* FAILED: patch "[PATCH] wifi: rtl8xxxu: fix potential use of uninitialized value" failed to apply to 6.6-stable tree
@ 2026-05-04 8:42 gregkh
2026-05-09 0:35 ` [PATCH 6.6.y] wifi: rtl8xxxu: fix potential use of uninitialized value Sasha Levin
0 siblings, 1 reply; 2+ messages in thread
From: gregkh @ 2026-05-04 8:42 UTC (permalink / raw)
To: yicong, pkshih; +Cc: stable
The patch below does not apply to the 6.6-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.6.y
git checkout FETCH_HEAD
git cherry-pick -x f8a2fc809bfeb49130709b31a4d357a049f28547
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2026050450-canning-drab-e2be@gregkh' --subject-prefix 'PATCH 6.6.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From f8a2fc809bfeb49130709b31a4d357a049f28547 Mon Sep 17 00:00:00 2001
From: Yi Cong <yicong@kylinos.cn>
Date: Fri, 6 Mar 2026 15:16:27 +0800
Subject: [PATCH] wifi: rtl8xxxu: fix potential use of uninitialized value
The local variables 'mcs' and 'nss' in rtl8xxxu_update_ra_report() are
passed to rtl8xxxu_desc_to_mcsrate() as output parameters. If the helper
function encounters an unhandled rate index, it may return without setting
these values, leading to the use of uninitialized stack data.
Remove the helper rtl8xxxu_desc_to_mcsrate() and inline the logic into
rtl8xxxu_update_ra_report(). This fixes the use of uninitialized 'mcs'
and 'nss' variables for legacy rates.
The new implementation explicitly handles:
- Legacy rates: Set bitrate only.
- HT rates (MCS0-15): Set MCS flags, index, and NSS (1 or 2) directly.
- Invalid rates: Return early.
Fixes: 7de16123d9e2 ("wifi: rtl8xxxu: Introduce rtl8xxxu_update_ra_report")
Cc: stable@vger.kernel.org
Suggested-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Yi Cong <yicong@kylinos.cn>
Link: https://lore.kernel.org/all/96e31963da0c42dcb52ce44f818963d7@realtek.com/
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260306071627.56501-1-cong.yi@linux.dev
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/core.c b/drivers/net/wireless/realtek/rtl8xxxu/core.c
index b4efc6f00a37..d1b1474cba67 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c
@@ -4697,20 +4697,6 @@ static const struct ieee80211_rate rtl8xxxu_legacy_ratetable[] = {
{.bitrate = 540, .hw_value = 0x0b,},
};
-static void rtl8xxxu_desc_to_mcsrate(u16 rate, u8 *mcs, u8 *nss)
-{
- if (rate <= DESC_RATE_54M)
- return;
-
- if (rate >= DESC_RATE_MCS0 && rate <= DESC_RATE_MCS15) {
- if (rate < DESC_RATE_MCS8)
- *nss = 1;
- else
- *nss = 2;
- *mcs = rate - DESC_RATE_MCS0;
- }
-}
-
static void rtl8xxxu_set_basic_rates(struct rtl8xxxu_priv *priv, u32 rate_cfg)
{
struct ieee80211_hw *hw = priv->hw;
@@ -4820,23 +4806,25 @@ static void rtl8xxxu_set_aifs(struct rtl8xxxu_priv *priv, u8 slot_time)
void rtl8xxxu_update_ra_report(struct rtl8xxxu_ra_report *rarpt,
u8 rate, u8 sgi, u8 bw)
{
- u8 mcs, nss;
-
rarpt->txrate.flags = 0;
if (rate <= DESC_RATE_54M) {
rarpt->txrate.legacy = rtl8xxxu_legacy_ratetable[rate].bitrate;
- } else {
- rtl8xxxu_desc_to_mcsrate(rate, &mcs, &nss);
+ } else if (rate >= DESC_RATE_MCS0 && rate <= DESC_RATE_MCS15) {
rarpt->txrate.flags |= RATE_INFO_FLAGS_MCS;
+ if (rate < DESC_RATE_MCS8)
+ rarpt->txrate.nss = 1;
+ else
+ rarpt->txrate.nss = 2;
- rarpt->txrate.mcs = mcs;
- rarpt->txrate.nss = nss;
+ rarpt->txrate.mcs = rate - DESC_RATE_MCS0;
if (sgi)
rarpt->txrate.flags |= RATE_INFO_FLAGS_SHORT_GI;
rarpt->txrate.bw = bw;
+ } else {
+ return;
}
rarpt->bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH 6.6.y] wifi: rtl8xxxu: fix potential use of uninitialized value
2026-05-04 8:42 FAILED: patch "[PATCH] wifi: rtl8xxxu: fix potential use of uninitialized value" failed to apply to 6.6-stable tree gregkh
@ 2026-05-09 0:35 ` Sasha Levin
0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2026-05-09 0:35 UTC (permalink / raw)
To: stable; +Cc: Yi Cong, Ping-Ke Shih, Sasha Levin
From: Yi Cong <yicong@kylinos.cn>
[ Upstream commit f8a2fc809bfeb49130709b31a4d357a049f28547 ]
The local variables 'mcs' and 'nss' in rtl8xxxu_update_ra_report() are
passed to rtl8xxxu_desc_to_mcsrate() as output parameters. If the helper
function encounters an unhandled rate index, it may return without setting
these values, leading to the use of uninitialized stack data.
