Linux kernel staging patches
* Re: [PATCH] greybus: audio: bound the topology section sizes against the fetched size
From: Dan Carpenter @ 2026-06-16  7:42 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: hexlabsecurity, Mark Greer, Vaibhav Agarwal, Johan Hovold,
	linux-kernel, linux-staging, greybus-dev, Alex Elder
In-Reply-To: <2026061643-crowbar-handgrip-620d@gregkh>

On Tue, Jun 16, 2026 at 12:01:30PM +0530, Greg Kroah-Hartman wrote:
> On Tue, Jun 16, 2026 at 01:06:12AM -0500, Bryam Vargas via B4 Relay wrote:
> > ---
> >  drivers/staging/greybus/audio_gb.c | 13 +++++++++++++
> >  1 file changed, 13 insertions(+)
> > 
> > diff --git a/drivers/staging/greybus/audio_gb.c b/drivers/staging/greybus/audio_gb.c
> > index 9d8994fdb41a..144591f1a512 100644
> > --- a/drivers/staging/greybus/audio_gb.c
> > +++ b/drivers/staging/greybus/audio_gb.c
> > @@ -37,6 +37,19 @@ int gb_audio_gb_get_topology(struct gb_connection *connection,
> >  		return ret;
> >  	}
> >  
> > +	/*
> > +	 * The size_* fields are supplied by the module and are used by
> > +	 * gbaudio_tplg_parse_data() to compute offsets into the blob; make
> > +	 * sure the sections fit within the fetched topology, so walking it
> > +	 * cannot read out of bounds.
> > +	 */
> > +	if ((u64)le32_to_cpu(topo->size_dais) + le32_to_cpu(topo->size_controls) +
> > +	    le32_to_cpu(topo->size_widgets) + le32_to_cpu(topo->size_routes) >
> > +	    size - sizeof(*topo)) {
> 
> Are you sure these checks will not overflow?


Yep.  The cast to u64 ensures that.

regards,
dan carpenter



* Re: [PATCH v2 3/4] staging: rtl8723bs: convert update_attrib_sec_info to return errno
From: Dan Carpenter @ 2026-06-16  7:39 UTC (permalink / raw)
  To: Hungyu Lin; +Cc: gregkh, linux-staging, linux-kernel
In-Reply-To: <20260615234340.97299-4-dennylin0707@gmail.com>

On Mon, Jun 15, 2026 at 11:43:39PM +0000, Hungyu Lin wrote:
> Convert update_attrib_sec_info() to return 0 on success and
> a negative errno on failure.
> 
> No functional change intended.
> 
> Signed-off-by: Hungyu Lin <dennylin0707@gmail.com>
> ---
>  drivers/staging/rtl8723bs/core/rtw_xmit.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
> index 69b6d3a2554a..0fd2415e7bb7 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
> @@ -505,7 +505,7 @@ static void update_attrib_phy_info(struct adapter *padapter, struct pkt_attrib *
>  	pattrib->retry_ctrl = false;
>  }
>  
> -static s32 update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *pattrib, struct sta_info *psta)
> +static int update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *pattrib, struct sta_info *psta)
>  {

Sorry, I was unclear.  You tried to follow my directions and then v2
introduced a bug as a result when actually v1 worked...  What I want
here is to update the check in the caller but not what it returns.

1 Bad:

	if (update_attrib_sec_info() == _FAIL)
		return _FAIL;

2 Not yet:
	ret = update_attrib_sec_info();
	if (ret)
		return ret;

3 Good:
	ret = update_attrib_sec_info();
	if (ret)
		return _FAIL;

And then in the next patch change all the return _FAIL sites in the
caller.  So we'll eventually move to option 2, but in a two step
process.

regards,
dan carpenter




* Re: [PATCH] greybus: audio: bound the topology section sizes against the fetched size
From: Greg Kroah-Hartman @ 2026-06-16  6:31 UTC (permalink / raw)
  To: hexlabsecurity
  Cc: Mark Greer, Vaibhav Agarwal, Johan Hovold, linux-kernel,
	linux-staging, greybus-dev, Alex Elder
In-Reply-To: <20260616-b4-disp-4352e8b0-v1-1-3e09f62e0ad5@proton.me>

On Tue, Jun 16, 2026 at 01:06:12AM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <hexlabsecurity@proton.me>
> 
> gb_audio_gb_get_topology() fetches a topology blob of a module-supplied
> size, and gbaudio_tplg_parse_data() then walks it by adding the
> module-supplied size_dais, size_controls and size_widgets fields to
> form the control, widget and route section offsets. Those le32 sizes
> are never checked against the fetched blob, so a module reporting a
> small topology size but large section sizes makes the offsets point
> past the allocation, and parsing reads out of bounds.

But we trust the hardware to send us proper data, right?  If we don't
trust modules, then there are lots of other places stuff like this needs
to be fixed, how many data paths did you audit?

> 
> Reject a topology whose section sizes do not fit within the fetched
> size before it is parsed.
> 
> Fixes: 184992e305f1 ("greybus: audio: Add Greybus Audio Device Class Protocol helper routines")
> Cc: stable@vger.kernel.org
> Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
> ---
> I reproduced the out-of-bounds read both in-kernel under KASAN and with
> a userspace AddressSanitizer model of the gbaudio_tplg_process_header()
> offset walk. The topology blob is kzalloc(size) where size is
> module-supplied (a u16), and process_header() forms control_offset =
> &data + size_dais, widget_offset = control_offset + size_controls, etc.;
> the consumers then read structs at those offsets.
> 
>   - In-kernel (7.1.0-rc5 + KASAN): a 64-byte blob (header 24, so 40 bytes
>     available) with size_dais = 44 makes control_offset point 4 bytes
>     past the allocation, and reading the first control byte there trips:
> 
>       BUG: KASAN: slab-out-of-bounds in ...parse_topology...
>       Read of size 1 at addr ...
>       ... which belongs to the cache kmalloc-64 of size 64
>       The buggy address is located 4 bytes to the right of
>        allocated 64-byte region
> 
>     The patched arm (sections rejected, -EINVAL) and an in-bounds control
>     arm (size_dais = 8) read cleanly with no KASAN report.
>   - ASan model (-m32 and -m64): size_dais = 4096 makes control_offset
>     point ~4 KB past the 64-byte blob - heap-buffer-overflow READ located
>     4056 bytes after the region, both ABIs; patched and in-bounds clean.
> 
> The source is a greybus audio module trust boundary (an attacker-supplied
> or compromised module reporting a malformed topology); the access is a
> read, and a large size_dais sends the offset far enough to fault. The
> reproducer (kernel module + ASan model) is available on request.


How did you find/fix this?  You need to list what tools helped you...

> ---
>  drivers/staging/greybus/audio_gb.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/drivers/staging/greybus/audio_gb.c b/drivers/staging/greybus/audio_gb.c
> index 9d8994fdb41a..144591f1a512 100644
> --- a/drivers/staging/greybus/audio_gb.c
> +++ b/drivers/staging/greybus/audio_gb.c
> @@ -37,6 +37,19 @@ int gb_audio_gb_get_topology(struct gb_connection *connection,
>  		return ret;
>  	}
>  
> +	/*
> +	 * The size_* fields are supplied by the module and are used by
> +	 * gbaudio_tplg_parse_data() to compute offsets into the blob; make
> +	 * sure the sections fit within the fetched topology, so walking it
> +	 * cannot read out of bounds.
> +	 */
> +	if ((u64)le32_to_cpu(topo->size_dais) + le32_to_cpu(topo->size_controls) +
> +	    le32_to_cpu(topo->size_widgets) + le32_to_cpu(topo->size_routes) >
> +	    size - sizeof(*topo)) {
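
Review bot: The comment above the check should say why the sum on the `(u64)le32_to_cpu(topo->size_dais) + ...` lines cannot wrap, because that safety is implicit: the cast binds to the first operand only, and it is the left-to-right association of the additions that promotes each later le32_to_cpu() value to 64 bits. Four 32-bit values cannot exceed 64 bits, so that side is fine as written, but reading the four fields into u64 locals before adding would make the check independent of operand order.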

Are you sure these checks will not overflow?

thanks,

greg k-h


* [PATCH] greybus: audio: bound the topology section sizes against the fetched size
From: Bryam Vargas via B4 Relay @ 2026-06-16  6:06 UTC (permalink / raw)
  To: Mark Greer, Vaibhav Agarwal
  Cc: Johan Hovold, linux-kernel, Greg Kroah-Hartman, linux-staging,
	greybus-dev, Alex Elder

From: Bryam Vargas <hexlabsecurity@proton.me>

gb_audio_gb_get_topology() fetches a topology blob of a module-supplied
size, and gbaudio_tplg_parse_data() then walks it by adding the
module-supplied size_dais, size_controls and size_widgets fields to
form the control, widget and route section offsets. Those le32 sizes
are never checked against the fetched blob, so a module reporting a
small topology size but large section sizes makes the offsets point
past the allocation, and parsing reads out of bounds.

Reject a topology whose section sizes do not fit within the fetched
size before it is parsed.

Fixes: 184992e305f1 ("greybus: audio: Add Greybus Audio Device Class Protocol helper routines")
Cc: stable@vger.kernel.org
Signed-off-by: Bryam Vargas <hexlabsecurity@proton.me>
---
I reproduced the out-of-bounds read both in-kernel under KASAN and with
a userspace AddressSanitizer model of the gbaudio_tplg_process_header()
offset walk. The topology blob is kzalloc(size) where size is
module-supplied (a u16), and process_header() forms control_offset =
&data + size_dais, widget_offset = control_offset + size_controls, etc.;
the consumers then read structs at those offsets.

  - In-kernel (7.1.0-rc5 + KASAN): a 64-byte blob (header 24, so 40 bytes
    available) with size_dais = 44 makes control_offset point 4 bytes
    past the allocation, and reading the first control byte there trips:

      BUG: KASAN: slab-out-of-bounds in ...parse_topology...
      Read of size 1 at addr ...
      ... which belongs to the cache kmalloc-64 of size 64
      The buggy address is located 4 bytes to the right of
       allocated 64-byte region

    The patched arm (sections rejected, -EINVAL) and an in-bounds control
    arm (size_dais = 8) read cleanly with no KASAN report.
  - ASan model (-m32 and -m64): size_dais = 4096 makes control_offset
    point ~4 KB past the 64-byte blob - heap-buffer-overflow READ located
    4056 bytes after the region, both ABIs; patched and in-bounds clean.

The source is a greybus audio module trust boundary (an attacker-supplied
or compromised module reporting a malformed topology); the access is a
read, and a large size_dais sends the offset far enough to fault. The
reproducer (kernel module + ASan model) is available on request.
---
 drivers/staging/greybus/audio_gb.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/staging/greybus/audio_gb.c b/drivers/staging/greybus/audio_gb.c
index 9d8994fdb41a..144591f1a512 100644
--- a/drivers/staging/greybus/audio_gb.c
+++ b/drivers/staging/greybus/audio_gb.c
@@ -37,6 +37,19 @@ int gb_audio_gb_get_topology(struct gb_connection *connection,
 		return ret;
 	}
 
+	/*
+	 * The size_* fields are supplied by the module and are used by
+	 * gbaudio_tplg_parse_data() to compute offsets into the blob; make
+	 * sure the sections fit within the fetched topology, so walking it
+	 * cannot read out of bounds.
+	 */
+	if ((u64)le32_to_cpu(topo->size_dais) + le32_to_cpu(topo->size_controls) +
+	    le32_to_cpu(topo->size_widgets) + le32_to_cpu(topo->size_routes) >
+	    size - sizeof(*topo)) {
+		kfree(topo);
+		return -EINVAL;
+	}
+
 	*topology = topo;
 
 	return 0;
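
Review bot: On the `size - sizeof(*topo)` line the right-hand side is an unsigned subtraction, so it is a valid bound only if `size` is already known to be at least `sizeof(*topo)` when this test runs; if a shorter size could reach it, the result wraps to a very large value and every topology passes. That guard is not visible in this hunk, so either name it in the new comment or add an explicit `size < sizeof(*topo)` rejection ahead of the comparison. The rejection path also returns -EINVAL without logging anything, and a message naming the offending sizes would help when a module misbehaves.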

---
base-commit: 8e65320d91cdc3b241d4b94855c88459b91abf66
change-id: 20260616-b4-disp-4352e8b0-45e86659956e

Best regards,
-- 
Bryam Vargas <hexlabsecurity@proton.me>
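
The check this patch adds, modelled in userspace as an added example (not part of the original mail and not the author's reproducer): it uses the sizes from the reproduction note above and assumes the 24-byte header stated there, and all function names are hypothetical. It goes slightly beyond the patch by including an explicit guard for a blob shorter than the header and a 32-bit variant that shows what the u64 widening prevents.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header length from the reproduction note (24 bytes); the driver uses sizeof(*topo). */
#define TOPO_HDR_LEN 24u

/*
 * Bounds check in the shape the patch uses, plus an explicit guard for a
 * blob shorter than the header. All arguments are host-order values.
 */
static bool topo_sections_fit(uint16_t size, uint32_t dais, uint32_t controls,
			      uint32_t widgets, uint32_t routes)
{
	uint64_t total;

	if (size < TOPO_HDR_LEN)	/* keeps the subtraction below from wrapping */
		return false;

	/* Widen first: four 32-bit values sum to less than 2^34. */
	total = (uint64_t)dais + controls + widgets + routes;

	return total <= (uint64_t)size - TOPO_HDR_LEN;
}

/* Same test done in 32 bits, kept only to show what the widening prevents. */
static bool topo_sections_fit_u32(uint16_t size, uint32_t dais, uint32_t controls,
				  uint32_t widgets, uint32_t routes)
{
	uint32_t total = dais + controls + widgets + routes;	/* wraps mod 2^32 */

	return size >= TOPO_HDR_LEN && total <= (uint32_t)size - TOPO_HDR_LEN;
}

/* How far past a size-byte blob the control section would start (0 if inside). */
static uint64_t control_overrun(uint16_t size, uint32_t dais)
{
	uint64_t off = (uint64_t)TOPO_HDR_LEN + dais;

	return off > size ? off - size : 0;
}

int main(void)
{
	/* Constructed cases; the first three use the numbers from the reproduction note. */
	static const struct {
		uint16_t size;
		uint32_t d, c, w, r;
	} cases[] = {
		{ 64, 44, 0, 0, 0 },
		{ 64, 8, 0, 0, 0 },
		{ 64, 4096, 0, 0, 0 },
		{ 64, 0xFFFFFFF0u, 0x20, 0, 0 },	/* 32-bit sum wraps to 16 */
		{ 16, 0, 0, 0, 0 },			/* shorter than the header */
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("size=%u dais=%lu: u64 check %s, u32 check %s, overrun %llu\n",
		       (unsigned)cases[i].size, (unsigned long)cases[i].d,
		       topo_sections_fit(cases[i].size, cases[i].d, cases[i].c,
					 cases[i].w, cases[i].r) ? "accept" : "reject",
		       topo_sections_fit_u32(cases[i].size, cases[i].d, cases[i].c,
					     cases[i].w, cases[i].r) ? "accept" : "reject",
		       (unsigned long long)control_overrun(cases[i].size, cases[i].d));
	return 0;
}
```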




* [PATCH v2 4/4] staging: rtl8723bs: convert update_attrib to return errno
From: Hungyu Lin @ 2026-06-15 23:43 UTC (permalink / raw)
  To: gregkh; +Cc: error27, linux-staging, linux-kernel, Hungyu Lin
In-Reply-To: <20260615234340.97299-1-dennylin0707@gmail.com>

Convert update_attrib() to return 0 on success and a
negative errno on failure. Update rtw_xmit() to handle
the returned error code.

No functional change intended.

Signed-off-by: Hungyu Lin <dennylin0707@gmail.com>
---
 drivers/staging/rtl8723bs/core/rtw_xmit.c | 24 +++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
index 0fd2415e7bb7..4d886a35f4c8 100644
--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
+++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
@@ -654,7 +654,7 @@ static int set_qos(struct pkt_file *ppktfile, struct pkt_attrib *pattrib)
 	return 0;
 }
 
-static s32 update_attrib(struct adapter *padapter, struct sk_buff *pkt, struct pkt_attrib *pattrib)
+static int update_attrib(struct adapter *padapter, struct sk_buff *pkt, struct pkt_attrib *pattrib)
 {
 	struct pkt_file pktfile;
 	struct sta_info *psta = NULL;
@@ -741,23 +741,24 @@ static s32 update_attrib(struct adapter *padapter, struct sk_buff *pkt, struct p
 	} else {
 		psta = rtw_get_stainfo(pstapriv, pattrib->ra);
 		if (!psta)	/*  if we cannot get psta => drop the pkt */
-			return _FAIL;
+			return -EINVAL;
 		else if (check_fwstate(pmlmepriv, WIFI_AP_STATE) && !(psta->state & _FW_LINKED))
-			return _FAIL;
+			return -EINVAL;
 	}
 
 	if (!psta) {
 		/*  if we cannot get psta => drop the pkt */
-		return _FAIL;
+		return -EINVAL;
 	}
 
 	if (!(psta->state & _FW_LINKED))
-		return _FAIL;
+		return -EINVAL;
 
 	spin_lock_bh(&psta->lock);
-	if (update_attrib_sec_info(padapter, pattrib, psta) == _FAIL) {
+	ret = update_attrib_sec_info(padapter, pattrib, psta);
+	if (ret) {
 		spin_unlock_bh(&psta->lock);
-		return _FAIL;
+		return ret;
 	}
 
 	update_attrib_phy_info(padapter, pattrib, psta);
@@ -793,7 +794,7 @@ static s32 update_attrib(struct adapter *padapter, struct sk_buff *pkt, struct p
 	}
 
 	/* pattrib->priority = 5; force to used VI queue, for testing */
-	return _SUCCESS;
+	return 0;
 }
 
 static s32 xmitframe_addmic(struct adapter *padapter, struct xmit_frame *pxmitframe)
@@ -1954,7 +1955,7 @@ s32 rtw_xmit(struct adapter *padapter, struct sk_buff **ppkt)
 	struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
 	struct xmit_frame *pxmitframe = NULL;
 
-	s32 res;
+	int ret;
 
 	if (start == 0)
 		start = jiffies;
@@ -1967,9 +1968,8 @@ s32 rtw_xmit(struct adapter *padapter, struct sk_buff **ppkt)
 	if (!pxmitframe)
 		return -1;
 
-	res = update_attrib(padapter, *ppkt, &pxmitframe->attrib);
-
-	if (res != _SUCCESS) {
+	ret = update_attrib(padapter, *ppkt, &pxmitframe->attrib);
+	if (ret) {
 		rtw_free_xmitframe(pxmitpriv, pxmitframe);
 		return -1;
 	}
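
Review bot: In the `if (ret)` branch the errno that update_attrib() now returns is dropped and rtw_xmit() still returns -1, so the commit message's "Update rtw_xmit() to handle the returned error code" overstates what this hunk does. Either say that rtw_xmit() keeps its existing -1 convention and only the test changes, or convert this return in a follow-up together with the `if (!pxmitframe) return -1;` path just above it.
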
-- 
2.34.1



* [PATCH v2 3/4] staging: rtl8723bs: convert update_attrib_sec_info to return errno
From: Hungyu Lin @ 2026-06-15 23:43 UTC (permalink / raw)
  To: gregkh; +Cc: error27, linux-staging, linux-kernel, Hungyu Lin
In-Reply-To: <20260615234340.97299-1-dennylin0707@gmail.com>

Convert update_attrib_sec_info() to return 0 on success and
a negative errno on failure.

No functional change intended.

Signed-off-by: Hungyu Lin <dennylin0707@gmail.com>
---
 drivers/staging/rtl8723bs/core/rtw_xmit.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
index 69b6d3a2554a..0fd2415e7bb7 100644
--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
+++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
@@ -505,7 +505,7 @@ static void update_attrib_phy_info(struct adapter *padapter, struct pkt_attrib *
 	pattrib->retry_ctrl = false;
 }
 
-static s32 update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *pattrib, struct sta_info *psta)
+static int update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *pattrib, struct sta_info *psta)
 {
 	struct mlme_priv *pmlmepriv = &padapter->mlmepriv;
 	struct security_priv *psecuritypriv = &padapter->securitypriv;
@@ -519,7 +519,7 @@ static s32 update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *p
 		pattrib->encrypt = 0;
 
 		if ((pattrib->ether_type != 0x888e) && !check_fwstate(pmlmepriv, WIFI_MP_STATE))
-			return _FAIL;
+			return -EINVAL;
 	} else {
 		GET_ENCRY_ALGO(psecuritypriv, psta, pattrib->encrypt, bmcast);
 
@@ -558,7 +558,7 @@ static s32 update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *p
 		pattrib->icv_len = 4;
 
 		if (psecuritypriv->busetkipkey == _FAIL)
-			return _FAIL;
+			return -EINVAL;
 
 		if (bmcast)
 			TKIP_IV(pattrib->iv, psta->dot11txpn, pattrib->key_idx);
@@ -596,7 +596,7 @@ static s32 update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *p
 	else
 		pattrib->bswenc = false;
 
-	return _SUCCESS;
+	return 0;
 }
 
 u8 qos_acm(u8 acm_mask, u8 priority)
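
Review bot: Returning 0 and -EINVAL from this function changes behaviour for the caller as it stands after this patch: update_attrib() still tests `update_attrib_sec_info(padapter, pattrib, psta) == _FAIL`, and that line is only replaced in 4/4. With 3/4 applied on its own the comparison no longer matches what this function returns, so "No functional change intended" does not hold and the series is not bisectable at this commit. Update the caller's check in this same patch so each commit behaves correctly by itself.
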
-- 
2.34.1



* [PATCH v2 2/4] staging: rtl8723bs: simplify update_attrib control flow
From: Hungyu Lin @ 2026-06-15 23:43 UTC (permalink / raw)
  To: gregkh; +Cc: error27, linux-staging, linux-kernel, Hungyu Lin
In-Reply-To: <20260615234340.97299-1-dennylin0707@gmail.com>

Replace goto-based error handling with direct returns and
remove the temporary res variable.

No functional change.

Signed-off-by: Hungyu Lin <dennylin0707@gmail.com>
---
 drivers/staging/rtl8723bs/core/rtw_xmit.c | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
index 6ab91de472b0..69b6d3a2554a 100644
--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
+++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
@@ -664,7 +664,6 @@ static s32 update_attrib(struct adapter *padapter, struct sk_buff *pkt, struct p
 	struct sta_priv *pstapriv = &padapter->stapriv;
 	struct mlme_priv *pmlmepriv = &padapter->mlmepriv;
 	struct qos_priv *pqospriv = &pmlmepriv->qospriv;
-	signed int res = _SUCCESS;
 	int ret;
 
 	_rtw_open_pktfile(pkt, &pktfile);
@@ -741,19 +740,15 @@ static s32 update_attrib(struct adapter *padapter, struct sk_buff *pkt, struct p
 		psta = rtw_get_bcmc_stainfo(padapter);
 	} else {
 		psta = rtw_get_stainfo(pstapriv, pattrib->ra);
-		if (!psta)	{ /*  if we cannot get psta => drop the pkt */
-			res = _FAIL;
-			goto exit;
-		} else if (check_fwstate(pmlmepriv, WIFI_AP_STATE) && !(psta->state & _FW_LINKED)) {
-			res = _FAIL;
-			goto exit;
-		}
+		if (!psta)	/*  if we cannot get psta => drop the pkt */
+			return _FAIL;
+		else if (check_fwstate(pmlmepriv, WIFI_AP_STATE) && !(psta->state & _FW_LINKED))
+			return _FAIL;
 	}
 
 	if (!psta) {
 		/*  if we cannot get psta => drop the pkt */
-		res = _FAIL;
-		goto exit;
+		return _FAIL;
 	}
 
 	if (!(psta->state & _FW_LINKED))
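
Review bot: The new `else if (check_fwstate(pmlmepriv, WIFI_AP_STATE) && ...)` follows an `if (!psta)` branch that now ends in `return _FAIL;`, so the `else` is redundant; write the two tests as plain `if` statements. With that early return in place, the `if (!psta)` block after the closing brace only matters for the rtw_get_bcmc_stainfo() branch, and moving the check into that branch would make this explicit.
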
@@ -762,8 +757,7 @@ static s32 update_attrib(struct adapter *padapter, struct sk_buff *pkt, struct p
 	spin_lock_bh(&psta->lock);
 	if (update_attrib_sec_info(padapter, pattrib, psta) == _FAIL) {
 		spin_unlock_bh(&psta->lock);
-		res = _FAIL;
-		goto exit;
+		return _FAIL;
 	}
 
 	update_attrib_phy_info(padapter, pattrib, psta);
@@ -799,9 +793,7 @@ static s32 update_attrib(struct adapter *padapter, struct sk_buff *pkt, struct p
 	}
 
 	/* pattrib->priority = 5; force to used VI queue, for testing */
-
-exit:
-	return res;
+	return _SUCCESS;
 }
 
 static s32 xmitframe_addmic(struct adapter *padapter, struct xmit_frame *pxmitframe)
-- 
2.34.1



* [PATCH v2 1/4] staging: rtl8723bs: simplify update_attrib_sec_info control flow
From: Hungyu Lin @ 2026-06-15 23:43 UTC (permalink / raw)
  To: gregkh; +Cc: error27, linux-staging, linux-kernel, Hungyu Lin
In-Reply-To: <20260615234340.97299-1-dennylin0707@gmail.com>

Replace goto-based error handling with direct returns and
remove the temporary res variable.

No functional change.

Signed-off-by: Hungyu Lin <dennylin0707@gmail.com>
---
 drivers/staging/rtl8723bs/core/rtw_xmit.c | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
index 444966c0de7f..6ab91de472b0 100644
--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
+++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
@@ -507,7 +507,6 @@ static void update_attrib_phy_info(struct adapter *padapter, struct pkt_attrib *
 
 static s32 update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *pattrib, struct sta_info *psta)
 {
-	signed int res = _SUCCESS;
 	struct mlme_priv *pmlmepriv = &padapter->mlmepriv;
 	struct security_priv *psecuritypriv = &padapter->securitypriv;
 	signed int bmcast = is_multicast_ether_addr(pattrib->ra);
@@ -519,10 +518,8 @@ static s32 update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *p
 	if (psta->ieee8021x_blocked) {
 		pattrib->encrypt = 0;
 
-		if ((pattrib->ether_type != 0x888e) && !check_fwstate(pmlmepriv, WIFI_MP_STATE)) {
-			res = _FAIL;
-			goto exit;
-		}
+		if ((pattrib->ether_type != 0x888e) && !check_fwstate(pmlmepriv, WIFI_MP_STATE))
+			return _FAIL;
 	} else {
 		GET_ENCRY_ALGO(psecuritypriv, psta, pattrib->encrypt, bmcast);
 
@@ -560,10 +557,8 @@ static s32 update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *p
 		pattrib->iv_len = 8;
 		pattrib->icv_len = 4;
 
-		if (psecuritypriv->busetkipkey == _FAIL) {
-			res = _FAIL;
-			goto exit;
-		}
+		if (psecuritypriv->busetkipkey == _FAIL)
+			return _FAIL;
 
 		if (bmcast)
 			TKIP_IV(pattrib->iv, psta->dot11txpn, pattrib->key_idx);
@@ -601,9 +596,7 @@ static s32 update_attrib_sec_info(struct adapter *padapter, struct pkt_attrib *p
 	else
 		pattrib->bswenc = false;
 
-exit:
-
-	return res;
+	return _SUCCESS;
 }
 
 u8 qos_acm(u8 acm_mask, u8 priority)
-- 
2.34.1



* [PATCH v2 0/4] staging: rtl8723bs: convert update_attrib path to errno
From: Hungyu Lin @ 2026-06-15 23:43 UTC (permalink / raw)
  To: gregkh; +Cc: error27, linux-staging, linux-kernel, Hungyu Lin

Changes in v2:
 - Keep braces around the multi-line if statement in update_attrib()
 - Split errno conversion and propagation as suggested by Dan Carpenter
 - Change update_attrib_sec_info() and update_attrib() return types to int

Hungyu Lin (4):
  staging: rtl8723bs: simplify update_attrib_sec_info control flow
  staging: rtl8723bs: simplify update_attrib control flow
  staging: rtl8723bs: convert update_attrib_sec_info to return errno
  staging: rtl8723bs: convert update_attrib to return errno

 drivers/staging/rtl8723bs/core/rtw_xmit.c | 55 +++++++++--------------
 1 file changed, 20 insertions(+), 35 deletions(-)

-- 
2.34.1



* [PATCH v3] media: atomisp: replace kmalloc() with kmalloc_objs() in sh_css.c
From: Andrei Khomenkov @ 2026-06-15 19:45 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Andy Shevchenko; +Cc: linux-staging, linux-media

Replace arithmetic in the kmalloc() function with the kmalloc_objs()
macro, as this calculation method is unsafe.

Suggested-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Andrei Khomenkov <khomenkov@mailbox.org>
---
v3:
 - use 'kmalloc_objs()' macro instead of 'kmalloc_array()' function
 - drop unused 'GFP_KERNEL' arguments since they are default
v2:
 - use 'sizeof(*ptr)' instead of explicit type
 
v2: https://lore.kernel.org/linux-staging/20260613110712.71436-1-khomenkov@mailbox.org/
v1: https://lore.kernel.org/linux-staging/20260606095410.13968-1-khomenkov@mailbox.org/

 drivers/staging/media/atomisp/pci/sh_css.c | 34 ++++++----------------
 1 file changed, 9 insertions(+), 25 deletions(-)

diff --git a/drivers/staging/media/atomisp/pci/sh_css.c b/drivers/staging/media/atomisp/pci/sh_css.c
index 6cda5925fa45..0733d33101b2 100644
--- a/drivers/staging/media/atomisp/pci/sh_css.c
+++ b/drivers/staging/media/atomisp/pci/sh_css.c
@@ -5819,36 +5819,27 @@ static int ia_css_pipe_create_cas_scaler_desc_single_output(
 		i *= max_scale_factor_per_stage;
 	}
 
-	descr->in_info = kmalloc(descr->num_stage *
-				 sizeof(struct ia_css_frame_info),
-				 GFP_KERNEL);
+	kmalloc_objs(descr->in_info, descr->num_stage);
 	if (!descr->in_info) {
 		err = -ENOMEM;
 		goto ERR;
 	}
-	descr->internal_out_info = kmalloc(descr->num_stage *
-					   sizeof(struct ia_css_frame_info),
-					   GFP_KERNEL);
+	kmalloc_objs(descr->internal_out_info, descr->num_stage);
 	if (!descr->internal_out_info) {
 		err = -ENOMEM;
 		goto ERR;
 	}
-	descr->out_info = kmalloc(descr->num_stage *
-				  sizeof(struct ia_css_frame_info),
-				  GFP_KERNEL);
+	kmalloc_objs(descr->out_info, descr->num_stage);
 	if (!descr->out_info) {
 		err = -ENOMEM;
 		goto ERR;
 	}
-	descr->vf_info = kmalloc(descr->num_stage *
-				 sizeof(struct ia_css_frame_info),
-				 GFP_KERNEL);
+	kmalloc_objs(descr->vf_info, descr->num_stage);
 	if (!descr->vf_info) {
 		err = -ENOMEM;
 		goto ERR;
 	}
-	descr->is_output_stage = kmalloc(descr->num_stage * sizeof(bool),
-					 GFP_KERNEL);
+	kmalloc_objs(descr->is_output_stage, descr->num_stage);
 	if (!descr->is_output_stage) {
 		err = -ENOMEM;
 		goto ERR;
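
Review bot: Each converted line, for example `kmalloc_objs(descr->in_info, descr->num_stage);`, is a bare statement whose result is not assigned, so the `if (!descr->in_info)` test that follows checks whatever the pointer held before the call. As far as I know kmalloc_objs() evaluates to the allocated pointer and takes the object rather than the pointer as its first argument, which would make the intended form `descr->in_info = kmalloc_objs(*descr->in_info, descr->num_stage);`. Please check this against the macro definition and apply the same form to the other four allocations in this hunk.
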
@@ -5974,29 +5965,22 @@ ia_css_pipe_create_cas_scaler_desc(struct ia_css_pipe *pipe,
 		err = -ENOMEM;
 		goto ERR;
 	}
-	descr->internal_out_info = kmalloc(descr->num_stage *
-					   sizeof(struct ia_css_frame_info),
-					   GFP_KERNEL);
+	kmalloc_objs(descr->internal_out_info, descr->num_stage);
 	if (!descr->internal_out_info) {
 		err = -ENOMEM;
 		goto ERR;
 	}
-	descr->out_info = kmalloc(descr->num_stage *
-				  sizeof(struct ia_css_frame_info),
-				  GFP_KERNEL);
+	kmalloc_objs(descr->out_info, descr->num_stage);
 	if (!descr->out_info) {
 		err = -ENOMEM;
 		goto ERR;
 	}
-	descr->vf_info = kmalloc(descr->num_stage *
-				 sizeof(struct ia_css_frame_info),
-				 GFP_KERNEL);
+	kmalloc_objs(descr->vf_info, descr->num_stage);
 	if (!descr->vf_info) {
 		err = -ENOMEM;
 		goto ERR;
 	}
-	descr->is_output_stage = kmalloc(descr->num_stage * sizeof(bool),
-					 GFP_KERNEL);
+	kmalloc_objs(descr->is_output_stage, descr->num_stage);
 	if (!descr->is_output_stage) {
 		err = -ENOMEM;
 		goto ERR;
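
Review bot: This hunk converts four allocations where the earlier hunk of this patch converts five; the allocation guarded by the `err = -ENOMEM;` and `goto ERR;` context lines at the top is left untouched. If that is the descr->in_info allocation using the same `num_stage * sizeof(...)` arithmetic, convert it as well, or say in the changelog why it stays. As in the earlier hunk, the new calls are bare statements with no assignment, so the NULL checks after them test the old pointer values.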


* [PATCH v2 2/2] staging: octeon: add missing napi_disable in cvm_oct_rx_shutdown
From: Ayush Mukkanwar @ 2026-06-15 17:27 UTC (permalink / raw)
  To: gregkh
  Cc: linux-staging, linux-kernel, linux-kernel-mentees, skhan,
	dan.carpenter, Ayush Mukkanwar, Sashiko
In-Reply-To: <20260615172734.42038-1-ayushmukkanwar@gmail.com>

cvm_oct_rx_shutdown calls free_irq and netif_napi_del without
disabling the napi instance first. As the free_irq only waits
for completion of hard interrupt handlers, the napi poll
function could still be active. If cvm_oct_remove proceeds to
free the plat structure (which holds the NAPI instances), the
active poll function will access freed memory, resulting in a
use-after-free crash.

Fixes: 3368c784bcf7 ("Staging: Octeon Ethernet: Convert to NAPI.")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260511150931.93382-1-ayushmukkanwar%40gmail.com
Signed-off-by: Ayush Mukkanwar <ayushmukkanwar@gmail.com>
---
Changes since v1:
  - Added Fixes, Reported-by and Closes tags 
  - Added compile-tested-only note

Note: This patch has only been compile tested. No runtime testing
was performed as I do not have access to Octeon hardware.

 drivers/staging/octeon/ethernet-rx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c
index cd36b5ba6f6c..3e9d58d32156 100644
--- a/drivers/staging/octeon/ethernet-rx.c
+++ b/drivers/staging/octeon/ethernet-rx.c
@@ -535,6 +535,8 @@ void cvm_oct_rx_shutdown(struct platform_device *pdev)
 		else
 			cvmx_write_csr(CVMX_POW_WQ_INT_THRX(i), 0);
 
+		napi_disable(&plat->rx_group[i].napi);
+
 		/* Free the interrupt handler */
 		free_irq(plat->rx_group[i].irq, &plat->rx_group[i].napi);
 
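
Review bot: The added `napi_disable(&plat->rx_group[i].napi);` waits until the instance can be taken out of service, and it does not return for a NAPI instance that was never enabled with napi_enable(). Since the patch is compile-tested only, confirm that every rx_group[i] reaching this line in the loop was enabled at init time. The commit message should also state why the call sits before free_irq() rather than after it.
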
-- 
2.54.0



* [PATCH v2 1/2] staging: octeon: add missing tasklet_kill in cvm_oct_tx_shutdown
From: Ayush Mukkanwar @ 2026-06-15 17:27 UTC (permalink / raw)
  To: gregkh
  Cc: linux-staging, linux-kernel, linux-kernel-mentees, skhan,
	dan.carpenter, Ayush Mukkanwar, Sashiko

The TX cleanup tasklet can be scheduled by the watchdog IRQ handler
to execute cvm_oct_tx_do_cleanup. There can be a pending tasklet in
the queue which might run after the cvm_oct_remove() frees net_device
structures, causing a use-after-free in cvm_oct_tx_do_cleanup() as it
iterates cvm_oct_device[] which is an array of netdevice pointers.
Add tasklet_kill() after free_irq() to ensure the tasklet is no longer
scheduled or running before teardown proceeds.

Fixes: 4898c560103f ("Staging: Octeon:  Free transmit SKBs in a timely manner")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260511150931.93382-1-ayushmukkanwar%40gmail.com
Signed-off-by: Ayush Mukkanwar <ayushmukkanwar@gmail.com>
---
Changes since v1:
  - Added Fixes, Reported-by and Closes tags 
  - Added compile-tested-only note

Note: This patch has only been compile tested. No runtime testing was
performed as I do not have access to Octeon hardware.

Sashiko also reviewed the v1 of this patch and found that cvm_oct_xmit
can still schedule a tasklet even after tasklet_kill is called. I was
planning to reorder the tear down so that the net devs are unregistered
before the tasklet_kill is called in a follow up patch.
link to that report:
https://sashiko.dev/#/patchset/20260614114739.87061-1-ayushmukkanwar%40gmail.com

 drivers/staging/octeon/ethernet-tx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/octeon/ethernet-tx.c b/drivers/staging/octeon/ethernet-tx.c
index 14d10659bce7..785c6492f170 100644
--- a/drivers/staging/octeon/ethernet-tx.c
+++ b/drivers/staging/octeon/ethernet-tx.c
@@ -668,4 +668,6 @@ void cvm_oct_tx_shutdown(void)
 {
 	/* Free the interrupt handler */
 	free_irq(OCTEON_IRQ_TIMER1, cvm_oct_device);
+
+	tasklet_kill(&cvm_oct_tx_cleanup_tasklet);
 }
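
Review bot: The `tasklet_kill(&cvm_oct_tx_cleanup_tasklet);` added after free_irq() only covers scheduling from the watchdog IRQ. The notes under the `---` say cvm_oct_xmit can still schedule the tasklet afterwards, so the commit message's claim that this ensures the tasklet is no longer scheduled or running before teardown proceeds is stronger than what the patch delivers. Either fold the planned teardown reorder into this series or reword the message to say the xmit path is closed in a follow-up.
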
-- 
2.54.0



* Re: [PATCH v2 1/2] media: atomisp: fix memory leak in atomisp_pci_probe()
From: Dawei Feng @ 2026-06-15 15:15 UTC (permalink / raw)
  To: andriy.shevchenko
  Cc: abdelrahmanfekry375, andy, corbet, dawei.feng, error27, gregkh,
	hansg, jianhao.xu, keescook, linux-kernel, linux-media,
	linux-staging, mchehab, sakari.ailus, zilin
In-Reply-To: <ajADZZqqsFcgAPhy@ashevche-desk.local>

Hi Andy,

Thanks for the review.

On Mon, 15 Jun 2026 16:51:33 +0300, Andy Shevchenko wrote:
>But did he _develop_ any parts of this patch? Otherwise Reported-by is more
>suitable.

I agree. I will set Zilin as Reported-by in the v3 patch.

>Yes, and I still insist to move them to the cover letter. In any case those are
>not present in the second patch anyway, moving that to cover letter covers the
>entire series (and I believe you tested the entire series, didn't you?).

Yes, I compile-tested the series. I'll move those paragraphs to the v3
cover letter.

Best regards,
Dawei Feng


* Re: [PATCH v2] media: atomisp: replace kmalloc() with kmalloc_array() in sh_css.c
From: Andy Shevchenko @ 2026-06-15 14:09 UTC (permalink / raw)
  To: Andrei Khomenkov
  Cc: Greg Kroah-Hartman, Andy Shevchenko, Kees Cook, linux-staging,
	linux-media
In-Reply-To: <20260613110712.71436-1-khomenkov@mailbox.org>

On Sat, Jun 13, 2026 at 02:07:12PM +0300, Andrei Khomenkov wrote:
> Replace arithmetic in the kmalloc() function with the kmalloc_array()
> function, as this calculation method is unsafe.

Why not kmalloc_objs()?

-- 
With Best Regards,
Andy Shevchenko




* [PATCH] media: meson: vdec: fix use-after-free of decode work in stop/close path
From: Doruk Tan Ozturk @ 2026-06-15 14:05 UTC (permalink / raw)
  To: neil.armstrong, mchehab, gregkh, khilman
  Cc: jbrunet, martin.blumenstingl, mjourdan, hverkuil, linux-media,
	linux-amlogic, linux-staging, linux-arm-kernel, linux-kernel,
	Doruk Tan Ozturk, stable

vdec_close() calls v4l2_m2m_ctx_release() and then kfree(sess) without
ever cancelling sess->esparser_queue_work. The worker
esparser_queue_all_src() takes sess->lock and walks the source buffers
of sess->m2m_ctx, so if it is still pending or running when the session
is torn down it dereferences freed memory.

The work is (re-)armed from several places, including amvdec_buf_done(),
which runs from the decode-completion/IRQ path. That makes the obvious
fixes insufficient:

  - v4l2_m2m_ctx_release() frees m2m_ctx (and runs stop_streaming via
    vb2_queue_release()), but never cancels the work. Cancelling in
    vdec_close() after v4l2_m2m_ctx_release() would wait on a worker that
    may already be dereferencing the now-freed m2m_ctx.

  - Cancelling in vdec_close() before v4l2_m2m_ctx_release() keeps
    m2m_ctx valid, but the hardware is still live, so amvdec_buf_done()
    can re-arm the work right after the cancel, reintroducing the UAF.

Cancel the work in vdec_stop_streaming() instead, right after
vdec_poweroff() has quiesced the hardware (so its IRQ can no longer
re-arm the work) and while sess->m2m_ctx is still valid. Because
v4l2_m2m_ctx_release() always tears the queues down through
vb2_queue_release() -> __vb2_queue_cancel() -> stop_streaming, this
single cancel covers both the STREAMOFF and the close paths.

This does not deadlock: the queue lock (sess->lock, shared by both vb2
queues) is taken by the worker, but neither the STREAMOFF path
(video_ioctl2 serialises on vdev->lock == core->lock, and
v4l2_m2m_streamoff() calls the lockless vb2_streamoff()) nor the close
path (vb2_queue_release()) holds sess->lock when stop_streaming runs, so
cancel_work_sync() can safely wait for the worker.

Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Cc: stable@vger.kernel.org
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
---
 drivers/staging/media/meson/vdec/vdec.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
index 4b77ec1af5a7..42822064cf8d 100644
--- a/drivers/staging/media/meson/vdec/vdec.c
+++ b/drivers/staging/media/meson/vdec/vdec.c
@@ -419,6 +419,16 @@ static void vdec_stop_streaming(struct vb2_queue *q)
 		sess->status = STATUS_STOPPED;
 	}
 
+	/*
+	 * The esparser_queue_work worker dereferences sess->m2m_ctx and
+	 * sess->lock. The hardware (and its IRQ, which re-arms the work via
+	 * amvdec_buf_done()) has been quiesced by vdec_poweroff() above, so
+	 * no new work can be scheduled past this point. m2m_ctx is still
+	 * valid here. Wait for any in-flight worker to finish before the
+	 * buffers and (on the close path) m2m_ctx are torn down.
+	 */
+	cancel_work_sync(&sess->esparser_queue_work);
+
 	if (q->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) {
 		while ((buf = v4l2_m2m_src_buf_remove(sess->m2m_ctx)))
 			v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR);
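
Review bot: The added comment's claim that "no new work can be scheduled past this point" depends on vdec_poweroff() having run above, but the context right before the new lines is the tail of a conditional block (`sess->status = STATUS_STOPPED;` then `}`), so from this hunk the poweroff does not look unconditional. vdec_stop_streaming() runs per queue (see the `q->type` test that follows), so if that branch can be skipped for one of the two queues, the IRQ can still re-arm esparser_queue_work after cancel_work_sync() returns. The commit message also says the work is armed from several places; the comment only rules out amvdec_buf_done(). Please state in the comment which condition guarantees the hardware is off here and why the other arming sites cannot queue the work after this point.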
-- 
2.43.0


^ permalink raw reply related
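
The ordering argument in the commit message above, as an added example that is not part of the patch or the driver: a small single-threaded C model that tries every worker schedule for each teardown order. The step names, struct state and uaf_possible() are hypothetical, and each teardown step is assumed to be atomic.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumed names, not driver code): after each teardown
 * step the IRQ may re-arm the work and the worker may or may not run. */
enum step { POWEROFF, CANCEL, FREE_CTX };

struct state {
	bool hw_live;   /* decoder IRQ (amvdec_buf_done) can still fire */
	bool pending;   /* esparser_queue_work is queued */
	bool ctx_valid; /* sess->m2m_ctx has not been freed yet */
};

static void apply(struct state *s, enum step st)
{
	if (st == POWEROFF)
		s->hw_live = false;   /* vdec_poweroff() */
	else if (st == CANCEL)
		s->pending = false;   /* cancel_work_sync() */
	else
		s->ctx_valid = false; /* v4l2_m2m_ctx_release() */
}

/* True if some worker schedule touches m2m_ctx after it has been freed. */
static bool uaf_possible(const enum step *order, int n)
{
	for (unsigned int sched = 0; sched < (1u << n); sched++) {
		struct state s = { true, true, true }; /* work armed at start */
		for (int i = 0; i < n; i++) {
			apply(&s, order[i]);
			if (s.hw_live)
				s.pending = true;   /* IRQ re-arms the work */
			if (s.pending && (sched & (1u << i))) {
				s.pending = false;  /* worker runs in this gap */
				if (!s.ctx_valid)
					return true;    /* walks freed m2m_ctx */
			}
		}
	}
	return false;
}

static const enum step no_cancel[]    = { POWEROFF, FREE_CTX };
static const enum step cancel_late[]  = { POWEROFF, FREE_CTX, CANCEL };
static const enum step cancel_early[] = { CANCEL, POWEROFF, FREE_CTX };
static const enum step patched[]      = { POWEROFF, CANCEL, FREE_CTX };

int main(void)
{
	printf("no cancel %d, late %d, early %d, patched %d\n",
	       uaf_possible(no_cancel, 2), uaf_possible(cancel_late, 3),
	       uaf_possible(cancel_early, 3), uaf_possible(patched, 3));
	return 0;
}
```

Only the order that powers the hardware off first, then cancels, then frees leaves no schedule in which the worker runs on a freed context.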

* Re: [PATCH v2 1/2] media: atomisp: fix memory leak in atomisp_pci_probe()
From: Dan Carpenter @ 2026-06-15 13:53 UTC (permalink / raw)
  To: Andy Shevchenko
  Cc: Dawei Feng, andy, hansg, mchehab, sakari.ailus, gregkh,
	abdelrahmanfekry375, linux-kernel, linux-media, linux-staging,
	jianhao.xu, Zilin Guan, Kees Cook, Jonathan Corbet
In-Reply-To: <ajAC6E3Pc0edjySZ@ashevche-desk.local>

On Mon, Jun 15, 2026 at 04:49:28PM +0300, Andy Shevchenko wrote:
> On Mon, Jun 15, 2026 at 02:39:42PM +0300, Dan Carpenter wrote:
> > On Mon, Jun 15, 2026 at 02:11:12PM +0300, Andy Shevchenko wrote:
> 
> ...
> 
> > > > The bug was first flagged by an experimental analysis tool we are
> > > > developing for kernel memory-management bugs while analyzing
> > > > v6.13-rc1. The tool is still under development and is not yet publicly
> > > > available. Manual inspection confirms that the bug is still present in
> > > > v7.1-rc7.
> > > > 
> > > > An x86_64 allyesconfig build showed no new warnings. As we do not have
> > > > an Intel Atom ISP platform with the required camera sensor hardware to
> > > > test with, no runtime testing was able to be performed.
> > > 
> > > These last two paragraphs do not suit the commit message. Please, drop them
> > > here and better to describe all this in the cover letter (if not yet).
> > 
> > This is how the documentation says to write commit messages.
> > 
> > https://lore.kernel.org/all/ahgaOigklcDCYvRp@stanley.mountain/
> 
> Isn't it enough to have in the cover letter?
> 
> Thanks for commenting there, but I would insist to move these two paragraphs
> from the commit message here. Maybe Kees is okay with that, I'm thinking that
> this is too much (since we have lore archives).

To me the "An x86_64 allyesconfig build showed no new warnings" information
adds no value at all.  It is assumed and if you didn't do that then a lot
of people are going to know and complain.

regards,
dan carpenter

^ permalink raw reply

* Re: [PATCH v2 1/2] media: atomisp: fix memory leak in atomisp_pci_probe()
From: Andy Shevchenko @ 2026-06-15 13:51 UTC (permalink / raw)
  To: Dawei Feng
  Cc: abdelrahmanfekry375, error27, andy, corbet, gregkh, hansg,
	jianhao.xu, keescook, linux-kernel, linux-media, linux-staging,
	mchehab, sakari.ailus, zilin
In-Reply-To: <20260615123515.3289855-1-dawei.feng@seu.edu.cn>

On Mon, Jun 15, 2026 at 08:35:15PM +0800, Dawei Feng wrote:
> On Mon, Jun 15, 2026 at 02:11:12PM +0300, Andy Shevchenko wrote:
> >> Fixes: 9d4fa1a16b28 ("media: atomisp: cleanup directory hierarchy")
> >> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> >> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
> >
> >This SoB chain is wrong. Who is Zilin and why is he here?
> 
> Zilin is the discoverer of this bug. We are in the same research group,
> and he actively participated in reviewing this patch. 

> To better align with the kernel submission guidelines, I will add a
> "Co-developed-by:" tag in the v3 patch for Zilin to properly reflect his
> contributions. Would this be acceptable?

But did he _develop_ any parts of this patch? Otherwise Reported-by is more
suitable.

> >These last two paragraphs do not suit the commit message. Please, drop them
> >here and better to describe all this in the cover letter (if not yet).
> 
> As Dan mentioned, I included those paragraphs following the example in
> researcher-guidelines[1].

Yes, and I still insist to move them to the cover letter. In any case those are
not present in the second patch anyway, moving that to cover letter covers the
entire series (and I believe you tested the entire series, didn't you?).

> [1] https://docs.kernel.org/process/researcher-guidelines.html

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply

* Re: [PATCH v2 1/2] media: atomisp: fix memory leak in atomisp_pci_probe()
From: Andy Shevchenko @ 2026-06-15 13:49 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Dawei Feng, andy, hansg, mchehab, sakari.ailus, gregkh,
	abdelrahmanfekry375, linux-kernel, linux-media, linux-staging,
	jianhao.xu, Zilin Guan, Kees Cook, Jonathan Corbet
In-Reply-To: <ai_kfgkuDYcFd0bG@stanley.mountain>

On Mon, Jun 15, 2026 at 02:39:42PM +0300, Dan Carpenter wrote:
> On Mon, Jun 15, 2026 at 02:11:12PM +0300, Andy Shevchenko wrote:

...

> > > The bug was first flagged by an experimental analysis tool we are
> > > developing for kernel memory-management bugs while analyzing
> > > v6.13-rc1. The tool is still under development and is not yet publicly
> > > available. Manual inspection confirms that the bug is still present in
> > > v7.1-rc7.
> > > 
> > > An x86_64 allyesconfig build showed no new warnings. As we do not have
> > > an Intel Atom ISP platform with the required camera sensor hardware to
> > > test with, no runtime testing was able to be performed.
> > 
> > These last two paragraphs do not suit the commit message. Please, drop them
> > here and better to describe all this in the cover letter (if not yet).
> 
> This is how the documentation says to write commit messages.
> 
> https://lore.kernel.org/all/ahgaOigklcDCYvRp@stanley.mountain/

Isn't it enough to have in the cover letter?

Thanks for commenting there, but I would insist to move these two paragraphs
from the commit message here. Maybe Kees is okay with that, I'm thinking that
this is too much (since we have lore archives).

-- 
With Best Regards,
Andy Shevchenko



^ permalink raw reply

* Re: [PATCH v2] staging: rtl8723bs: wrap long pointer arithmetic line
From: Dan Carpenter @ 2026-06-15 12:54 UTC (permalink / raw)
  To: Devansh Soni; +Cc: gregkh, linux-staging, linux-kernel
In-Reply-To: <20260615122822.31103-1-devanshsoni874@gmail.com>

On Mon, Jun 15, 2026 at 05:58:22PM +0530, Devansh Soni wrote:
> Wrap a long pointer arithmetic line to resolve a checkpatch.pl
> line length warning.
> 
> Signed-off-by: Devansh Soni <devanshsoni874@gmail.com>
> ---

Please wait a day between resends.  Follow all the other v2 rules
etc.

https://staticthinking.wordpress.com/2022/07/27/how-to-send-a-v2-patch/

regards,
dan carpenter


^ permalink raw reply

* Re: [PATCH] staging: rtl8723bs: fix line length checkpatch warning
From: Dan Carpenter @ 2026-06-15 12:52 UTC (permalink / raw)
  To: Devansh Soni; +Cc: gregkh, linux-staging, linux-kernel
In-Reply-To: <20260615121838.30825-1-devanshsoni874@gmail.com>

On Mon, Jun 15, 2026 at 05:48:38PM +0530, Devansh Soni wrote:
> Wrap a long pointer arithmetic line to resolve a checkpatch.pl line length warning.
> 
> Signed-off-by: Devansh Soni <devanshsoni874@gmail.com>
> ---
>  drivers/staging/rtl8723bs/core/rtw_cmd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/rtl8723bs/core/rtw_cmd.c b/drivers/staging/rtl8723bs/core/rtw_cmd.c
> index c1185c25e..d727a00f2 100644
> --- a/drivers/staging/rtl8723bs/core/rtw_cmd.c
> +++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c
> @@ -184,7 +184,8 @@ int rtw_init_cmd_priv(struct	cmd_priv *pcmdpriv)
>  		return -ENOMEM;
>  	}
>  
> -	pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 - ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3);
> +	pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 -
> +			    ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3);
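
Review bot: The wrapped expression is not a plain round-up to a 4-byte boundary: when `rsp_allocated_buf` is already 4-byte aligned, `(SIZE_PTR)(...) & 3` is 0 and `rsp_buf` lands a full 4 bytes past the start of the allocation. Swapping in an alignment macro would therefore move `rsp_buf`, and either form relies on the allocation carrying spare bytes, which this hunk does not show. If the line is being touched, the commit message should say whether that offset is intended and where the extra space is allocated.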

This code is ALIGN() the pointer to the 4 byte boundary.  We have a macro
for that.  But also I bet that the pointer is already aligned to start
with.  Also check that we allocated enough space to align it.  (I have
not looked at this code outside of what I can see in this email).

regards,
dan carpenter


^ permalink raw reply

* Re: [PATCH v2 1/2] media: atomisp: fix memory leak in atomisp_pci_probe()
From: Dawei Feng @ 2026-06-15 12:35 UTC (permalink / raw)
  To: andriy.shevchenko
  Cc: abdelrahmanfekry375, error27, andy, corbet, dawei.feng, gregkh,
	hansg, jianhao.xu, keescook, linux-kernel, linux-media,
	linux-staging, mchehab, sakari.ailus, zilin
In-Reply-To: <ai_kfgkuDYcFd0bG@stanley.mountain>

Hi Andy,

Thanks for the review.

On Mon, Jun 15, 2026 at 02:11:12PM +0300, Andy Shevchenko wrote:
>> Fixes: 9d4fa1a16b28 ("media: atomisp: cleanup directory hierarchy")
>> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
>> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
>
>This SoB chain is wrong. Who is Zilin and why is he here?

Zilin is the discoverer of this bug. We are in the same research group,
and he actively participated in reviewing this patch. 

To better align with the kernel submission guidelines, I will add a
"Co-developed-by:" tag in the v3 patch for Zilin to properly reflect his
contributions. Would this be acceptable?

>These last two paragraphs do not suit the commit message. Please, drop them
>here and better to describe all this in the cover letter (if not yet).

As Dan mentioned, I included those paragraphs following the example in
researcher-guidelines[1].

[1] https://docs.kernel.org/process/researcher-guidelines.html

Best regards,
Dawei Feng

^ permalink raw reply

* [PATCH v2] staging: rtl8723bs: wrap long pointer arithmetic line
From: Devansh Soni @ 2026-06-15 12:28 UTC (permalink / raw)
  To: gregkh; +Cc: linux-staging, linux-kernel, Devansh Soni

Wrap a long pointer arithmetic line to resolve a checkpatch.pl
line length warning.

Signed-off-by: Devansh Soni <devanshsoni874@gmail.com>
---
 drivers/staging/rtl8723bs/core/rtw_cmd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_cmd.c b/drivers/staging/rtl8723bs/core/rtw_cmd.c
index c1185c25e..d727a00f2 100644
--- a/drivers/staging/rtl8723bs/core/rtw_cmd.c
+++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c
@@ -184,7 +184,8 @@ int rtw_init_cmd_priv(struct	cmd_priv *pcmdpriv)
 		return -ENOMEM;
 	}
 
-	pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 - ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3);
+	pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 -
+			    ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3);
 
 	pcmdpriv->cmd_issued_cnt = 0;
 	pcmdpriv->cmd_done_cnt = 0;
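
Review bot: This hunk is identical to the first posting (the index line carries the same blob ids, c1185c25e..d727a00f2), so v2 differs only in the subject and the re-wrapped commit message, yet nothing after the `---` line says so. Add a short "v2:" note there describing what changed since v1, so reviewers do not have to diff the two mails to find out that the code is untouched.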
-- 
2.54.0


^ permalink raw reply related

* Re: [PATCH] staging: rtl8723bs: fix line length checkpatch warning
From: Greg KH @ 2026-06-15 12:23 UTC (permalink / raw)
  To: Devansh Soni; +Cc: linux-staging, linux-kernel
In-Reply-To: <20260615121838.30825-1-devanshsoni874@gmail.com>

On Mon, Jun 15, 2026 at 05:48:38PM +0530, Devansh Soni wrote:
> Wrap a long pointer arithmetic line to resolve a checkpatch.pl line length warning.

Ironically, this text is too wide :(

Didn't checkpatch complain about that?

thanks,

greg k-h

^ permalink raw reply

* Re: [PATCH v2 1/1] MAINTAINERS: Camera sensor and Intel IPU driver changes
From: David Heidelberg @ 2026-06-15 12:19 UTC (permalink / raw)
  To: Sakari Ailus, linux-media
  Cc: Yong Zhi, Mauro Carvalho Chehab, Greg Kroah-Hartman, Lixu Zhang,
	linux-kernel, linux-staging, Bingbu Cao, Dave Stevenson,
	Richard Acayan
In-Reply-To: <20260605074944.666654-1-sakari.ailus@linux.intel.com>



On 05/06/2026 09:49, Sakari Ailus wrote:
> From: Dave Hansen <dave.hansen@linux.intel.com>
> 
> Tian Shu Qiu and Bingbu Cao are maintainers and reviewers of a bunch of
> media drivers (7 and 9 respectively). Bingbu's e-mail address has changed
> and Tian Shu's is bouncing.
> 
> Update Bingbu's e-mail address, remove Bingbu as a maintainer from Intel
> specific drivers and remove Tian Shu as maintainer. Also add Dave
> Stevenson as a maintainer and David Heidelberg as a reviewer for the
> imx355 driver.
> 
> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
> Cc: Yong Zhi <yong.zhi@intel.com>
> Cc: Dan Scally <dan.scally@ideasonboard.com>
> Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Lixu Zhang <lixu.zhang@intel.com>
> Cc: linux-media@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-staging@lists.linux.dev
> Co-developed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
> ---
>   MAINTAINERS | 29 ++++++++++++-----------------
>   1 file changed, 12 insertions(+), 17 deletions(-)
> 

Acked-by: David Heidelberg <david@ixit.cz>

^ permalink raw reply

* Re: [PATCH v13 17/22] media: i2c: maxim-serdes: add MAX96724 driver
From: Dan Carpenter @ 2026-06-15 12:19 UTC (permalink / raw)
  To: Niklas Söderlund
  Cc: dumitru.ceclan, Tomi Valkeinen, Mauro Carvalho Chehab,
	Sakari Ailus, Laurent Pinchart, Julien Massot, Rob Herring,
	Greg Kroah-Hartman, mitrutzceclan, linux-media, linux-kernel,
	devicetree, linux-staging, linux-gpio, Martin Hecht,
	Cosmin Tanislav, Cory Keitz
In-Reply-To: <ail9bHXL_NV2DZK5@stanley.mountain>

On Wed, Jun 10, 2026 at 06:06:20PM +0300, Dan Carpenter wrote:
> On Wed, Jun 10, 2026 at 04:42:42PM +0200, Niklas Söderlund wrote:
> > Hi,
> > 
> > Thanks for your work.
> > 
> > This patch gives me new compiler warnings, can they be avoided?
> > 
> >   .../max96724.c:402 max96724_log_phy_status() warn: subtract is higher precedence than shift
> >   .../max96724.c:409 max96724_log_phy_status() warn: subtract is higher precedence than shift
> >   .../max96724.c:588 max96724_init_phy() warn: subtract is higher precedence than shift
> >   .../max96724.c:756 max96724_set_pipe_remap() warn: subtract is higher precedence than shift
> >   .../max96724.c:796 max96724_set_pipe_phy() warn: subtract is higher precedence than shift
> >   .../max96724.c:818 max96724_set_pipe_stream_id() warn: subtract is higher precedence than shift
> >   .../max96724.c:830 max96724_set_pipe_link() warn: subtract is higher precedence than shift
> >   .../max96724.c:942 max96724_set_link_version() warn: subtract is higher precedence than shift
> > 
> 
> These are Smatch warnings.  I apologize for them.  I know about them
> but I haven't looked at them.  I'll fix them by the end of the week.

I've pushed a fix for these to the devel branch of Smatch.

regards,
dan carpenter


^ permalink raw reply

