From: Fedor Pchelkin
To: Ping-Ke Shih, Zong-Zhe Yang
Cc: Fedor Pchelkin, Po-Hao Huang, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, stable@vger.kernel.org
Subject: [PATCH rtw v2 1/4] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()
Date: Wed, 27 Aug 2025 15:05:14 +0300
Message-ID: <20250827120603.723548-2-pchelkin@ispras.ru>
In-Reply-To: <20250827120603.723548-1-pchelkin@ispras.ru>

There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to
access already freed skb_data:

 BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110

 CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025
 Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]

 Use-after-free write at 0x0000000020309d9d (in kfence-#251):
  rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110
  rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
  rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
  rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
  rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141
  rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
  rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
  rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
  process_one_work kernel/workqueue.c:3241
  worker_thread kernel/workqueue.c:3400
  kthread kernel/kthread.c:463
  ret_from_fork arch/x86/kernel/process.c:154
  ret_from_fork_asm arch/x86/entry/entry_64.S:258

 kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache

 allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):
  __alloc_skb net/core/skbuff.c:659
  __netdev_alloc_skb net/core/skbuff.c:734
  ieee80211_nullfunc_get net/mac80211/tx.c:5844
  rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431
  rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338
  rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979
  rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165
  rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194
  rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012
  rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059
  rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758
  process_one_work kernel/workqueue.c:3241
  worker_thread kernel/workqueue.c:3400
  kthread kernel/kthread.c:463
  ret_from_fork arch/x86/kernel/process.c:154
  ret_from_fork_asm arch/x86/entry/entry_64.S:258

 freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):
  ieee80211_tx_status_skb net/mac80211/status.c:1117
  rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564
  rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651
  rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676
  rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238
  __napi_poll net/core/dev.c:7495
  net_rx_action net/core/dev.c:7557 net/core/dev.c:7684
  handle_softirqs kernel/softirq.c:580
  do_softirq.part.0 kernel/softirq.c:480
  __local_bh_enable_ip kernel/softirq.c:407
  rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927
  irq_thread_fn kernel/irq/manage.c:1133
  irq_thread kernel/irq/manage.c:1257
  kthread kernel/kthread.c:463
  ret_from_fork arch/x86/kernel/process.c:154
  ret_from_fork_asm arch/x86/entry/entry_64.S:258

It is a consequence of a race between the waiting and the signaling side
of the completion:

 Waiting thread                            Completing thread

 rtw89_core_tx_kick_off_and_wait()
   rcu_assign_pointer(skb_data->wait, wait)
   /* start waiting */
   wait_for_completion_timeout()
                                           rtw89_pci_tx_status()
                                             rtw89_core_tx_wait_complete()
                                               rcu_read_lock()
                                               /* signals completion and
                                                * proceeds further
                                                */
                                               complete(&wait->completion)
                                               rcu_read_unlock()
                                             ...
                                             /* frees skb_data */
                                             ieee80211_tx_status_ni()
   /* returns (exit status doesn't matter) */
   wait_for_completion_timeout()
   ...
   /* accesses the already freed skb_data */
   rcu_assign_pointer(skb_data->wait, NULL)

The completing side might proceed and free the underlying skb even before
the waiting side is fully awoken and run to execution. Actually the race
happens regardless of wait_for_completion_timeout() exit status, e.g.
the waiting side may hit a timeout and the concurrent completing side is
still able to free the skb.

Skbs which are sent by rtw89_core_tx_kick_off_and_wait() are owned by the
driver. They don't come from core ieee80211 stack so no need to pass them
to ieee80211_tx_status_ni() on completing side.

Introduce a work function which will act as a garbage collector for
rtw89_tx_wait_info objects and the associated skbs. Thus no potentially
heavy locks are required on the completing side.

Found by Linux Verification Center (linuxtesting.org).

Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs")
Cc: stable@vger.kernel.org
Suggested-by: Zong-Zhe Yang
Signed-off-by: Fedor Pchelkin
---

v2: use a work function to manage release of tx_waits and associated skbs (Zong-Zhe)

The interesting part is how rtw89_tx_wait_work() should wait for completion
- based on timeout or without it, or just check status with a call to
completion_done().

Simply waiting with wait_for_completion() may become a bottleneck if for
any reason the completion is delayed significantly, and we are holding a
wiphy lock here. I _suspect_ rtw89_pci_tx_status() should be called either
by napi polling handler or in other cases e.g. by rtw89_hci_reset() but
it's hard to deduce for any possible scenario that it will be called in
some time.

Anyway, the current and the next patch try to make sure that when
rtw89_core_tx_wait_complete() is called, skbdata->wait is properly
initialized so that there should be no buggy situations when tx_wait skb
is not recognized and invalidly passed to ieee80211 stack, also without
signaling a completion.

If rtw89_core_tx_wait_complete() is not called at all, this should indicate
a bug elsewhere.

 drivers/net/wireless/realtek/rtw89/core.c | 42 +++++++++++++++++++----
 drivers/net/wireless/realtek/rtw89/core.h | 22 +++++++-----
 drivers/net/wireless/realtek/rtw89/pci.c  |  9 ++---
 3 files changed, 54 insertions(+), 19 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wirele= ss/realtek/rtw89/core.c index 57590f5577a3..48aa02d6abd4 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c 
@@ -1073,6 +1073,26 @@ rtw89_core_tx_update_desc_info(struct rtw89_dev *rtw= dev, } } =20 +static void rtw89_tx_wait_work(struct wiphy *wiphy, struct wiphy_work *wor= k) +{ + struct rtw89_dev *rtwdev =3D container_of(work, struct rtw89_dev, + tx_wait_work); + struct rtw89_tx_wait_info *wait, *tmp; + + lockdep_assert_wiphy(wiphy); + + list_for_each_entry_safe(wait, tmp, &rtwdev->tx_waits, list) { + if (!wait->finished) { + unsigned long tmo =3D msecs_to_jiffies(wait->timeout); + if (!wait_for_completion_timeout(&wait->completion, tmo)) + continue; + } + list_del(&wait->list); + dev_kfree_skb_any(wait->skb); + kfree(wait); + } +} + void rtw89_core_tx_kick_off(struct rtw89_dev *rtwdev, u8 qsel) { u8 ch_dma; @@ -1090,6 +1110,8 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_dev = *rtwdev, struct sk_buff *sk unsigned long time_left; int ret =3D 0; =20 + lockdep_assert_wiphy(rtwdev->hw->wiphy); + wait =3D kzalloc(sizeof(*wait), GFP_KERNEL); if (!wait) { rtw89_core_tx_kick_off(rtwdev, qsel); @@ -1097,18 +1119,23 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_de= v *rtwdev, struct sk_buff *sk } =20 init_completion(&wait->completion); - rcu_assign_pointer(skb_data->wait, wait); + skb_data->wait =3D wait; =20 rtw89_core_tx_kick_off(rtwdev, qsel); time_left =3D wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); - if (time_left =3D=3D 0) + if (time_left =3D=3D 0) { ret =3D -ETIMEDOUT; - else if (!wait->tx_done) - ret =3D -EAGAIN; + } else { + wait->finished =3D true; + if (!wait->tx_done) + ret =3D -EAGAIN; + } =20 - rcu_assign_pointer(skb_data->wait, NULL); - kfree_rcu(wait, rcu_head); + wait->skb =3D skb; + wait->timeout =3D timeout; + list_add_tail(&wait->list, &rtwdev->tx_waits); + wiphy_work_queue(rtwdev->hw->wiphy, &rtwdev->tx_wait_work); =20 return ret; } 
@@ -4972,6 +4999,7 @@ void rtw89_core_stop(struct rtw89_dev *rtwdev) clear_bit(RTW89_FLAG_RUNNING, rtwdev->flags); =20 wiphy_work_cancel(wiphy, &rtwdev->c2h_work); + wiphy_work_cancel(wiphy, &rtwdev->tx_wait_work); wiphy_work_cancel(wiphy, &rtwdev->cancel_6ghz_probe_work); wiphy_work_cancel(wiphy, &btc->eapol_notify_work); wiphy_work_cancel(wiphy, &btc->arp_notify_work); @@ -5203,6 +5231,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) INIT_LIST_HEAD(&rtwdev->scan_info.pkt_list[band]); } INIT_LIST_HEAD(&rtwdev->scan_info.chan_list); + INIT_LIST_HEAD(&rtwdev->tx_waits); INIT_WORK(&rtwdev->ba_work, rtw89_core_ba_work); INIT_WORK(&rtwdev->txq_work, rtw89_core_txq_work); INIT_DELAYED_WORK(&rtwdev->txq_reinvoke_work, rtw89_core_txq_reinvoke_wor= k); @@ -5233,6 +5262,7 @@ int rtw89_core_init(struct rtw89_dev *rtwdev) wiphy_work_init(&rtwdev->c2h_work, rtw89_fw_c2h_work); wiphy_work_init(&rtwdev->ips_work, rtw89_ips_work); wiphy_work_init(&rtwdev->cancel_6ghz_probe_work, rtw89_cancel_6ghz_probe_= work); + wiphy_work_init(&rtwdev->tx_wait_work, rtw89_tx_wait_work); INIT_WORK(&rtwdev->load_firmware_work, rtw89_load_firmware_work); =20 skb_queue_head_init(&rtwdev->c2h_queue); diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wirele= ss/realtek/rtw89/core.h index 43e10278e14d..06f7d82a8d18 100644 --- a/drivers/net/wireless/realtek/rtw89/core.h +++ b/drivers/net/wireless/realtek/rtw89/core.h @@ -3508,12 +3508,16 @@ struct rtw89_phy_rate_pattern { =20 struct rtw89_tx_wait_info { struct rcu_head rcu_head; + struct list_head list; struct completion completion; + struct sk_buff *skb; + unsigned int timeout; bool tx_done; + bool finished; }; =20 struct rtw89_tx_skb_data { - struct rtw89_tx_wait_info __rcu *wait; + struct rtw89_tx_wait_info *wait; u8 hci_priv[]; }; =20 
@@ -5925,6 +5929,9 @@ struct rtw89_dev { /* used to protect rpwm */ spinlock_t rpwm_lock; =20 + struct list_head tx_waits; + struct wiphy_work tx_wait_work; + struct rtw89_cam_info cam_info; =20 struct sk_buff_head c2h_queue; @@ -7258,23 +7265,20 @@ static inline struct sk_buff *rtw89_alloc_skb_for_r= x(struct rtw89_dev *rtwdev, return dev_alloc_skb(length); } =20 -static inline void rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, +static inline bool rtw89_core_tx_wait_complete(struct rtw89_dev *rtwdev, struct rtw89_tx_skb_data *skb_data, bool tx_done) { struct rtw89_tx_wait_info *wait; =20 - rcu_read_lock(); - - wait =3D rcu_dereference(skb_data->wait); + wait =3D skb_data->wait; if (!wait) - goto out; + return false; =20 wait->tx_done =3D tx_done; - complete(&wait->completion); + complete_all(&wait->completion); =20 -out: - rcu_read_unlock(); + return true; } =20 static inline bool rtw89_is_mlo_1_1(struct rtw89_dev *rtwdev) diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireles= s/realtek/rtw89/pci.c index a669f2f843aa..6356c2c224c5 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -464,10 +464,7 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwd= ev, struct rtw89_tx_skb_data *skb_data =3D RTW89_TX_SKB_CB(skb); struct ieee80211_tx_info *info; =20 - rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status =3D=3D RTW89_TX_D= ONE); - info =3D IEEE80211_SKB_CB(skb); - ieee80211_tx_info_clear_status(info); =20 if (info->flags & IEEE80211_TX_CTL_NO_ACK) info->flags |=3D IEEE80211_TX_STAT_NOACK_TRANSMITTED; @@ -494,6 +491,10 @@ static void rtw89_pci_tx_status(struct rtw89_dev *rtwd= ev, } } =20 + if (rtw89_core_tx_wait_complete(rtwdev, skb_data, tx_status =3D=3D RTW89_= TX_DONE)) + return; + + ieee80211_tx_info_clear_status(info); ieee80211_tx_status_ni(rtwdev->hw, skb); } =20 
@@ -1387,7 +1388,7 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rt= wdev, } =20 tx_data->dma =3D dma; - rcu_assign_pointer(skb_data->wait, NULL); + skb_data->wait =3D NULL; =20 txwp_len =3D sizeof(*txwp_info); txwd_len =3D chip->txwd_body_size; --=20 2.50.1
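
Review bot: rtw89_tx_wait_work() in core.c sleeps again for the full `wait->timeout` on every unfinished entry while the wiphy lock is held, and when that second wait times out it does `continue` without re-arming anything. In the visible hunks the work is only queued from rtw89_core_tx_kick_off_and_wait(), so a timed-out entry and its skb stay on `rtwdev->tx_waits` until some later transmit happens to queue the work again. Consider a non-blocking check with `completion_done(&wait->completion)` and re-queueing (or a delayed work) while entries remain.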
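
Review bot: in the rtw89_core_stop() hunk, `wiphy_work_cancel(wiphy, &rtwdev->tx_wait_work);` stops the collector, but none of the visible hunks drains `rtwdev->tx_waits` afterwards. Any entry still on the list at stop time keeps its `wait` allocation and its skb forever. Walk the list and free what is left after the cancel (or on deinit), once the HCI side can no longer call rtw89_core_tx_wait_complete() for those skbs.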
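
Review bot: in the `struct rtw89_tx_wait_info` hunk of core.h, `struct rcu_head rcu_head;` is kept even though this patch removes the only visible user, `kfree_rcu(wait, rcu_head)`, together with the `__rcu` annotation on `skb_data->wait`. Drop the member if nothing else references it, so the struct no longer suggests an RCU-managed lifetime.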
From: Fedor Pchelkin
To: Ping-Ke Shih, Zong-Zhe Yang
Cc: Fedor Pchelkin, Po-Hao Huang, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, stable@vger.kernel.org
Subject: [PATCH rtw v2 2/4] wifi: rtw89: fix tx_wait initialization race
Date: Wed, 27 Aug 2025 15:05:15 +0300
Message-ID: <20250827120603.723548-3-pchelkin@ispras.ru>
In-Reply-To: <20250827120603.723548-1-pchelkin@ispras.ru>

Now that nullfunc skbs are recycled in a separate work item in the driver,
the following race during initialization and processing of those skbs
might lead to noticeable bugs:

 Waiting thread                            Completing thread

 rtw89_core_send_nullfunc()
   rtw89_core_tx_write_link()
     ...
     rtw89_pci_txwd_submit()
       skb_data->wait = NULL
       /* add skb to the queue */
       skb_queue_tail(&txwd->queue, skb)

                                           rtw89_pci_napi_poll()
                                           ...
                                             rtw89_pci_release_txwd_skb()
                                               /* get skb from the queue */
                                               skb_unlink(skb, &txwd->queue)
                                               rtw89_pci_tx_status()
                                                 rtw89_core_tx_wait_complete()
                                                 /* use incorrect skb_data->wait */
   rtw89_core_tx_kick_off_and_wait()
   /* assign skb_data->wait but too late */

The value of skb_data->wait indicates whether skb is passed on to the
core ieee80211 stack or released by the driver itself. So assure that by
the time skb is added to txwd queue and becomes visible to the completing
side, it has already allocated tx_wait-related data (in case it's needed).

Found by Linux Verification Center (linuxtesting.org).

Fixes: 1ae5ca615285 ("wifi: rtw89: add function to wait for completion of TX skbs")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin --- drivers/net/wireless/realtek/rtw89/core.c | 31 +++++++++++++---------- drivers/net/wireless/realtek/rtw89/pci.c | 2 -- 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wirele= ss/realtek/rtw89/core.c index 48aa02d6abd4..28bbc898b95e 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -1106,21 +1106,12 @@ int rtw89_core_tx_kick_off_and_wait(struct rtw89_de= v *rtwdev, struct sk_buff *sk int qsel, unsigned int timeout) { struct rtw89_tx_skb_data *skb_data =3D RTW89_TX_SKB_CB(skb); - struct rtw89_tx_wait_info *wait; + struct rtw89_tx_wait_info *wait =3D skb_data->wait; unsigned long time_left; int ret =3D 0; =20 lockdep_assert_wiphy(rtwdev->hw->wiphy); =20 - wait =3D kzalloc(sizeof(*wait), GFP_KERNEL); - if (!wait) { - rtw89_core_tx_kick_off(rtwdev, qsel); - return 0; - } - - init_completion(&wait->completion); - skb_data->wait =3D wait; - rtw89_core_tx_kick_off(rtwdev, qsel); time_left =3D wait_for_completion_timeout(&wait->completion, msecs_to_jiffies(timeout)); @@ -1184,10 +1175,12 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, static int rtw89_core_tx_write_link(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rtwvif_link, struct rtw89_sta_link *rtwsta_link, - struct sk_buff *skb, int *qsel, bool sw_mld) + struct sk_buff *skb, int *qsel, bool sw_mld, + struct rtw89_tx_wait_info *wait) { struct ieee80211_sta *sta =3D rtwsta_link_to_sta_safe(rtwsta_link); struct ieee80211_vif *vif =3D rtwvif_link_to_vif(rtwvif_link); + struct rtw89_tx_skb_data *skb_data =3D RTW89_TX_SKB_CB(skb); struct rtw89_vif *rtwvif =3D rtwvif_link->rtwvif; struct rtw89_core_tx_request tx_req =3D {}; int ret; 
@@ -1204,6 +1197,8 @@ static int rtw89_core_tx_write_link(struct rtw89_dev = *rtwdev, rtw89_core_tx_update_desc_info(rtwdev, &tx_req); rtw89_core_tx_wake(rtwdev, &tx_req); =20 + skb_data->wait =3D wait; + ret =3D rtw89_hci_tx_write(rtwdev, &tx_req); if (ret) { rtw89_err(rtwdev, "failed to transmit skb to HCI\n"); @@ -1240,7 +1235,8 @@ int rtw89_core_tx_write(struct rtw89_dev *rtwdev, str= uct ieee80211_vif *vif, } } =20 - return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qs= el, false); + return rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, qs= el, false, + NULL); } =20 static __le32 rtw89_build_txwd_body0(struct rtw89_tx_desc_info *desc_info) @@ -3438,6 +3434,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev= , struct rtw89_vif_link *rt struct ieee80211_vif *vif =3D rtwvif_link_to_vif(rtwvif_link); int link_id =3D ieee80211_vif_is_mld(vif) ? rtwvif_link->link_id : -1; struct rtw89_sta_link *rtwsta_link; + struct rtw89_tx_wait_info *wait; struct ieee80211_sta *sta; struct ieee80211_hdr *hdr; struct rtw89_sta *rtwsta; @@ -3447,6 +3444,12 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwde= v, struct rtw89_vif_link *rt if (vif->type !=3D NL80211_IFTYPE_STATION || !vif->cfg.assoc) return 0; =20 + wait =3D kzalloc(sizeof(*wait), GFP_KERNEL); + if (!wait) + return -ENOMEM; + + init_completion(&wait->completion); + rcu_read_lock(); sta =3D ieee80211_find_sta(vif, vif->cfg.ap_addr); if (!sta) { @@ -3471,7 +3474,8 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev= , struct rtw89_vif_link *rt goto out; } =20 - ret =3D rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &= qsel, true); + ret =3D rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &= qsel, true, + wait); if (ret) { rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); dev_kfree_skb_any(skb); 
@@ -3484,6 +3488,7 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev= , struct rtw89_vif_link *rt timeout); out: rcu_read_unlock(); + kfree(wait); =20 return ret; } diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireles= s/realtek/rtw89/pci.c index 6356c2c224c5..8ad505743a8e 100644 --- a/drivers/net/wireless/realtek/rtw89/pci.c +++ b/drivers/net/wireless/realtek/rtw89/pci.c @@ -1372,7 +1372,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rt= wdev, struct pci_dev *pdev =3D rtwpci->pdev; struct sk_buff *skb =3D tx_req->skb; struct rtw89_pci_tx_data *tx_data =3D RTW89_PCI_TX_SKB_CB(skb); - struct rtw89_tx_skb_data *skb_data =3D RTW89_TX_SKB_CB(skb); bool en_wd_info =3D desc_info->en_wd_info; u32 txwd_len; u32 txwp_len; 
@@ -1388,7 +1387,6 @@ static int rtw89_pci_txwd_submit(struct rtw89_dev *rt= wdev, } =20 tx_data->dma =3D dma; - skb_data->wait =3D NULL; =20 txwp_len =3D sizeof(*txwp_info); txwd_len =3D chip->txwd_body_size; --=20 2.50.1
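
Review bot: in the rtw89_core_tx_kick_off_and_wait() hunk, `wait` is now read from `skb_data->wait` and handed straight to `wait_for_completion_timeout(&wait->completion, ...)` with no NULL check, while rtw89_core_tx_write() in the same patch passes NULL for the new `wait` argument. The function silently relies on every caller having written the skb through a path that supplied a wait object. Add a guard at the top (for example a WARN_ON that falls back to rtw89_core_tx_kick_off() and returns an error) or document the precondition in a comment.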
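
Review bot: in rtw89_core_send_nullfunc(), a failed `kzalloc()` now returns -ENOMEM before any frame is built, whereas the code removed from rtw89_core_tx_kick_off_and_wait() still kicked off the transmission without waiting and returned 0. That is a behaviour change for callers under memory pressure and the commit message does not mention it; state it there, and check that callers handle the new error code.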
From: Fedor Pchelkin
To: Ping-Ke Shih, Zong-Zhe Yang
Cc: Fedor Pchelkin, Po-Hao Huang, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH rtw v2 3/4] wifi: rtw89: fix leak in rtw89_core_send_nullfunc()
Date: Wed, 27 Aug 2025 15:05:16 +0300
Message-ID: <20250827120603.723548-4-pchelkin@ispras.ru>
In-Reply-To: <20250827120603.723548-1-pchelkin@ispras.ru>

If there is no rtwsta_link found in rtw89_core_send_nullfunc(), allocated
skb is leaked. Free it on the error handling path.

Found by Linux Verification Center (linuxtesting.org).

Fixes: a8ba4acab7db ("wifi: rtw89: send nullfunc based on the given link")
Signed-off-by: Fedor Pchelkin
---
 drivers/net/wireless/realtek/rtw89/core.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wirele= ss/realtek/rtw89/core.c index 28bbc898b95e..e498c08151d5 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c 
@@ -3454,14 +3454,14 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwd= ev, struct rtw89_vif_link *rt sta =3D ieee80211_find_sta(vif, vif->cfg.ap_addr); if (!sta) { ret =3D -EINVAL; - goto out; + goto out_unlock; } rtwsta =3D sta_to_rtwsta(sta); =20 skb =3D ieee80211_nullfunc_get(rtwdev->hw, vif, link_id, qos); if (!skb) { ret =3D -ENOMEM; - goto out; + goto out_unlock; } =20 hdr =3D (struct ieee80211_hdr *)skb->data; 
@@ -3471,22 +3471,23 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwd= ev, struct rtw89_vif_link *rt rtwsta_link =3D rtwsta->links[rtwvif_link->link_id]; if (unlikely(!rtwsta_link)) { ret =3D -ENOLINK; - goto out; + goto out_free_skb; } =20 ret =3D rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &= qsel, true, wait); if (ret) { rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret); - dev_kfree_skb_any(skb); - goto out; + goto out_free_skb; } =20 rcu_read_unlock(); =20 return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, qsel, timeout); -out: +out_free_skb: + dev_kfree_skb_any(skb); +out_unlock: rcu_read_unlock(); kfree(wait); =20 --=20 2.50.1
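
Review bot: the new `out_free_skb:` / `out_unlock:` labels in the second hunk are written against context that only exists after patch 2/4 (the `wait` argument to rtw89_core_tx_write_link() and the trailing `kfree(wait);`), yet the Fixes tag names an unrelated, independent commit. As ordered, the leak fix cannot be picked without the two preceding patches; moving it to the front of the series would let it apply on its own. Separately, `out_unlock` now also frees `wait`, so a more neutral label name or a short comment would keep the exit path readable.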
From: Fedor Pchelkin
To: Ping-Ke Shih, Zong-Zhe Yang
Cc: Fedor Pchelkin, Po-Hao Huang, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
Subject: [PATCH rtw v2 4/4] wifi: rtw89: avoid circular locking dependency in ser_state_run()
Date: Wed, 27 Aug 2025 15:05:17 +0300
Message-ID: <20250827120603.723548-5-pchelkin@ispras.ru>
In-Reply-To: <20250827120603.723548-1-pchelkin@ispras.ru>

Lockdep gives a splat [1] when ser_hdl_work item is executed. It is
scheduled at mac80211 workqueue via ieee80211_queue_work() and takes a
wiphy lock inside. However, this workqueue can be flushed when e.g.
closing the interface and wiphy lock is already taken in that case.

Choosing wiphy_work_queue() for SER is likely not suitable. Back on to
the global workqueue.

[1]:

 WARNING: possible circular locking dependency detected
 6.17.0-rc2 #17 Not tainted
 ------------------------------------------------------
 kworker/u32:1/61 is trying to acquire lock:
 ffff88811bc00768 (&rdev->wiphy.mtx){+.+.}-{4:4}, at: ser_state_run+0x5e/0x180 [rtw89_core]

 but task is already holding lock:
 ffffc9000048fd30 ((work_completion)(&ser->ser_hdl_work)){+.+.}-{0:0}, at: process_one_work+0x7b5/0x1450

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -> #2 ((work_completion)(&ser->ser_hdl_work)){+.+.}-{0:0}:
        process_one_work+0x7c6/0x1450
        worker_thread+0x49e/0xd00
        kthread+0x313/0x640
        ret_from_fork+0x221/0x300
        ret_from_fork_asm+0x1a/0x30

 -> #1 ((wq_completion)phy0){+.+.}-{0:0}:
        touch_wq_lockdep_map+0x8e/0x180
        __flush_workqueue+0x129/0x10d0
        ieee80211_stop_device+0xa8/0x110
        ieee80211_do_stop+0x14ce/0x2880
        ieee80211_stop+0x13a/0x2c0
        __dev_close_many+0x18f/0x510
        __dev_change_flags+0x25f/0x670
        netif_change_flags+0x7b/0x160
        do_setlink.isra.0+0x1640/0x35d0
        rtnl_newlink+0xd8c/0x1d30
        rtnetlink_rcv_msg+0x700/0xb80
        netlink_rcv_skb+0x11d/0x350
        netlink_unicast+0x49a/0x7a0
        netlink_sendmsg+0x759/0xc20
        ____sys_sendmsg+0x812/0xa00
        ___sys_sendmsg+0xf7/0x180
        __sys_sendmsg+0x11f/0x1b0
        do_syscall_64+0xbb/0x360
        entry_SYSCALL_64_after_hwframe+0x77/0x7f

 -> #0 (&rdev->wiphy.mtx){+.+.}-{4:4}:
        __lock_acquire+0x124c/0x1d20
        lock_acquire+0x154/0x2e0
        __mutex_lock+0x17b/0x12f0
        ser_state_run+0x5e/0x180 [rtw89_core]
        rtw89_ser_hdl_work+0x119/0x220 [rtw89_core]
        process_one_work+0x82d/0x1450
        worker_thread+0x49e/0xd00
        kthread+0x313/0x640
        ret_from_fork+0x221/0x300
        ret_from_fork_asm+0x1a/0x30

 other info that might help us debug this:

 Chain exists of:
   &rdev->wiphy.mtx --> (wq_completion)phy0 --> (work_completion)(&ser->ser_hdl_work)

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock((work_completion)(&ser->ser_hdl_work));
                                lock((wq_completion)phy0);
                                lock((work_completion)(&ser->ser_hdl_work));
   lock(&rdev->wiphy.mtx);

  *** DEADLOCK ***

 2 locks held by kworker/u32:1/61:
  #0: ffff888103835148 ((wq_completion)phy0){+.+.}-{0:0}, at: process_one_work+0xefa/0x1450
  #1: ffffc9000048fd30 ((work_completion)(&ser->ser_hdl_work)){+.+.}-{0:0}, at: process_one_work+0x7b5/0x1450

 stack backtrace:
 CPU: 0 UID: 0 PID: 61 Comm: kworker/u32:1 Not tainted 6.17.0-rc2 #17 PREEMPT(voluntary)
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025
 Workqueue: phy0 rtw89_ser_hdl_work [rtw89_core]
 Call Trace:
  dump_stack_lvl+0x5d/0x80
  print_circular_bug.cold+0x178/0x1be
  check_noncircular+0x14c/0x170
  __lock_acquire+0x124c/0x1d20
  lock_acquire+0x154/0x2e0
  __mutex_lock+0x17b/0x12f0
  ser_state_run+0x5e/0x180 [rtw89_core]
  rtw89_ser_hdl_work+0x119/0x220 [rtw89_core]
  process_one_work+0x82d/0x1450
  worker_thread+0x49e/0xd00
  kthread+0x313/0x640
  ret_from_fork+0x221/0x300
  ret_from_fork_asm+0x1a/0x30

Found by Linux Verification Center (linuxtesting.org).

Fixes: ebfc9199df05 ("wifi: rtw89: add wiphy_lock() to work that isn't held wiphy_lock() yet")
Signed-off-by: Fedor Pchelkin
---
 drivers/net/wireless/realtek/rtw89/ser.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtw89/ser.c b/drivers/net/wireles= s/realtek/rtw89/ser.c index bb39fdbcba0d..6c0a13a854f6 100644 --- a/drivers/net/wireless/realtek/rtw89/ser.c +++ b/drivers/net/wireless/realtek/rtw89/ser.c @@ -205,7 +205,6 @@ static void rtw89_ser_hdl_work(struct work_struct *work) =20 static int ser_send_msg(struct rtw89_ser *ser, u8 event) { - struct rtw89_dev *rtwdev =3D container_of(ser, struct rtw89_dev, ser); struct ser_msg *msg =3D NULL; =20 if (test_bit(RTW89_SER_DRV_STOP_RUN, ser->flags)) @@ -221,7 +220,7 @@ static int ser_send_msg(struct rtw89_ser *ser, u8 event) list_add(&msg->list, &ser->msg_q); spin_unlock_irq(&ser->msg_q_lock); =20 - ieee80211_queue_work(rtwdev->hw, &ser->ser_hdl_work); + schedule_work(&ser->ser_hdl_work); return 0; } =20 --=20 2.50.1
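
Review bot: with `schedule_work(&ser->ser_hdl_work);` in ser_send_msg(), the work item leaves the mac80211 workqueue, so the `__flush_workqueue()` in ieee80211_stop_device() seen in the lockdep chain no longer waits for it. The hunks show no `cancel_work_sync(&ser->ser_hdl_work)` on the stop or deinit path; confirm one exists, or add it, so rtw89_ser_hdl_work() cannot run against a device that has already been stopped or freed. A sentence in the commit message on who now guarantees that ordering would help.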