Message-ID: <73dfdd41cf9c422c8cd18d41ab3dd1ec@realtek.com>
Date: Mon, 22 Sep 2025 01:20:25 +0000
From: Ping-Ke Shih <pkshih@...ltek.com>
To: Fedor Pchelkin <pchelkin@...ras.ru>,
        Zong-Zhe Yang
	<kevin_yang@...ltek.com>
CC: Bitterblue Smith <rtl8821cerfe2@...il.com>,
        Bernie Huang
	<phhuang@...ltek.com>,
        "linux-wireless@...r.kernel.org"
	<linux-wireless@...r.kernel.org>,
        "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>,
        "lvc-project@...uxtesting.org"
	<lvc-project@...uxtesting.org>,
        "stable@...r.kernel.org"
	<stable@...r.kernel.org>
Subject: RE: [PATCH rtw-next v5 2/4] wifi: rtw89: avoid possible TX wait initialization race

Fedor Pchelkin <pchelkin@...ras.ru> wrote:
> The value of skb_data->wait indicates whether skb is passed on to the
> core mac80211 stack or released by the driver itself.  Make sure that by
> the time skb is added to txwd queue and becomes visible to the completing
> side, it has already allocated and initialized TX wait related data (in
> case it's needed).
> 
> This is found by code review and addresses a possible race scenario
> described below:
> 
>       Waiting thread                          Completing thread
> 
> rtw89_core_send_nullfunc()
>   rtw89_core_tx_write_link()
>     ...
>     rtw89_pci_txwd_submit()
>       skb_data->wait = NULL
>       /* add skb to the queue */
>       skb_queue_tail(&txwd->queue, skb)
> 
>   /* another thread (e.g. rtw89_ops_tx) performs TX kick off for the same queue */
> 
>                                             rtw89_pci_napi_poll()
>                                             ...
>                                               rtw89_pci_release_txwd_skb()
>                                                 /* get skb from the queue */
>                                                 skb_unlink(skb, &txwd->queue)
>                                                 rtw89_pci_tx_status()
>                                                   rtw89_core_tx_wait_complete()
>                                                   /* use incorrect skb_data->wait */
>   rtw89_core_tx_kick_off_and_wait()
>   /* assign skb_data->wait but too late */
> 
> Found by Linux Verification Center (linuxtesting.org).
> 
> Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs")
> Cc: stable@...r.kernel.org
> Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>

Acked-by: Ping-Ke Shih <pkshih@...ltek.com>
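
The ordering problem described in the quoted commit message, as an added example that is not part of this thread or of the rtw89 driver. It is a single-threaded user-space model: every name in it is hypothetical, and the interleaving is constructed by calling the completing side inside the window between queueing and wait assignment.

```c
/* Added illustration: single-threaded user-space model, not rtw89 driver code.
 * All names are hypothetical; the interleaving is constructed by call order. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct tx_wait { bool completed; };          /* stands in for the TX wait data */
struct pkt { struct tx_wait *wait; struct pkt *next; };
struct queue { struct pkt *head; };
enum outcome { QUEUE_EMPTY, HANDED_TO_STACK, WAITER_SIGNALLED };

static void publish(struct queue *q, struct pkt *p) { p->next = q->head; q->head = p; }

/* Completing side: may run as soon as the packet is visible in the queue.
 * It decides what to do with the packet from the value of p->wait alone. */
static enum outcome complete_one(struct queue *q)
{
    struct pkt *p = q->head;
    if (!p)
        return QUEUE_EMPTY;
    q->head = p->next;
    if (!p->wait)
        return HANDED_TO_STACK;              /* treated as an ordinary frame */
    p->wait->completed = true;
    return WAITER_SIGNALLED;
}

/* Waiting side. init_before_publish selects the fixed order (true) or the racy one.
 * Returns true if the waiter ends up signalled. */
static bool run_sender(bool init_before_publish)
{
    struct queue q = { NULL };
    struct tx_wait w = { false };
    struct pkt p = { init_before_publish ? &w : NULL, NULL };
    publish(&q, &p);                         /* packet becomes visible here */
    complete_one(&q);                        /* completion lands in the window */
    if (!init_before_publish)
        p.wait = &w;                         /* assigned, but too late */
    return w.completed;
}

int main(void)
{
    printf("racy: signalled=%d, fixed: signalled=%d\n",
           run_sender(false), run_sender(true));
    return 0;
}
```

In the racy order the completing side sees a NULL wait pointer and takes the ordinary-frame path, so the waiter is never signalled; with the wait data in place before the packet is published, the same interleaving signals it.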

