From: Ping-Ke Shih Date: Tue, 21 Oct 2025 13:33:56 +0000 (+0800) Subject: wifi: rtw89: use skb_dequeue() for queued ROC packets to prevent racing X-Git-Tag: v6.19-rc1~170^2~33^2~10^2~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f44a9b14a78f1e2e2c57dbc1f1e93889ad2f6ac0;p=thirdparty%2Fkernel%2Flinux.git wifi: rtw89: use skb_dequeue() for queued ROC packets to prevent racing TX task can enqueue ROC skb, but other tasks dequeue the skb. Using skb_queue_walk_safe() without locking will cause potential racing. Use skb_dequeue() with lock instead. Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20251021133402.15467-3-pkshih@realtek.com --- diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c index 917b2adede61d..8b40cada4149e 100644 --- a/drivers/net/wireless/realtek/rtw89/core.c +++ b/drivers/net/wireless/realtek/rtw89/core.c @@ -3632,12 +3632,10 @@ void rtw89_core_free_sta_pending_roc_tx(struct rtw89_dev *rtwdev, struct ieee80211_sta *sta) { struct rtw89_sta *rtwsta = sta_to_rtwsta(sta); - struct sk_buff *skb, *tmp; + struct sk_buff *skb; - skb_queue_walk_safe(&rtwsta->roc_queue, skb, tmp) { - skb_unlink(skb, &rtwsta->roc_queue); + while ((skb = skb_dequeue(&rtwsta->roc_queue))) dev_kfree_skb_any(skb); - } } static void rtw89_core_stop_tx_ba_session(struct rtw89_dev *rtwdev, @@ -3881,8 +3879,8 @@ static void rtw89_core_sta_pending_tx_iter(void *data, struct ieee80211_vif *vif = rtwvif_to_vif(rtwvif); struct rtw89_vif_link *target = data; struct rtw89_vif_link *rtwvif_link; - struct sk_buff *skb, *tmp; unsigned int link_id; + struct sk_buff *skb; int qsel, ret; rtw89_vif_for_each_link(rtwvif, rtwvif_link, link_id) @@ -3895,9 +3893,7 @@ bottom: if (skb_queue_len(&rtwsta->roc_queue) == 0) return; - skb_queue_walk_safe(&rtwsta->roc_queue, skb, tmp) { - skb_unlink(skb, &rtwsta->roc_queue); - + while ((skb = skb_dequeue(&rtwsta->roc_queue))) { ret = rtw89_core_tx_write(rtwdev, vif, sta, skb, &qsel); if (ret) { rtw89_warn(rtwdev, "pending tx failed with %d\n", ret);