Re: [PATCH wireless] rtlwifi: rtl_pci: Fix possible use-after-free caused by unfinished tasklet

Next message: syzbot: "Forwarded: Syzbot test for v2: ocfs2: clear lock identity upon inode eviction"
Previous message: Matthew Wilcox: "Re: [PATCH v1 00/11] Zero page-&gt;private when freeing pages"
In reply to: Ping-Ke Shih: "RE: [PATCH wireless] rtlwifi: rtl_pci: Fix possible use-after-free caused by unfinished tasklet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: duoming

Date: Sun Feb 22 2026 - 23:31:40 EST

Ping-Ke Shih <pkshih@xxxxxxxxxxx> wrote:
> > The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
> > scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
> > But it is never killed in rtl_pci_deinit(). When the rtlwifi card
> > probe fails or is being detached, the ieee80211_hw is deallocated.
> > However, irq_prepare_bcn_tasklet may still be running or pending,
> > leading to use-after-free when the freed ieee80211_hw is accessed
> > in _rtl_pci_prepare_bcn_tasklet().
> >
> > Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
> > ensure that irq_prepare_bcn_tasklet is properly terminated before
> > the ieee80211_hw is released.
> >
> > The issue was identified through static analysis.
> >
> > Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
> > Signed-off-by: Duoming Zhou <duoming@xxxxxxxxxx>
>
> The tree selection should be "rtw-next" (may be "rtw", but I don't think
> this patch is urgent), and subject prefix should be "wifi: rtlwifi: ...".
> More, I'd point out the name of tasklet in subject. Then,
> "[PATCH rtw-next] wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet"

Thank you for your time and reply! I will select the "rtw-next" tree,
adjust the subject prefix and send a v2 patch.

> Otherwise, looks good to me.
>
> Acked-by: Ping-Ke Shih <pkshih@xxxxxxxxxxx>

Best regards,
Duoming Zhou