lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <f5d59026-434d-402c-8427-f0a335cc3ce1@RTKEXHMBS06.realtek.com.tw>
Date: Mon, 22 Sep 2025 14:12:48 +0800
From: Ping-Ke Shih <pkshih@...ltek.com>
To: Fedor Pchelkin <pchelkin@...ras.ru>, Ping-Ke Shih <pkshih@...ltek.com>,
        Zong-Zhe Yang <kevin_yang@...ltek.com>
CC: Fedor Pchelkin <pchelkin@...ras.ru>,
        Bitterblue Smith
	<rtl8821cerfe2@...il.com>,
        Po-Hao Huang <phhuang@...ltek.com>, <linux-wireless@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <lvc-project@...uxtesting.org>,
        <stable@...r.kernel.org>
Subject: Re: [PATCH rtw-next v5 1/4] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()

Fedor Pchelkin <pchelkin@...ras.ru> wrote:

> There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to
> access already freed skb_data:
> 
>  BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
> 
>  CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted  6.17.0-rc1+ #1 PREEMPT(lazy)
>  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025
>  Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]
> 
>  Use-after-free write at 0x0000000020309d9d (in kfence-#251):
>  rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
>  rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
>  rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
>  rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
>  rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141
>  rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
>  rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
>  rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
>  process_one_work kernel/workqueue.c:3241
>  worker_thread kernel/workqueue.c:3400
>  kthread kernel/kthread.c:463
>  ret_from_fork arch/x86/kernel/process.c:154
>  ret_from_fork_asm arch/x86/entry/entry_64.S:258
> 
>  kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache
> 
>  allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):
>  __alloc_skb net/core/skbuff.c:659
>  __netdev_alloc_skb net/core/skbuff.c:734
>  ieee80211_nullfunc_get net/mac80211/tx.c:5844
>  rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431
>  rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
>  rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
>  rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
>  rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194
>  rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
>  rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
>  rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
>  process_one_work kernel/workqueue.c:3241
>  worker_thread kernel/workqueue.c:3400
>  kthread kernel/kthread.c:463
>  ret_from_fork arch/x86/kernel/process.c:154
>  ret_from_fork_asm arch/x86/entry/entry_64.S:258
> 
>  freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):
>  ieee80211_tx_status_skb net/mac80211/status.c:1117
>  rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564
>  rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651
>  rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676
>  rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238
>  __napi_poll net/core/dev.c:7495
>  net_rx_action net/core/dev.c:7557 net/core/dev.c:7684
>  handle_softirqs kernel/softirq.c:580
>  do_softirq.part.0 kernel/softirq.c:480
>  __local_bh_enable_ip kernel/softirq.c:407
>  rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927
>  irq_thread_fn kernel/irq/manage.c:1133
>  irq_thread kernel/irq/manage.c:1257
>  kthread kernel/kthread.c:463
>  ret_from_fork arch/x86/kernel/process.c:154
>  ret_from_fork_asm arch/x86/entry/entry_64.S:258
> 
> It is a consequence of a race between the waiting and the signaling side
> of the completion:
> 
>             Waiting thread                            Completing thread
> 
> rtw89_core_tx_kick_off_and_wait()
>   rcu_assign_pointer(skb_data->wait, wait)
>   /* start waiting */
>   wait_for_completion_timeout()
>                                                 rtw89_pci_tx_status()
>                                                   rtw89_core_tx_wait_complete()
>                                                     rcu_read_lock()
>                                                     /* signals completion and
>                                                      * proceeds further
>                                                      */
>                                                     complete(&wait->completion)
>                                                     rcu_read_unlock()
>                                                   ...
>                                                   /* frees skb_data */
>                                                   ieee80211_tx_status_ni()
>   /* returns (exit status doesn't matter) */
>   wait_for_completion_timeout()
>   ...
>   /* accesses the already freed skb_data */
>   rcu_assign_pointer(skb_data->wait, NULL)
> 
> The completing side might proceed and free the underlying skb even before
> the waiting side is fully awoken and run to execution.  Actually the race
> happens regardless of wait_for_completion_timeout() exit status, e.g.
> the waiting side may hit a timeout and the concurrent completing side is
> still able to free the skb.
> 
> Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the
> driver.  They don't come from core ieee80211 stack so no need to pass them
> to ieee80211_tx_status_ni() on completing side.
> 
> Introduce a work function which will act as a garbage collector for
> rtw89_tx_wait_info objects and the associated skbs.  Thus no potentially
> heavy locks are required on the completing side.
> 
> Found by Linux Verification Center (linuxtesting.org).
> 
> Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs")
> Cc: stable@...r.kernel.org
> Suggested-by: Zong-Zhe Yang <kevin_yang@...ltek.com>
> Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
> Acked-by: Ping-Ke Shih <pkshih@...ltek.com>

4 patch(es) applied to rtw-next branch of rtw.git, thanks.

3e31a6bc0731 wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()
c24248ed78f3 wifi: rtw89: avoid possible TX wait initialization race
a9f0064f4716 wifi: rtw89: fix leak in rtw89_core_send_nullfunc()
570f94511766 wifi: rtw89: avoid circular locking dependency in ser_state_run()

---
https://github.com/pkshih/rtw.git

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