On 20/06/2025 22:04, Bitterblue Smith wrote:
> Add very basic USB support. No TX/RX aggregation, no TX queues,

Commit 47a498b84f01 ("wifi: rtw89: TX nulldata 0 after scan complete")
exposed a problem with my lazy "no TX queues" approach:

[30316.444515] BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait+0xed/0x1e0 [rtw89_core]
[30316.444616] Use-after-free write at 0x00000000719224cd (in kfence-#231):
[30316.444623]  rtw89_core_tx_kick_off_and_wait+0xed/0x1e0 [rtw89_core]
[30316.444716]  rtw89_core_scan_complete+0x19b/0x260 [rtw89_core]
[30316.444810]  rtw89_hw_scan_complete_cb+0xbb/0x150 [rtw89_core]
[30316.444906]  rtw89_chanctx_proceed_cb+0x21/0x40 [rtw89_core]
[30316.444988]  rtw89_chanctx_proceed+0x45/0x90 [rtw89_core]
[30316.445067]  rtw89_hw_scan_complete+0x4e/0x70 [rtw89_core]
[30316.445156]  rtw89_mac_c2h_scanofld_rsp+0x33a/0x380 [rtw89_core]
[30316.445241]  rtw89_fw_c2h_cmd_handle+0x89/0x100 [rtw89_core]
[30316.445332]  rtw89_fw_c2h_work+0x3c/0x60 [rtw89_core]
[30316.445412]  cfg80211_wiphy_work+0x110/0x190 [cfg80211]
[30316.445412]  process_one_work+0x190/0x350
[30316.445412]  worker_thread+0x2d7/0x410
[30316.445412]  kthread+0xf9/0x240
[30316.445412]  ret_from_fork+0x31/0x50
[30316.445412]  ret_from_fork_asm+0x1a/0x30

[30316.445412] kfence-#231: 0x0000000049346f7c-0x000000006dacad1c, size=232, cache=skbuff_head_cache

[30316.445412] allocated by task 17836 on cpu 0 at 30316.413509s (0.031903s ago):
[30316.445412]  __alloc_skb+0x148/0x1a0
[30316.445412]  __netdev_alloc_skb+0x38/0x190
[30316.445412]  ieee80211_nullfunc_get+0x3f/0x210 [mac80211]
[30316.445412]  rtw89_core_send_nullfunc+0xd2/0x190 [rtw89_core]
[30316.445412]  rtw89_core_scan_complete+0x19b/0x260 [rtw89_core]
[30316.445412]  rtw89_hw_scan_complete_cb+0xbb/0x150 [rtw89_core]
[30316.445412]  rtw89_chanctx_proceed_cb+0x21/0x40 [rtw89_core]
[30316.445412]  rtw89_chanctx_proceed+0x45/0x90 [rtw89_core]
[30316.445412]  rtw89_hw_scan_complete+0x4e/0x70 [rtw89_core]
[30316.445412]  rtw89_mac_c2h_scanofld_rsp+0x33a/0x380 [rtw89_core]
[30316.445412]  rtw89_fw_c2h_cmd_handle+0x89/0x100 [rtw89_core]
[30316.445412]  rtw89_fw_c2h_work+0x3c/0x60 [rtw89_core]
[30316.445412]  cfg80211_wiphy_work+0x110/0x190 [cfg80211]
[30316.445412]  process_one_work+0x190/0x350
[30316.445412]  worker_thread+0x2d7/0x410
[30316.445412]  kthread+0xf9/0x240
[30316.445412]  ret_from_fork+0x31/0x50
[30316.445412]  ret_from_fork_asm+0x1a/0x30

[30316.445412] freed by task 0 on cpu 3 at 30316.413558s (0.031854s ago):
[30316.445412]  ieee80211_tx_status_skb+0x75/0xb0 [mac80211]
[30316.445412]  ieee80211_handle_queued_frames+0x9f/0xd0 [mac80211]
[30316.445412]  tasklet_action_common+0xc5/0x230
[30316.445412]  handle_softirqs+0xe3/0x2a0
[30316.445412]  __irq_exit_rcu+0xcb/0xf0
[30316.445412]  common_interrupt+0x85/0xa0
[30316.445412]  asm_common_interrupt+0x26/0x40
[30316.445412]  cpuidle_enter_state+0xbb/0x410
[30316.445412]  cpuidle_enter+0x31/0x50
[30316.445412]  do_idle+0x1b1/0x210
[30316.445412]  cpu_startup_entry+0x29/0x30
[30316.445412]  start_secondary+0x119/0x140
[30316.445412]  common_startup_64+0x13e/0x141

[30316.445412] CPU: 0 UID: 0 PID: 17836 Comm: kworker/u16:1 Tainted: G           OE      6.15.1-arch1-2 #1 PREEMPT(full)  cd63386364b969355862abafc710704c8116e874
[30316.445412] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[30316.445412] Hardware name: LENOVO 82KR/LNVNB161216, BIOS HBCN18WW 08/27/2021
[30316.445412] Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]

rtw89_core_send_nullfunc() calls rtw89_core_tx_write_link().
rtw89_usb_ops_tx_write() transmits the frame immediately and
rtw89_usb_write_port_complete() hands it to ieee80211_tx_status_irqsafe().
Then rtw89_core_send_nullfunc() calls rtw89_core_tx_kick_off_and_wait(),
but the nullfunc was already freed by mac80211.

So I will add TX queues in v4.
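The ordering problem described in the mail, as an added, constructed model in userspace C. This is not rtw89, mac80211 or kernel code: the function names only mirror the ones in the report so the flow is recognisable, the skb pool, the `hci_model` struct and the `queue_tx` switch are all assumptions of the model. The point it shows is that a transport whose `tx_write` submits the frame on the spot lets the completion path hand the skb back to mac80211 (which frees it) before the caller ever reaches `tx_kick_off_and_wait()`, whereas a queued transport only transmits when kicked, so the skb is still alive when the wait is installed. Because the skb slots are pooled rather than heap-allocated, the stale pointer is detected and turned into an error code instead of corrupting memory; in the real driver that same access is the use-after-free write that KFENCE flagged.

```c
/* Constructed model of the immediate-TX vs queued-TX ordering bug.
 * Not driver code: names are borrowed from the report for readability. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_SKBS      8
#define MODEL_EFAULT  14   /* stands in for -EFAULT in the model */

enum skb_state { SKB_FREE = 0, SKB_ALLOCATED, SKB_QUEUED };

/* Stand-in for struct sk_buff: a pooled slot, so a stale pointer can be
 * recognised instead of dereferencing freed memory. */
struct skb {
    enum skb_state state;
    bool *completion;          /* set once tx_status() has run */
};

struct hci_model {
    bool queue_tx;             /* false: transmit inside tx_write (buggy) */
    struct skb pool[MAX_SKBS];
    struct skb *txq[MAX_SKBS]; /* frames pending a kick when queue_tx */
    size_t txq_len;
};

static struct skb *skb_alloc(struct hci_model *m, bool *completion)
{
    for (size_t i = 0; i < MAX_SKBS; i++) {
        if (m->pool[i].state == SKB_FREE) {
            m->pool[i].state = SKB_ALLOCATED;
            m->pool[i].completion = completion;
            return &m->pool[i];
        }
    }
    return NULL;
}

/* Models ieee80211_tx_status_irqsafe(): after status is reported, mac80211
 * owns the skb and frees it, so the driver must not touch it again. */
static void tx_status(struct skb *skb)
{
    *skb->completion = true;
    skb->state = SKB_FREE;     /* modelled free: slot returns to the pool */
}

/* Models the USB write completing and handing the frame back. */
static void write_port_complete(struct skb *skb)
{
    tx_status(skb);
}

/* Models hci tx_write(): the buggy variant submits the frame right here,
 * the queued variant only parks it until tx_kick_off(). */
static void tx_write(struct hci_model *m, struct skb *skb)
{
    if (m->queue_tx) {
        skb->state = SKB_QUEUED;
        m->txq[m->txq_len++] = skb;
    } else {
        write_port_complete(skb);  /* skb is gone after this returns */
    }
}

/* Models tx_kick_off(): flush everything the queue holds. */
static void tx_kick_off(struct hci_model *m)
{
    for (size_t i = 0; i < m->txq_len; i++)
        write_port_complete(m->txq[i]);
    m->txq_len = 0;
}

/* Models tx_kick_off_and_wait(): it touches the skb to set up the wait,
 * then kicks TX and waits for completion.  In the kernel that touch is a
 * write into freed memory when the frame already completed; the pooled
 * slot lets this model detect the stale pointer and return an error. */
static int tx_kick_off_and_wait(struct hci_model *m, struct skb *skb)
{
    bool *done;

    if (skb->state == SKB_FREE)
        return -MODEL_EFAULT;      /* the use-after-free would be here */
    done = skb->completion;        /* the access into the skb */
    tx_kick_off(m);
    return *done ? 0 : -1;         /* -1: the wait would time out */
}

/* Models send_nullfunc(): allocate, write, then kick off and wait. */
int send_nullfunc(bool queue_tx)
{
    struct hci_model m = { .queue_tx = queue_tx };
    bool done = false;
    struct skb *skb = skb_alloc(&m, &done);

    if (!skb)
        return -1;
    tx_write(&m, skb);
    return tx_kick_off_and_wait(&m, skb);
}

int main(void)
{
    printf("immediate TX: %d\n", send_nullfunc(false));  /* -14 */
    printf("queued TX:    %d\n", send_nullfunc(true));   /* 0 */
    return 0;
}
```

The immediate variant returns the modelled -EFAULT because the frame was completed and released inside `tx_write()`, before the caller's wait existed; the queued variant returns 0 because the frame only leaves the queue when `tx_kick_off()` runs, after the wait has been set up. Both runs use one pool and one completion flag per call, so they are independent of each other.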