* [PATCH v5 0/5] staging: rtl8723bs: fix OOB read and perform
From: Luka Gejak @ 2026-01-30 18:16 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Dan Carpenter, linux-staging, linux-kernel, Luka Gejak
Changes in v5:
- Corrected commit message line wrapping to 72 characters.
- Removed blank lines between tags in the Signed-off-by block.
- Removed "Security:" prefix from subject lines.
Changes in v4:
- IMPORTANT: Fixed a build regression in rtw_mlme.c found after
submitting v3. v3 will not compile; please use this version instead.
- Fixed build regression in rtw_mlme.c found in v3.
- Removed unused variable 'i' from previous iteration.
Changes in v3:
- Reordered the series so the bugfix is Patch 1/5.
- Patch 1: Dropped memcmp change, kept original byte comparison style
for clarity (requested by Greg KH).
- Patch 1: Added Cc: stable tag.
- Patch 1: Updated commit message to explain the OOB read logic.
Changes in v2:
- Split u1bTmp rename and spacing fixes into two separate patches.
- Split hex modernization and the WMM bugfix into two separate patches.
- Added a Fixes: tag to the WMM bugfix.
- Removed an unused variable and dead debugging code.
Luka Gejak (5):
staging: rtl8723bs: fix potential out-of-bounds read in
rtw_restruct_wmm_ie
staging: rtl8723bs: rename u1bTmp to val
staging: rtl8723bs: fix spacing around operators
staging: rtl8723bs: modernize hex output in rtw_report_sec_ie
staging: rtl8723bs: remove dead debugging code in rtw_mlme_ext.c
drivers/staging/rtl8723bs/core/rtw_mlme.c | 10 +++---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 9 ------
.../staging/rtl8723bs/hal/rtl8723b_hal_init.c | 32 +++++++++----------
drivers/staging/rtl8723bs/hal/sdio_halinit.c | 32 +++++++++----------
4 files changed, 38 insertions(+), 45 deletions(-)
--
2.52.0
* [PATCH v5 1/5] staging: rtl8723bs: fix potential out-of-bounds
From: Luka Gejak @ 2026-01-30 18:16 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Dan Carpenter, linux-staging, linux-kernel, Luka Gejak, stable
The current code checks 'i + 5 < in_len' at the end of the if statement.
However, it accesses 'in_ie[i + 5]' before that check, which can lead
to an out-of-bounds read. Move the length check to the beginning of the
conditional to ensure the index is within bounds before accessing the
array.
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Luka Gejak <lukagejak5@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rtl8723bs/core/rtw_mlme.c
index 98704179ad35..7dfc2678924e 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -2000,7 +2000,10 @@ int rtw_restruct_wmm_ie(struct adapter *adapter, u8 *in_ie, u8 *out_ie, uint in_
while (i < in_len) {
ielength = initial_out_len;
- if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
+ if (i + 5 < in_len &&
+ in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
+ in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
+ in_ie[i + 5] == 0x02) {
for (j = i; j < i + 9; j++) {
out_ie[ielength] = in_ie[j];
ielength++;
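Review bot: the new guard 'i + 5 < in_len' covers only the comparisons; the copy loop directly below it, 'for (j = i; j < i + 9; j++)', still reads in_ie[i + 6] through in_ie[i + 8], which can lie past in_len when the buffer ends inside the element. Consider requiring 'i + 9 <= in_len' (or validating the length byte in_ie[i + 1]) before entering the loop. The hunk also shows no bound on 'ielength' before the write to out_ie[ielength], so it is worth confirming that out_ie has room for the 9 bytes.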
--
2.52.0
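The check-before-read ordering described in the commit message above, shown as an added stand-alone example (not part of the patch or the driver). The helper copy_wmm_ie and the sample buffers are hypothetical and constructed here; the example goes beyond the patch by also bounding the 9-byte copy and the element's declared length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WMM_COPY_LEN 9 /* the driver loop copies in_ie[i] .. in_ie[i + 8] */

/* Bytes at offsets 2..5 that the patched condition compares: OUI 00:50:F2, type 02 */
static const uint8_t wmm_sig[4] = { 0x00, 0x50, 0xF2, 0x02 };

/* Constructed sample buffers (not captured traffic). */
static const uint8_t sample_ok[] = {
    0x00, 0x03, 'a', 'b', 'c',                            /* SSID element */
    0xDD, 0x07, 0x00, 0x50, 0xF2, 0x02, 0x00, 0x01, 0x00  /* WMM element  */
};
/* Buffer ends inside the element: declared length 7, only 3 body bytes. */
static const uint8_t sample_truncated[] = { 0xDD, 0x07, 0x00, 0x50, 0xF2 };
/* Passes "i + 5 < in_len" (5 < 6) but holds fewer than 9 bytes. */
static const uint8_t sample_short[] = { 0xDD, 0x04, 0x00, 0x50, 0xF2, 0x02 };

/*
 * Hypothetical helper: walk ID/length/value elements in ie[0..len) and copy
 * the first 9 bytes of the first WMM element into out.
 * Returns the number of bytes copied, or 0 if no complete WMM element is
 * present, the buffer is truncated, or out is too small.
 */
size_t copy_wmm_ie(const uint8_t *ie, size_t len, uint8_t *out, size_t out_cap)
{
    size_t i = 0;

    while (len - i >= 2) {              /* ID and length bytes must fit */
        size_t body = ie[i + 1];

        if (body > len - i - 2)         /* declared length overruns buffer */
            return 0;

        /* Length checks come first, so && never evaluates an unread byte. */
        if (ie[i] == 0xDD &&
            body >= WMM_COPY_LEN - 2 && /* all 9 bytes are inside the element */
            memcmp(&ie[i + 2], wmm_sig, sizeof(wmm_sig)) == 0) {
            if (out_cap < WMM_COPY_LEN) /* bound the write side as well */
                return 0;
            memcpy(out, &ie[i], WMM_COPY_LEN);
            return WMM_COPY_LEN;
        }
        i += 2 + body;                  /* advance to the next element */
    }
    return 0;
}

int main(void)
{
    uint8_t out[WMM_COPY_LEN];

    printf("ok=%zu truncated=%zu short=%zu\n",
           copy_wmm_ie(sample_ok, sizeof(sample_ok), out, sizeof(out)),
           copy_wmm_ie(sample_truncated, sizeof(sample_truncated), out, sizeof(out)),
           copy_wmm_ie(sample_short, sizeof(sample_short), out, sizeof(out)));
    return 0;
}
```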
* [PATCH v5 2/5] staging: rtl8723bs: rename u1bTmp to val
From: Luka Gejak @ 2026-01-30 18:16 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Dan Carpenter, linux-staging, linux-kernel, Luka Gejak
Rename the variable u1bTmp to val to remove Hungarian notation. This
improves readability and aligns the code with kernel naming standards.
Signed-off-by: Luka Gejak <lukagejak5@gmail.com>
---
.../staging/rtl8723bs/hal/rtl8723b_hal_init.c | 12 +++----
drivers/staging/rtl8723bs/hal/sdio_halinit.c | 32 +++++++++----------
2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
index 57c83f332e74..d75a63fd8a6b 100644
--- a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
+++ b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
@@ -259,7 +259,7 @@ static s32 _FWFreeToGo(struct adapter *adapter, u32 min_cnt, u32 timeout_ms)
void rtl8723b_FirmwareSelfReset(struct adapter *padapter)
{
struct hal_com_data *pHalData = GET_HAL_DATA(padapter);
- u8 u1bTmp;
+ u8 val;
u8 Delay = 100;
if (
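Review bot: in rtl8723b_FirmwareSelfReset the declaration right below the renamed one, 'u8 Delay = 100;', is still CamelCase, and 'pHalData' keeps its Hungarian prefix, so the function does not yet match the naming standard the commit message cites. Either narrow the commit message to say that only u1bTmp is converted, or follow up with a patch for the remaining locals.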
@@ -268,19 +268,19 @@ void rtl8723b_FirmwareSelfReset(struct adapter *padapter)
/* 0x1cf = 0x20. Inform 8051 to reset. 2009.12.25. tynli_test */
rtw_write8(padapter, REG_HMETFR+3, 0x20);
- u1bTmp = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
- while (u1bTmp & BIT2) {
+ val = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
+ while (val & BIT2) {
Delay--;
if (Delay == 0)
break;
udelay(50);
- u1bTmp = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
+ val = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
}
if (Delay == 0) {
/* force firmware reset */
- u1bTmp = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
- rtw_write8(padapter, REG_SYS_FUNC_EN+1, u1bTmp&(~BIT2));
+ val = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
+ rtw_write8(padapter, REG_SYS_FUNC_EN+1, val&(~BIT2));
}
}
}
diff --git a/drivers/staging/rtl8723bs/hal/sdio_halinit.c b/drivers/staging/rtl8723bs/hal/sdio_halinit.c
index 4e81ef53dc47..c774a9009e95 100644
--- a/drivers/staging/rtl8723bs/hal/sdio_halinit.c
+++ b/drivers/staging/rtl8723bs/hal/sdio_halinit.c
@@ -589,7 +589,7 @@ u32 rtl8723bs_hal_init(struct adapter *padapter)
struct hal_com_data *pHalData;
struct pwrctrl_priv *pwrctrlpriv;
u32 NavUpper = WiFiNavUpperUs;
- u8 u1bTmp;
+ u8 val;
pHalData = GET_HAL_DATA(padapter);
pwrctrlpriv = adapter_to_pwrctl(padapter);
@@ -780,9 +780,9 @@ u32 rtl8723bs_hal_init(struct adapter *padapter)
pHalData->SdioTxOQTMaxFreeSpace = pHalData->SdioTxOQTFreeSpace;
/* Enable MACTXEN/MACRXEN block */
- u1bTmp = rtw_read8(padapter, REG_CR);
- u1bTmp |= (MACTXEN | MACRXEN);
- rtw_write8(padapter, REG_CR, u1bTmp);
+ val = rtw_read8(padapter, REG_CR);
+ val |= (MACTXEN | MACRXEN);
+ rtw_write8(padapter, REG_CR, val);
rtw_hal_set_hwreg(padapter, HW_VAR_NAV_UPPER, (u8 *)&NavUpper);
@@ -848,7 +848,7 @@ u32 rtl8723bs_hal_init(struct adapter *padapter)
/* */
static void CardDisableRTL8723BSdio(struct adapter *padapter)
{
- u8 u1bTmp;
+ u8 val;
u8 bMacPwrCtrlOn;
/* Run LPS WL RFOFF flow */
@@ -856,26 +856,26 @@ static void CardDisableRTL8723BSdio(struct adapter *padapter)
/* ==== Reset digital sequence ====== */
- u1bTmp = rtw_read8(padapter, REG_MCUFWDL);
- if ((u1bTmp & RAM_DL_SEL) && padapter->bFWReady) /* 8051 RAM code */
+ val = rtw_read8(padapter, REG_MCUFWDL);
+ if ((val & RAM_DL_SEL) && padapter->bFWReady) /* 8051 RAM code */
rtl8723b_FirmwareSelfReset(padapter);
/* Reset MCU 0x2[10]= 0. Suggested by Filen. 2011.01.26. by tynli. */
- u1bTmp = rtw_read8(padapter, REG_SYS_FUNC_EN + 1);
- u1bTmp &= ~BIT(2); /* 0x2[10], FEN_CPUEN */
- rtw_write8(padapter, REG_SYS_FUNC_EN + 1, u1bTmp);
+ val = rtw_read8(padapter, REG_SYS_FUNC_EN + 1);
+ val &= ~BIT(2); /* 0x2[10], FEN_CPUEN */
+ rtw_write8(padapter, REG_SYS_FUNC_EN + 1, val);
/* MCUFWDL 0x80[1:0]= 0 */
/* reset MCU ready status */
rtw_write8(padapter, REG_MCUFWDL, 0);
/* Reset MCU IO Wrapper, added by Roger, 2011.08.30 */
- u1bTmp = rtw_read8(padapter, REG_RSV_CTRL + 1);
- u1bTmp &= ~BIT(0);
- rtw_write8(padapter, REG_RSV_CTRL + 1, u1bTmp);
- u1bTmp = rtw_read8(padapter, REG_RSV_CTRL + 1);
- u1bTmp |= BIT(0);
- rtw_write8(padapter, REG_RSV_CTRL+1, u1bTmp);
+ val = rtw_read8(padapter, REG_RSV_CTRL + 1);
+ val &= ~BIT(0);
+ rtw_write8(padapter, REG_RSV_CTRL + 1, val);
+ val = rtw_read8(padapter, REG_RSV_CTRL + 1);
+ val |= BIT(0);
+ rtw_write8(padapter, REG_RSV_CTRL+1, val);
/* ==== Reset digital sequence end ====== */
--
2.52.0
* [PATCH v5 3/5] staging: rtl8723bs: fix spacing around operators
From: Luka Gejak @ 2026-01-30 18:16 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Dan Carpenter, linux-staging, linux-kernel, Luka Gejak
Fix coding style issues by adding missing spaces around operators.
Signed-off-by: Luka Gejak <lukagejak5@gmail.com>
---
.../staging/rtl8723bs/hal/rtl8723b_hal_init.c | 28 +++++++++----------
drivers/staging/rtl8723bs/hal/sdio_halinit.c | 2 +-
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
index d75a63fd8a6b..ae5e4980ed06 100644
--- a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
+++ b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
@@ -17,8 +17,8 @@ static void _FWDownloadEnable(struct adapter *padapter, bool enable)
if (enable) {
/* 8051 enable */
- tmp = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
- rtw_write8(padapter, REG_SYS_FUNC_EN+1, tmp|0x04);
+ tmp = rtw_read8(padapter, REG_SYS_FUNC_EN + 1);
+ rtw_write8(padapter, REG_SYS_FUNC_EN + 1, tmp | 0x04);
tmp = rtw_read8(padapter, REG_MCUFWDL);
rtw_write8(padapter, REG_MCUFWDL, tmp|0x01);
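Review bot: the context line 'rtw_write8(padapter, REG_MCUFWDL, tmp|0x01);' directly below the two changed lines still has 'tmp|0x01' without spaces, so _FWDownloadEnable ends up only half converted. Fix it in this hunk as well so the function is consistent after the patch.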
@@ -158,23 +158,23 @@ void _8051Reset8723(struct adapter *padapter)
/* Reset 8051(WLMCU) IO wrapper */
/* 0x1c[8] = 0 */
/* Suggested by Isaac@SD1 and Gimmy@SD1, coding by Lucas@20130624 */
- io_rst = rtw_read8(padapter, REG_RSV_CTRL+1);
+ io_rst = rtw_read8(padapter, REG_RSV_CTRL + 1);
io_rst &= ~BIT(0);
- rtw_write8(padapter, REG_RSV_CTRL+1, io_rst);
+ rtw_write8(padapter, REG_RSV_CTRL + 1, io_rst);
- cpu_rst = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
+ cpu_rst = rtw_read8(padapter, REG_SYS_FUNC_EN + 1);
cpu_rst &= ~BIT(2);
- rtw_write8(padapter, REG_SYS_FUNC_EN+1, cpu_rst);
+ rtw_write8(padapter, REG_SYS_FUNC_EN + 1, cpu_rst);
/* Enable 8051 IO wrapper */
/* 0x1c[8] = 1 */
- io_rst = rtw_read8(padapter, REG_RSV_CTRL+1);
+ io_rst = rtw_read8(padapter, REG_RSV_CTRL + 1);
io_rst |= BIT(0);
- rtw_write8(padapter, REG_RSV_CTRL+1, io_rst);
+ rtw_write8(padapter, REG_RSV_CTRL + 1, io_rst);
- cpu_rst = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
+ cpu_rst = rtw_read8(padapter, REG_SYS_FUNC_EN + 1);
cpu_rst |= BIT(2);
- rtw_write8(padapter, REG_SYS_FUNC_EN+1, cpu_rst);
+ rtw_write8(padapter, REG_SYS_FUNC_EN + 1, cpu_rst);
}
u8 g_fwdl_chksum_fail;
@@ -268,19 +268,19 @@ void rtl8723b_FirmwareSelfReset(struct adapter *padapter)
/* 0x1cf = 0x20. Inform 8051 to reset. 2009.12.25. tynli_test */
rtw_write8(padapter, REG_HMETFR+3, 0x20);
- val = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
+ val = rtw_read8(padapter, REG_SYS_FUNC_EN + 1);
while (val & BIT2) {
Delay--;
if (Delay == 0)
break;
udelay(50);
- val = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
+ val = rtw_read8(padapter, REG_SYS_FUNC_EN + 1);
}
if (Delay == 0) {
/* force firmware reset */
- val = rtw_read8(padapter, REG_SYS_FUNC_EN+1);
- rtw_write8(padapter, REG_SYS_FUNC_EN+1, val&(~BIT2));
+ val = rtw_read8(padapter, REG_SYS_FUNC_EN + 1);
+ rtw_write8(padapter, REG_SYS_FUNC_EN + 1, val & (~BIT2));
}
}
}
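Review bot: 'rtw_write8(padapter, REG_HMETFR+3, 0x20);' at the top of this hunk is left as 'REG_HMETFR+3' while every other operator in the function gets spaces; include it in the cleanup. In the last changed line the parentheses in 'val & (~BIT2)' are redundant, and 'BIT2' differs from the 'BIT(2)' form used in the _8051Reset8723 hunk above, which could be unified in a follow-up.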
diff --git a/drivers/staging/rtl8723bs/hal/sdio_halinit.c b/drivers/staging/rtl8723bs/hal/sdio_halinit.c
index c774a9009e95..668616efa68a 100644
--- a/drivers/staging/rtl8723bs/hal/sdio_halinit.c
+++ b/drivers/staging/rtl8723bs/hal/sdio_halinit.c
@@ -875,7 +875,7 @@ static void CardDisableRTL8723BSdio(struct adapter *padapter)
rtw_write8(padapter, REG_RSV_CTRL + 1, val);
val = rtw_read8(padapter, REG_RSV_CTRL + 1);
val |= BIT(0);
- rtw_write8(padapter, REG_RSV_CTRL+1, val);
+ rtw_write8(padapter, REG_RSV_CTRL + 1, val);
/* ==== Reset digital sequence end ====== */
--
2.52.0
* [PATCH v5 4/5] staging: rtl8723bs: modernize hex output in
From: Luka Gejak @ 2026-01-30 18:16 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Dan Carpenter, linux-staging, linux-kernel, Luka Gejak
Replace the manual hex-printing loop with the standard kernel '%*ph'
format string. This simplifies the code and uses modern logging
practices.
Signed-off-by: Luka Gejak <lukagejak5@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme.c b/drivers/staging/rtl8723bs/core/rtw_mlme.c
index 7dfc2678924e..5e79a720710f 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -2071,7 +2071,7 @@ static int rtw_append_pmkid(struct adapter *Adapter, int iEntry, u8 *ie, uint ie
static void rtw_report_sec_ie(struct adapter *adapter, u8 authmode, u8 *sec_ie)
{
uint len;
- u8 *buff, *p, i;
+ u8 *buff, *p;
union iwreq_data wrqu;
buff = NULL;
@@ -2087,8 +2087,7 @@ static void rtw_report_sec_ie(struct adapter *adapter, u8 authmode, u8 *sec_ie)
len = sec_ie[1] + 2;
len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
- for (i = 0; i < len; i++)
- p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), "%02x", sec_ie[i]);
+ p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), " %*ph", len, sec_ie);
p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), ")");
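Review bot: the replacement line with " %*ph" is not output-equivalent to the removed loop. The old "%02x" loop emitted contiguous hex digits, while '%*ph' separates bytes with spaces and the format string adds a leading space, and this buffer is reported through 'wrqu', so consumers that parse the string see a different format. In addition, '%*ph' prints at most 64 bytes, whereas 'len' is clamped only to IW_CUSTOM_MAX, so a longer IE would be silently cut short. Consider '%*phN' to keep the unseparated form, handle 'len' above 64 explicitly, and mention the format change in the commit message.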
--
2.52.0
* [PATCH v5 5/5] staging: rtl8723bs: remove dead debugging code
From: Luka Gejak @ 2026-01-30 18:16 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Dan Carpenter, linux-staging, linux-kernel, Luka Gejak
Remove the unused local variable 'pattrib' and the unreachable 'if (0)'
debug block in OnAction_sa_query to clean up the driver code.
Signed-off-by: Luka Gejak <lukagejak5@gmail.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index ac49bfbaa5bb..b61841bf16a5 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -1849,7 +1849,6 @@ unsigned int OnAction_ht(struct adapter *padapter, union recv_frame *precv_frame
unsigned int OnAction_sa_query(struct adapter *padapter, union recv_frame *precv_frame)
{
u8 *pframe = precv_frame->u.hdr.rx_data;
- struct rx_pkt_attrib *pattrib = &precv_frame->u.hdr.attrib;
struct mlme_ext_priv *pmlmeext = &(padapter->mlmeextpriv);
unsigned short tid;
@@ -1865,14 +1864,6 @@ unsigned int OnAction_sa_query(struct adapter *padapter, union recv_frame *precv
default:
break;
}
- if (0) {
- int pp;
-
- netdev_dbg(padapter->pnetdev, "pattrib->pktlen = %d =>", pattrib->pkt_len);
- for (pp = 0; pp < pattrib->pkt_len; pp++)
- pr_cont(" %02x ", pframe[pp]);
- pr_cont("\n");
- }
return _SUCCESS;
}
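Review bot: in OnAction_sa_query the commit message calls 'pattrib' unused, but the removed 'if (0)' block is its only visible user, so it becomes unused only once the block goes; say that the variable is dropped together with the block. The block also read 'pframe[pp]', so confirm that 'pframe' still has a user in the part of the function not shown here, otherwise this leaves an unused-variable warning.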
--
2.52.0
* Re: [PATCH v5 0/5] staging: rtl8723bs: fix OOB read and perform
From: Luka Gejak @ 2026-01-30 18:47 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: Dan Carpenter, linux-staging, linux-kernel
Hi Greg and Dan,
Please ignore this v5 series. I realized after sending that my local
git configuration truncated the subject lines in the patches.
I will send a corrected v6 shortly with the full subject lines.
Apologies for the noise.
Best regards, Luka
On Fri, Jan 30, 2026 at 7:16 PM Luka Gejak <lukagejak5@gmail.com> wrote:
>
> Changes in v5:
> - Corrected commit message line wrapping to 72 characters.
> - Removed blank lines between tags in the Signed-off-by block.
> - Removed "Security:" prefix from subject lines.
> Changes in v4:
> - IMPORTANT: Fixed a build regression in rtw_mlme.c found after
> submitting v3. v3 will not compile; please use this version instead.
> - Fixed build regression in rtw_mlme.c found in v3.
> - Removed unused variable 'i' from previous iteration.
> Changes in v3:
> - Reordered the series so the bugfix is Patch 1/5.
> - Patch 1: Dropped memcmp change, kept original byte comparison style
> for clarity (requested by Greg KH).
> - Patch 1: Added Cc: stable tag.
> - Patch 1: Updated commit message to explain the OOB read logic.
> Changes in v2:
> - Split u1bTmp rename and spacing fixes into two separate patches.
> - Split hex modernization and the WMM bugfix into two separate patches.
> - Added a Fixes: tag to the WMM bugfix.
> - Removed an unused variable and dead debugging code.
>
>
> Luka Gejak (5):
> staging: rtl8723bs: fix potential out-of-bounds read in
> rtw_restruct_wmm_ie
> staging: rtl8723bs: rename u1bTmp to val
> staging: rtl8723bs: fix spacing around operators
> staging: rtl8723bs: modernize hex output in rtw_report_sec_ie
> staging: rtl8723bs: remove dead debugging code in rtw_mlme_ext.c
>
> drivers/staging/rtl8723bs/core/rtw_mlme.c | 10 +++---
> drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 9 ------
> .../staging/rtl8723bs/hal/rtl8723b_hal_init.c | 32 +++++++++----------
> drivers/staging/rtl8723bs/hal/sdio_halinit.c | 32 +++++++++----------
> 4 files changed, 38 insertions(+), 45 deletions(-)
>
> --
> 2.52.0
>
* Re: [PATCH v5 0/5] staging: rtl8723bs: fix OOB read and perform
From: Dan Carpenter @ 2026-01-31 13:09 UTC (permalink / raw)
To: Luka Gejak; +Cc: Greg Kroah-Hartman, linux-staging, linux-kernel
On Fri, Jan 30, 2026 at 07:16:15PM +0100, Luka Gejak wrote:
> Changes in v5:
> - Corrected commit message line wrapping to 72 characters.
> - Removed blank lines between tags in the Signed-off-by block.
> - Removed "Security:" prefix from subject lines.
Looks okay.
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
regards,
dan carpenter
* Re: [PATCH v5 0/5] staging: rtl8723bs: fix OOB read and perform
From: Dan Carpenter @ 2026-01-31 13:57 UTC (permalink / raw)
To: Luka Gejak; +Cc: Greg Kroah-Hartman, linux-staging, linux-kernel
On Sat, Jan 31, 2026 at 04:09:11PM +0300, Dan Carpenter wrote:
> On Fri, Jan 30, 2026 at 07:16:15PM +0100, Luka Gejak wrote:
> > Changes in v5:
> > - Corrected commit message line wrapping to 72 characters.
> > - Removed blank lines between tags in the Signed-off-by block.
> > - Removed "Security:" prefix from subject lines.
>
> Looks okay.
>
> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
>
Or we could apply v6 with the tweaked subjects.
regards,
dan carpenter
* Re: [PATCH v5 0/5] staging: rtl8723bs: fix OOB read and perform
From: Luka Gejak @ 2026-01-31 14:05 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Greg Kroah-Hartman, linux-staging, linux-kernel
Hi Dan,
Thank you for the review and for recommending the v6 series to Greg.
I really appreciate the guidance!
Best regards,
Luka
On Sat, Jan 31, 2026 at 2:57 PM Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> On Sat, Jan 31, 2026 at 04:09:11PM +0300, Dan Carpenter wrote:
> > On Fri, Jan 30, 2026 at 07:16:15PM +0100, Luka Gejak wrote:
> > > Changes in v5:
> > > - Corrected commit message line wrapping to 72 characters.
> > > - Removed blank lines between tags in the Signed-off-by block.
> > > - Removed "Security:" prefix from subject lines.
> >
> > Looks okay.
> >
> > Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
> >
>
> Or we could apply v6 with the tweaked subjects.
>
> regards,
> dan carpenter