git.ipfire.org Git - thirdparty/linux.git/commit

author	Duoming Zhou <duoming@zju.edu.cn>
	Mon, 23 Feb 2026 04:55:22 +0000 (12:55 +0800)
committer	Ping-Ke Shih <pkshih@realtek.com>
	Tue, 3 Mar 2026 02:56:05 +0000 (10:56 +0800)
commit	039cd522dc70151da13329a5e3ae19b1736f468a
tree	dff45549ef78d1cfc6b646d1ec057c04400fe6cc	tree \| snapshot
parent	eb101d2abdcccb514ca4fccd3b278dd8267374f6	commit \| diff

wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet

The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
But it is never killed in rtl_pci_deinit(). When the rtlwifi card
probe fails or is being detached, the ieee80211_hw is deallocated.
However, irq_prepare_bcn_tasklet may still be running or pending,
leading to use-after-free when the freed ieee80211_hw is accessed
in _rtl_pci_prepare_bcn_tasklet().

Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
ensure that irq_prepare_bcn_tasklet is properly terminated before
the ieee80211_hw is released.

The issue was identified through static analysis.

Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260223045522.48377-1-duoming@zju.edu.cn