Re: [PATCH wireless-next] wifi: rt2x00: Allocate LED names dynamically
From: Rosen Penev
Date: Sun May 17 2026 - 19:24:46 EST
On Sun, May 17, 2026 at 4:18 PM Rosen Penev <rosenp@xxxxxxxxx> wrote:
>
> The rt2x00 LED registration path builds LED class names from the
> driver and wiphy names. A fixed stack buffer can truncate those names
> before they are passed to the LED core.
>
> Allocate each LED name with kasprintf(), check allocation failures, and
> release the stored name when the LED is unregistered.
>
> Assisted-by: Codex:GPT-5.5
I got a crash from this driver:
[11292.387895] ieee80211 phy2: rt2x00_set_rt: Info - RT chipset 3070,
rev 0201 detected
[11293.065970] ieee80211 phy2: rt2x00_set_rf: Info - RF chipset 0005 detected
[11293.072037] ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
[11293.105170] ieee80211 phy2: rt2x00lib_request_firmware: Info -
Loading firmware file 'rt2870.bin'
[11293.105237] ieee80211 phy2: rt2x00lib_request_firmware: Info -
Firmware detected - version: 0.36
[11296.194097] usb 1-11: USB disconnect, device number 6
[11296.196552] ieee80211 phy2: rt2x00usb_vendor_request: Error -
Vendor Request 0x06 failed for offset 0x101c with error -19
[11301.161824] BUG: unable to handle page fault for address: ffffffffffffff08
[11301.161830] #PF: supervisor read access in kernel mode
[11301.161833] #PF: error_code(0x0000) - not-present page
[11301.161835] PGD ea3a27067 P4D ea3a27067 PUD ea3a29067 PMD 0
[11301.161842] Oops: Oops: 0000 [#1] SMP NOPTI
[11301.161847] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted
7.0.8-arch1-1 #1 PREEMPT(full)
c2ec282795e9f47cb8bc86f69b5629c84ae881f4
[11301.161851] Hardware name: To Be Filled By O.E.M. X370 Professional
Gaming/X370 Professional Gaming, BIOS P7.30 10/27/2022
[11301.161854] RIP: 0010:led_blink_set_nosleep+0x1a/0xa0
[11301.161860] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
f3 0f 1e fa 0f 1f 44 00 00 53 48 89 fb 48 83 ec 10 48 89 74 24 08 48
89 14 24 <48> 83 7f 38 00 74 07 48 83 7f 28 00 75 35 48 8d bb 88 00 00
00 e8
[11301.161863] RSP: 0018:ffffc9fc80003d88 EFLAGS: 00010286
[11301.161867] RAX: 0000000000000000 RBX: fffffffffffffed0 RCX: ffffffffc232c4f8
[11301.161869] RDX: 0000000000000000 RSI: 0000000000000001 RDI: fffffffffffffed0
[11301.161871] RBP: ffff89714752de40 R08: ffff8975fef1f2c0 R09: 0000000100a7df80
[11301.161873] R10: 0000000000000201 R11: 0000000000000000 R12: 0000000000000001
[11301.161875] R13: 0000000000000000 R14: ffffc9fc80003e10 R15: ffff8975fef1f2c0
[11301.161877] FS: 0000000000000000(0000) GS:ffff897645967000(0000)
knlGS:0000000000000000
[11301.161880] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[11301.161882] CR2: ffffffffffffff08 CR3: 00000001191d1000 CR4: 0000000000f50ef0
[11301.161884] PKRU: 55555554
[11301.161887] Call Trace:
[11301.161889] <IRQ>
[11301.161893] led_trigger_blink+0x55/0x90
[11301.161898] ? __pfx_tpt_trig_timer+0x10/0x10 [mac80211
43d2d2695e6be7042340c3321c2c597aa1cd7f70]
[11301.161944] ? __pfx_tpt_trig_timer+0x10/0x10 [mac80211
43d2d2695e6be7042340c3321c2c597aa1cd7f70]
[11301.161980] call_timer_fn+0x2a/0x140
[11301.161986] __run_timers+0x269/0x330
[11301.161993] timer_expire_remote+0x47/0x60
[11301.161997] tmigr_handle_remote+0x498/0x570
[11301.162005] handle_softirqs+0xe8/0x2c0
[11301.162011] __irq_exit_rcu+0xc9/0xf0
[11301.162015] sysvec_apic_timer_interrupt+0x71/0x90
[11301.162020] </IRQ>
[11301.162022] <TASK>
[11301.162024] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[11301.162028] RIP: 0010:cpuidle_enter_state+0xbb/0x440
[11301.162032] Code: 00 00 e8 c8 ec ec fe e8 93 ee ff ff 48 89 c5 0f
1f 44 00 00 31 ff e8 04 41 eb fe 45 84 ff 0f 85 74 01 00 00 fb 0f 1f
44 00 00 <45> 85 f6 0f 88 cb 01 00 00 44 89 f1 48 2b 2c 24 48 6b d1 68
48 89
[11301.162034] RSP: 0018:ffffffffb8403e10 EFLAGS: 00000246
[11301.162037] RAX: ffff897645967000 RBX: 0000000000000002 RCX: 0000000000000000
[11301.162039] RDX: 00000a4741bc4107 RSI: fffffffb5c704741 RDI: 0000000000000000
[11301.162041] RBP: 00000a4741bc4107 R08: ffff897645967000 R09: ffffffffb8619920
[11301.162043] R10: ffff8975fea217c0 R11: 0000000000000001 R12: ffff896702508800
[11301.162045] R13: ffffffffb8619920 R14: 0000000000000002 R15: 0000000000000000
[11301.162052] cpuidle_enter+0x31/0x50
[11301.162057] do_idle+0x14b/0x2a0
[11301.162063] cpu_startup_entry+0x29/0x30
[11301.162067] rest_init+0xcc/0xd0
[11301.162071] start_kernel+0xa5b/0xa70
[11301.162077] x86_64_start_reservations+0x24/0x30
[11301.162082] x86_64_start_kernel+0xda/0xe0
[11301.162086] common_startup_64+0x13e/0x141
[11301.162094] </TASK>
[11301.162096] Modules linked in: rt2800usb rt2x00usb rt2800lib
rt2x00lib rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device ccm
algif_aead des3_ede_x86_64 des_generic libdes cmac algif_skcipher md4
bnep algif_hash af_alg vfat fat amd_atl intel_rapl_msr
intel_rapl_common snd_hda_codec_alc882 snd_hda_codec_realtek_lib
snd_hda_codec_generic snd_hda_codec_atihdmi snd_hda_codec_hdmi
snd_hda_intel uvcvideo iwlmvm videobuf2_vmalloc kvm_amd snd_hda_codec
uvc snd_hda_core videobuf2_memops snd_intel_dspcfg videobuf2_v4l2
mac80211 btusb kvm snd_intel_sdw_acpi videobuf2_common btmtk snd_hwdep
btrtl videodev ee1004 libarc4 snd_pcm btbcm irqbypass igb atlantic
btintel snd_timer sp5100_tco mc mousedev iwlwifi wmi_bmof rapl macsec
dca snd mxm_wmi i2c_piix4 ptp pcspkr bluetooth soundcore k10temp
pps_core i2c_smbus gpio_amdpt gpio_generic mac_hid cfg80211 rfkill
crypto_user uinput pkcs8_key_parser i2c_dev ntsync nfnetlink zram
842_decompress 842_compress lz4hc_compress lz4_compress dm_crypt
encrypted_keys trusted asn1_encoder tee
[11301.162195] dm_mod hid_logitech_hidpp amdgpu amdxcp i2c_algo_bit
drm_ttm_helper ttm drm_exec drm_panel_backlight_quirks gpu_sched
drm_suballoc_helper video drm_buddy sr_mod nvme drm_display_helper
hid_logitech_dj cdrom nvme_core ghash_clmulni_intel cec aesni_intel
nvme_keyring ccp nvme_auth hkdf wmi thunderbolt
[11301.162227] CR2: ffffffffffffff08
[11301.162230] ---[ end trace 0000000000000000 ]---
[11301.162232] RIP: 0010:led_blink_set_nosleep+0x1a/0xa0
[11301.162236] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
f3 0f 1e fa 0f 1f 44 00 00 53 48 89 fb 48 83 ec 10 48 89 74 24 08 48
89 14 24 <48> 83 7f 38 00 74 07 48 83 7f 28 00 75 35 48 8d bb 88 00 00
00 e8
[11301.162238] RSP: 0018:ffffc9fc80003d88 EFLAGS: 00010286
[11301.162241] RAX: 0000000000000000 RBX: fffffffffffffed0 RCX: ffffffffc232c4f8
[11301.162243] RDX: 0000000000000000 RSI: 0000000000000001 RDI: fffffffffffffed0
[11301.162245] RBP: ffff89714752de40 R08: ffff8975fef1f2c0 R09: 0000000100a7df80
[11301.162247] R10: 0000000000000201 R11: 0000000000000000 R12: 0000000000000001
[11301.162249] R13: 0000000000000000 R14: ffffc9fc80003e10 R15: ffff8975fef1f2c0
[11301.162251] FS: 0000000000000000(0000) GS:ffff897645967000(0000)
knlGS:0000000000000000
[11301.162253] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[11301.162255] CR2: ffffffffffffff08 CR3: 00000001191d1000 CR4: 0000000000f50ef0
[11301.162258] PKRU: 55555554
[11301.162260] Kernel panic - not syncing: Fatal exception in interrupt
[11301.162414] Kernel Offset: 0x34c00000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
This AI kept trying to patch net/mac80211/led.c. I really don't think
the problem is there. It found this one in the driver itself, although
it's probably not the cause either.
> Signed-off-by: Rosen Penev <rosenp@xxxxxxxxx>
> ---
> .../net/wireless/ralink/rt2x00/rt2x00leds.c | 30 ++++++++++++++-----
> 1 file changed, 23 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c b/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
> index f5361d582d4e..8818e0b2447b 100644
> --- a/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
> +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00leds.c
> @@ -100,6 +100,8 @@ static int rt2x00leds_register_led(struct rt2x00_dev *rt2x00dev,
>
> retval = led_classdev_register(device, &led->led_dev);
> if (retval) {
> + kfree(name);
> + led->led_dev.name = NULL;
> rt2x00_err(rt2x00dev, "Failed to register led handler\n");
> return retval;
> }
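Review bot: The new error path makes rt2x00leds_register_led() free a buffer that its caller allocated, and nothing in the hunk documents that ownership of `name` passes to the LED on entry. A short comment above the function would make the contract explicit, for example `/* Takes ownership of @name: freed here on failure, otherwise in rt2x00leds_unregister_led(). */`. The assignment of `name` to `led->led_dev.name` is outside the hunk, so this presumes the pointer is stored there before led_classdev_register() is called. If so, the old `char name[36]` in rt2x00leds_register() also left the LED holding a pointer into a dead stack frame, which is a lifetime reason for the heap allocation that the comment should record alongside truncation.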
> @@ -111,15 +113,19 @@ static int rt2x00leds_register_led(struct rt2x00_dev *rt2x00dev,
>
> void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
> {
> - char name[36];
> + char *name;
> int retval;
> unsigned long on_period;
> unsigned long off_period;
> const char *phy_name = wiphy_name(rt2x00dev->hw->wiphy);
>
> if (rt2x00dev->led_radio.flags & LED_INITIALIZED) {
> - snprintf(name, sizeof(name), "%s-%s::radio",
> - rt2x00dev->ops->name, phy_name);
> + name = kasprintf(GFP_KERNEL, "%s-%s::radio",
> + rt2x00dev->ops->name, phy_name);
> + if (!name) {
> + retval = -ENOMEM;
> + goto exit_fail;
> + }
>
> retval = rt2x00leds_register_led(rt2x00dev,
> &rt2x00dev->led_radio,
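Review bot: `retval = -ENOMEM;` before `goto exit_fail` looks like a dead store: rt2x00leds_register() returns void, so the value is never used unless the code at `exit_fail` (outside the hunk) reads `retval`. The branch could shrink to `if (!name) goto exit_fail;`, and the same applies to the assoc and quality hunks below. The three allocate-and-check blocks differ only in the suffix string. Moving the kasprintf() into rt2x00leds_register_led() and passing the suffix would keep the allocation and the failure-path kfree() in one function.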
> @@ -129,8 +135,12 @@ void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
> }
>
> if (rt2x00dev->led_assoc.flags & LED_INITIALIZED) {
> - snprintf(name, sizeof(name), "%s-%s::assoc",
> - rt2x00dev->ops->name, phy_name);
> + name = kasprintf(GFP_KERNEL, "%s-%s::assoc",
> + rt2x00dev->ops->name, phy_name);
> + if (!name) {
> + retval = -ENOMEM;
> + goto exit_fail;
> + }
>
> retval = rt2x00leds_register_led(rt2x00dev,
> &rt2x00dev->led_assoc,
> @@ -140,8 +150,12 @@ void rt2x00leds_register(struct rt2x00_dev *rt2x00dev)
> }
>
> if (rt2x00dev->led_qual.flags & LED_INITIALIZED) {
> - snprintf(name, sizeof(name), "%s-%s::quality",
> - rt2x00dev->ops->name, phy_name);
> + name = kasprintf(GFP_KERNEL, "%s-%s::quality",
> + rt2x00dev->ops->name, phy_name);
> + if (!name) {
> + retval = -ENOMEM;
> + goto exit_fail;
> + }
>
> retval = rt2x00leds_register_led(rt2x00dev,
> &rt2x00dev->led_qual,
> @@ -182,6 +196,8 @@ static void rt2x00leds_unregister_led(struct rt2x00_led *led)
> led->led_dev.brightness_set(&led->led_dev, LED_OFF);
>
> led->flags &= ~LED_REGISTERED;
> + kfree(led->led_dev.name);
> + led->led_dev.name = NULL;
> }
>
> void rt2x00leds_unregister(struct rt2x00_dev *rt2x00dev)
> --
> 2.54.0
>