From: Gongwei Li __skb_unlink(skb, list)) attempt to access skb->next, triggering a NULL pointer dereference (Kernel Panic). [ 541.001831][ 7] [ T273] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 541.011776][ 7] [ T273] Mem abort info: [ 541.015697][ 7] [ T273] ESR = 0x96000046 [ 541.019873][ 7] [ T273] EC = 0x25: DABT (current EL), IL = 32 bits [ 541.026302][ 7] [ T273] SET = 0, FnV = 0 [ 541.030476][ 7] [ T273] EA = 0, S1PTW = 0 [ 541.034733][ 7] [ T273] Data abort info: [ 541.038734][ 7] [ T273] ISV = 0, ISS = 0x00000046 [ 541.043689][ 7] [ T273] CM = 0, WnR = 1 [ 541.047779][ 7] [ T273] user pgtable: 4k pages, 39-bit VAs, pgdp=0000002610943000 [ 541.055341][ 7] [ T273] [0000000000000000] pgd=0000002610948003, pud=0000002610948003, pmd=0000000000000000 [ 541.065173][ 7] [ T273] Internal error: Oops: 96000046 [#1] SMP [ 541.220794][ 7] [ T273] Workqueue: phy0 rtw89_fw_c2h_work [rtw89_core] [ 541.227407][ 7] [ T273] pstate: 20001089 (nzCv daIf -PAN -UAO) [ 541.233339][ 7] [ T273] pc : skb_unlink+0x68/0xa0 [ 541.238164][ 7] [ T273] lr : rtw89_fw_c2h_work+0x3c/0x88 [rtw89_core] [ 541.244686][ 7] [ T273] sp : ffffffa6c998bd40 [ 541.249124][ 7] [ T273] x29: ffffffa6c998bd40 x28: ffffffa6db4ad200 [ 541.255558][ 7] [ T273] x27: ffffffa6dc810000 x26: 0000000000000000 [ 541.261996][ 7] [ T273] x25: ffffffa6dc810090 x24: 0000000000000000 [ 541.268432][ 7] [ T273] x23: ffffffa6da902be0 x22: ffffffa6da903140 [ 541.274877][ 7] [ T273] x21: 0000000000000000 x20: ffffffa6ca2a2900 [ 541.281313][ 7] [ T273] x19: ffffffa6da903970 x18: 0000000000000000 [ 541.287749][ 7] [ T273] x17: 0000007fb74284b8 x16: 0000000000415090 [ 541.294184][ 7] [ T273] x15: 000000007fffffde x14: ffffffa59082bc1b [ 541.300620][ 7] [ T273] x13: ffffffa59082bb16 x12: ffffffa59082bbfa [ 541.307058][ 7] [ T273] x11: 0000000000000000 x10: ffffffff9b08a8a0 [ 541.313494][ 7] [ T273] x9 : 0000000000000000 x8 : 0000000000000000 [ 541.319928][ 7] [ T273] x7 : 0000000000000000 x6 : ffffffa6ca2a2600 [ 541.326363][ 7] [ T273] x5 : 0000000000000060 x4 : 0000000000000000 [ 541.332796][ 7] [ T273] x3 : 0000000000000001 x2 : 0000000000000000 [ 541.339229][ 7] [ T273] x1 : ffffffa6ca2a3600 x0 : 0000000000000000 [ 541.345666][ 7] [ T273] Call trace: [ 541.349254][ 7] [ T273] skb_unlink+0x68/0xa0 [ 541.353720][ 7] [ T273] rtw89_fw_c2h_work+0x3c/0x88 [rtw89_core] [ 541.359907][ 7] [ T273] process_one_work+0x1c0/0x340 [ 541.365050][ 7] [ T273] worker_thread+0x4c/0x488 [ 541.369845][ 7] [ T273] kthread+0xf8/0x128 [ 541.374117][ 7] [ T273] ret_from_fork+0x10/0x18 [ 541.378817][ 7] [ T273] Code: b9001260 a9400281 a9007e9f f9000420 (f9000001) [ 541.386039][ 7] [ T273] ---[ end trace 1c8ff29ce038612f ]--- Signed-off-by: Gongwei Li --- drivers/net/wireless/realtek/rtw89/fw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c index ab904a7de..d00e97eb4 100644 --- a/drivers/net/wireless/realtek/rtw89/fw.c +++ b/drivers/net/wireless/realtek/rtw89/fw.c @@ -6895,6 +6895,8 @@ void rtw89_fw_c2h_work(struct wiphy *wiphy, struct wiphy_work *work) lockdep_assert_wiphy(rtwdev->hw->wiphy); skb_queue_walk_safe(&rtwdev->c2h_queue, skb, tmp) { + if (unlikely(!skb->next || !skb->prev)) + return; skb_unlink(skb, &rtwdev->c2h_queue); rtw89_fw_c2h_cmd_handle(rtwdev, skb); dev_kfree_skb_any(skb); -- 2.25.1