scheduler_thread()
> --- ---
> atomic_inc(&handle->thread_done); // set the done flag
> rsi_set_event(&handle->event);
>
> do {
> something;
> } while (atomic_read(&common->tx_thread.thread_done) == 0);
> // exit after done
> kthread_complete_and_exit(&common->tx_thread.completion, 0);
>
> kthread_stop(handle->task); // uaf
>

I did not include the race scenario diagram separately to keep the
description brief. Apart from that, Hillf's diagram itself is accurate.

Regards,
Jeongjun Park