Remove the helper rtl8xxxu_desc_to_mcsrate() and inline the logic into
rtl8xxxu_update_ra_report(). This fixes the use of uninitialized 'mcs'
and 'nss' variables for legacy rates.
The new implementation explicitly handles:
- Legacy rates: Set bitrate only.
- HT rates (MCS0-15): Set MCS flags, index, and NSS (1 or 2) directly.
- Invalid rates: Return early.
Fixes: 7de16123d9e2 ("wifi: rtl8xxxu: Introduce rtl8xxxu_update_ra_report")
Cc: stable@vger.kernel.org
Suggested-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Yi Cong <yicong@kylinos.cn>
Link: https://lore.kernel.org/all/96e31963da0c42dcb52ce44f818963d7@realtek.com/
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260306071627.56501-1-cong.yi@linux.dev
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 28 ++++++-------------
1 file changed, 8 insertions(+), 20 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index 03aacb7a43171..5a57ffb53acee 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -4809,20 +4809,6 @@ static const struct ieee80211_rate rtl8xxxu_legacy_ratetable[] = {
{.bitrate = 540, .hw_value = 0x0b,},
};
-static void rtl8xxxu_desc_to_mcsrate(u16 rate, u8 *mcs, u8 *nss)
-{
- if (rate <= DESC_RATE_54M)
- return;
-
- if (rate >= DESC_RATE_MCS0 && rate <= DESC_RATE_MCS15) {
- if (rate < DESC_RATE_MCS8)
- *nss = 1;
- else
- *nss = 2;
- *mcs = rate - DESC_RATE_MCS0;
- }
-}
-
static void rtl8xxxu_set_basic_rates(struct rtl8xxxu_priv *priv, u32 rate_cfg)
{
struct ieee80211_hw *hw = priv->hw;
@@ -4927,23 +4913,25 @@ static void rtl8xxxu_set_aifs(struct rtl8xxxu_priv *priv, u8 slot_time)
void rtl8xxxu_update_ra_report(struct rtl8xxxu_ra_report *rarpt,
u8 rate, u8 sgi, u8 bw)
{
- u8 mcs, nss;
-
rarpt->txrate.flags = 0;
if (rate <= DESC_RATE_54M) {
rarpt->txrate.legacy = rtl8xxxu_legacy_ratetable[rate].bitrate;
- } else {
- rtl8xxxu_desc_to_mcsrate(rate, &mcs, &nss);
+ } else if (rate >= DESC_RATE_MCS0 && rate <= DESC_RATE_MCS15) {
rarpt->txrate.flags |= RATE_INFO_FLAGS_MCS;
+ if (rate < DESC_RATE_MCS8)
+ rarpt->txrate.nss = 1;
+ else
+ rarpt->txrate.nss = 2;
- rarpt->txrate.mcs = mcs;
- rarpt->txrate.nss = nss;
+ rarpt->txrate.mcs = rate - DESC_RATE_MCS0;
if (sgi)
rarpt->txrate.flags |= RATE_INFO_FLAGS_SHORT_GI;
rarpt->txrate.bw = bw;
+ } else {
+ return;
}
rarpt->bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
--
2.53.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-09 0:35 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-04 8:42 FAILED: patch "[PATCH] wifi: rtl8xxxu: fix potential use of uninitialized value" failed to apply to 6.6-stable tree gregkh
2026-05-09 0:35 ` [PATCH 6.6.y] wifi: rtl8xxxu: fix potential use of uninitialized value Sasha Levin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.