Message-ID: <1a3cf60e3d52472894bd98369699ee03@realtek.com>
Date: Thu, 20 Nov 2025 08:25:33 +0000
From: Ping-Ke Shih <pkshih@...ltek.com>
To: Gongwei Li <13875017792@....com>
CC: "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
 Gongwei Li <ligongwei@...inos.cn>
Subject: RE: [PATCH 1/1] wifi: rtw89: Add missing NULL check before __skb_unlink

Gongwei Li <13875017792@....com> wrote:
> From: Gongwei Li <ligongwei@...inos.cn>
>
> __skb_unlink(skb, list) attempts to access skb->next,
> triggering a NULL pointer dereference (Kernel Panic).
>
> [ 541.001831][ 7] [ T273] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000000
> [ 541.011776][ 7] [ T273] Mem abort info:
> [ 541.015697][ 7] [ T273] ESR = 0x96000046
> [ 541.019873][ 7] [ T273] EC = 0x25: DABT (current EL), IL = 32 bits
> [ 541.026302][ 7] [ T273] SET = 0, FnV = 0
> [ 541.030476][ 7] [ T273] EA = 0, S1PTW = 0
> [ 541.034733][ 7] [ T273] Data abort info:
> [ 541.038734][ 7] [ T273] ISV = 0, ISS = 0x00000046
> [ 541.043689][ 7] [ T273] CM = 0, WnR = 1
> [ 541.047779][ 7] [ T273] user pgtable: 4k pages, 39-bit VAs, pgdp=0000002610943000
> [ 541.055341][ 7] [ T273] [0000000000000000] pgd=0000002610948003,
> pud=0000002610948003, pmd=0000000000000000
> [ 541.065173][ 7] [ T273] Internal error: Oops: 96000046 [#1] SMP
>
> [ 541.220794][ 7] [ T273] Workqueue: phy0 rtw89_fw_c2h_work [rtw89_core]
> [ 541.227407][ 7] [ T273] pstate: 20001089 (nzCv daIf -PAN -UAO)
> [ 541.233339][ 7] [ T273] pc : skb_unlink+0x68/0xa0
> [ 541.238164][ 7] [ T273] lr : rtw89_fw_c2h_work+0x3c/0x88 [rtw89_core]
> [ 541.244686][ 7] [ T273] sp : ffffffa6c998bd40
> [ 541.249124][ 7] [ T273] x29: ffffffa6c998bd40 x28: ffffffa6db4ad200
> [ 541.255558][ 7] [ T273] x27: ffffffa6dc810000 x26: 0000000000000000
> [ 541.261996][ 7] [ T273] x25: ffffffa6dc810090 x24: 0000000000000000
> [ 541.268432][ 7] [ T273] x23: ffffffa6da902be0 x22: ffffffa6da903140
> [ 541.274877][ 7] [ T273] x21: 0000000000000000 x20: ffffffa6ca2a2900
> [ 541.281313][ 7] [ T273] x19: ffffffa6da903970 x18: 0000000000000000
> [ 541.287749][ 7] [ T273] x17: 0000007fb74284b8 x16: 0000000000415090
> [ 541.294184][ 7] [ T273] x15: 000000007fffffde x14: ffffffa59082bc1b
> [ 541.300620][ 7] [ T273] x13: ffffffa59082bb16 x12: ffffffa59082bbfa
> [ 541.307058][ 7] [ T273] x11: 0000000000000000 x10: ffffffff9b08a8a0
> [ 541.313494][ 7] [ T273] x9 : 0000000000000000 x8 : 0000000000000000
> [ 541.319928][ 7] [ T273] x7 : 0000000000000000 x6 : ffffffa6ca2a2600
> [ 541.326363][ 7] [ T273] x5 : 0000000000000060 x4 : 0000000000000000
> [ 541.332796][ 7] [ T273] x3 : 0000000000000001 x2 : 0000000000000000
> [ 541.339229][ 7] [ T273] x1 : ffffffa6ca2a3600 x0 : 0000000000000000
> [ 541.345666][ 7] [ T273] Call trace:
> [ 541.349254][ 7] [ T273] skb_unlink+0x68/0xa0
> [ 541.353720][ 7] [ T273] rtw89_fw_c2h_work+0x3c/0x88 [rtw89_core]
> [ 541.359907][ 7] [ T273] process_one_work+0x1c0/0x340
> [ 541.365050][ 7] [ T273] worker_thread+0x4c/0x488
> [ 541.369845][ 7] [ T273] kthread+0xf8/0x128
> [ 541.374117][ 7] [ T273] ret_from_fork+0x10/0x18
> [ 541.378817][ 7] [ T273] Code: b9001260 a9400281 a9007e9f f9000420 (f9000001)
> [ 541.386039][ 7] [ T273] ---[ end trace 1c8ff29ce038612f ]---

Should not add timestamp in commit message.

>
> Signed-off-by: Gongwei Li <ligongwei@...inos.cn>
> ---
> drivers/net/wireless/realtek/rtw89/fw.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
> index ab904a7de..d00e97eb4 100644
> --- a/drivers/net/wireless/realtek/rtw89/fw.c
> +++ b/drivers/net/wireless/realtek/rtw89/fw.c
> @@ -6895,6 +6895,8 @@ void rtw89_fw_c2h_work(struct wiphy *wiphy, struct wiphy_work *work)
> lockdep_assert_wiphy(rtwdev->hw->wiphy);
>
> skb_queue_walk_safe(&rtwdev->c2h_queue, skb, tmp) {
> + if (unlikely(!skb->next || !skb->prev))
> + return;
> skb_unlink(skb, &rtwdev->c2h_queue);
> rtw89_fw_c2h_cmd_handle(rtwdev, skb);
> dev_kfree_skb_any(skb);
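
Review bot: the early `return` on the added `!skb->next || !skb->prev` test inside the `skb_queue_walk_safe()` loop leaves the work function with every remaining entry on `rtwdev->c2h_queue` unhandled, and the skb that failed the test is neither passed to `rtw89_fw_c2h_cmd_handle()` nor freed with `dev_kfree_skb_any()`. The test also only guards the symptom: an skb reached through the queue walk with a NULL `next` or `prev` suggests the list was changed elsewhere while this walk was running, and an unlocked pointer test just before `skb_unlink()` does not close that window. Suggest identifying what else removes entries from `c2h_queue` and fixing the race there instead of bailing out of the loop. The subject and commit message also name `__skb_unlink`, while the hunk and the call trace show `skb_unlink`; please make them agree.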

We sent patch [1] to fix this problem, but it is not upstream yet.
Please try whether [2] works at your site.

[1] https://lore.kernel.org/linux-wireless/20251021133402.15467-2-pkshih@realtek.com/
[2] https://github.com/pkshih/rtw.git rtw-next