[lvc-project] [PATCH rtw-next v5 2/4] wifi: rtw89: avoid possible TX wait initialization race

Ping-Ke Shih pkshih at realtek.com
Mon Sep 22 04:20:25 MSK 2025


Fedor Pchelkin <pchelkin at ispras.ru> wrote:
> The value of skb_data->wait indicates whether skb is passed on to the
> core mac80211 stack or released by the driver itself.  Make sure that by
> the time skb is added to txwd queue and becomes visible to the completing
> side, it has already allocated and initialized TX wait related data (in
> case it's needed).
> 
> This is found by code review and addresses a possible race scenario
> described below:
> 
>       Waiting thread                          Completing thread
> 
> rtw89_core_send_nullfunc()
>   rtw89_core_tx_write_link()
>     ...
>     rtw89_pci_txwd_submit()
>       skb_data->wait = NULL
>       /* add skb to the queue */
>       skb_queue_tail(&txwd->queue, skb)
> 
>   /* another thread (e.g. rtw89_ops_tx) performs TX kick off for the same queue */
> 
>                                             rtw89_pci_napi_poll()
>                                             ...
>                                               rtw89_pci_release_txwd_skb()
>                                                 /* get skb from the queue */
>                                                 skb_unlink(skb, &txwd->queue)
>                                                 rtw89_pci_tx_status()
>                                                   rtw89_core_tx_wait_complete()
>                                                   /* use incorrect skb_data->wait */
>   rtw89_core_tx_kick_off_and_wait()
>   /* assign skb_data->wait but too late */
> 
> Found by Linux Verification Center (linuxtesting.org).
> 
> Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs")
> Cc: stable at vger.kernel.org
> Signed-off-by: Fedor Pchelkin <pchelkin at ispras.ru>

Acked-by: Ping-Ke Shih <pkshih at realtek.com>
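
The ordering the quoted commit message asks for, as an added example that is not part of this thread or of the rtw89 driver: a single-threaded C model that replays the diagram's interleaving with the wait data set after and before the packet is published. All struct and function names (`pkt`, `tx_wait`, `publish`, `complete_one`, `send_and_wait`) are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the skb, its TX wait data and the txwd queue. */
struct tx_wait { bool completed; };
struct pkt { struct tx_wait *wait; struct pkt *next; };
struct queue { struct pkt *head; };

static void publish(struct queue *q, struct pkt *p)
{
	p->next = q->head;
	q->head = p;			/* from here the completer can see p */
}

/* Completing side: unlink one packet and signal its waiter, if any.
 * A NULL wait is read as "nobody is waiting for this packet". */
static bool complete_one(struct queue *q)
{
	struct pkt *p = q->head;
	if (!p)
		return false;
	q->head = p->next;
	if (p->wait)
		p->wait->completed = true;
	return p->wait != NULL;
}

/* Replays the diagram: the completer runs right after publication.
 * Returns whether the waiter was signalled. */
static bool send_and_wait(bool init_before_publish)
{
	struct queue q = { NULL };
	struct tx_wait w = { false };
	struct pkt p = { NULL, NULL };

	if (init_before_publish)
		p.wait = &w;		/* order the commit message asks for */
	publish(&q, &p);
	complete_one(&q);		/* completing thread wins the window */
	if (!init_before_publish)
		p.wait = &w;		/* racy order: assigned too late */
	return w.completed;
}

int main(void)
{
	printf("racy: %d, fixed: %d\n", send_and_wait(false), send_and_wait(true));
	return 0;
}
```

In the racy order the completer sees `wait == NULL` and the waiter is never signalled; with initialization before publication the same interleaving signals it.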



