From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Bitterblue Smith <rtl8821cerfe2@gmail.com>,
Ping-Ke Shih <pkshih@realtek.com>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.19-6.12] wifi: rtw88: Fix inadvertent sharing of struct ieee80211_supported_band data
Date: Sat, 14 Feb 2026 16:23:00 -0500 [thread overview]
Message-ID: <20260214212452.782265-35-sashal@kernel.org> (raw)
In-Reply-To: <20260214212452.782265-1-sashal@kernel.org>
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit fcac0f23d4d20b11014a39f8e2527cdc12ec9c82 ]
Internally wiphy writes to individual channels in this structure,
so we must not share one static definition of channel list between
multiple device instances, because that causes hard to debug
breakage.
For example, with two rtw88 driven devices in the system, channel
information may get incoherent, preventing channel use.
Copied from commit 0ae36391c804 ("wifi: rtw89: Fix inadverent sharing
of struct ieee80211_supported_band data").
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/e94ad653-2b6d-4284-a33c-8c694f88955b@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
This is a relevant finding: `devm_kmemdup_array()` was introduced in
v6.15 cycle (February 2025). This means for older stable trees (6.12.y,
6.6.y, 6.1.y, 5.15.y), this function won't exist and the backport would
need adaptation. However, this is a minor concern - it can be replaced
with `devm_kmemdup()` with a manual size calculation.
### 6. USER IMPACT
- **Affected users:** Anyone with two or more rtw88 WiFi adapters in
their system (e.g., RTL8822CE + RTL8821CE, or built-in + USB adapter)
- **Symptom:** Channel information becomes corrupt; certain WiFi
channels become unusable
- **Severity:** Medium-High. WiFi connectivity issues are significant
for users
- **Driver popularity:** rtw88 supports many common Realtek WiFi chips
(RTL8822BE, RTL8822CE, RTL8821CE, RTL8723DE) found in many laptops
### 7. DEPENDENCY CHECK
The main dependency concern is `devm_kmemdup_array()`, which was added
in v6.15. For older stable trees, this would need to be adapted
(trivially, by using `devm_kmemdup()` with `sband->n_channels *
sizeof(*sband->channels)` manually). The rest of the code is standard
and should exist in all stable trees that have the rtw88 driver.
### Summary
**What it fixes:** Data corruption bug where multiple rtw88 WiFi device
instances share the same static channel/bitrate arrays through shallow
copying. When one device's wiphy modifies channel data, it corrupts the
other device's data.
**Stable criteria met:**
- Obviously correct (deep copy instead of shallow copy)
- Fixes a real bug (channel data corruption with multiple devices)
- Small and contained (~30 new lines in one file)
- No new features
- Already proven pattern (same fix in rtw89)
- Acked by Realtek maintainer
**Risk:** Very low. The change only affects rtw88 driver initialization,
uses standard kernel APIs, and devres handles cleanup automatically.
**Concern:** `devm_kmemdup_array()` may need adaptation for older stable
trees, but this is a trivial mechanical change.
**YES**
drivers/net/wireless/realtek/rtw88/main.c | 34 +++++++++++++++++++----
1 file changed, 29 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 2004d714530a3..e1de638164862 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -1658,16 +1658,41 @@ static u16 rtw_get_max_scan_ie_len(struct rtw_dev *rtwdev)
return len;
}
+static struct ieee80211_supported_band *
+rtw_sband_dup(struct rtw_dev *rtwdev,
+ const struct ieee80211_supported_band *sband)
+{
+ struct ieee80211_supported_band *dup;
+
+ dup = devm_kmemdup(rtwdev->dev, sband, sizeof(*sband), GFP_KERNEL);
+ if (!dup)
+ return NULL;
+
+ dup->channels = devm_kmemdup_array(rtwdev->dev, sband->channels,
+ sband->n_channels,
+ sizeof(*sband->channels),
+ GFP_KERNEL);
+ if (!dup->channels)
+ return NULL;
+
+ dup->bitrates = devm_kmemdup_array(rtwdev->dev, sband->bitrates,
+ sband->n_bitrates,
+ sizeof(*sband->bitrates),
+ GFP_KERNEL);
+ if (!dup->bitrates)
+ return NULL;
+
+ return dup;
+}
+
static void rtw_set_supported_band(struct ieee80211_hw *hw,
const struct rtw_chip_info *chip)
{
struct ieee80211_supported_band *sband;
struct rtw_dev *rtwdev = hw->priv;
- struct device *dev = rtwdev->dev;
if (chip->band & RTW_BAND_2G) {
- sband = devm_kmemdup(dev, &rtw_band_2ghz, sizeof(*sband),
- GFP_KERNEL);
+ sband = rtw_sband_dup(rtwdev, &rtw_band_2ghz);
if (!sband)
goto err_out;
if (chip->ht_supported)
@@ -1676,8 +1701,7 @@ static void rtw_set_supported_band(struct ieee80211_hw *hw,
}
if (chip->band & RTW_BAND_5G) {
- sband = devm_kmemdup(dev, &rtw_band_5ghz, sizeof(*sband),
- GFP_KERNEL);
+ sband = rtw_sband_dup(rtwdev, &rtw_band_5ghz);
if (!sband)
goto err_out;
if (chip->ht_supported)
--
2.51.0
next prev parent reply other threads:[~2026-02-14 21:25 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-14 21:22 [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: ser: enable error IMR after recovering from L1 Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] wifi: ath11k: Fix failure to connect to a 6 GHz AP Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.1] wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode() Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: 8922a: add digital compensation for 2GHz Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: pci: validate sequence number of TX release report Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.10] wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power() Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.6] wifi: rtw88: rtw8821cu: Add ID for Mercusys MU6H Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: Add support for MSI AX1800 Nano (GUAX18N) Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: mcc: reset probe counter when receiving beacon Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: setting TBTT AGG number when mac port initialization Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: disable EHT protocol by chip capabilities Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.10] wifi: ath10k: fix lock protection in ath10k_wmi_event_peer_sta_ps_state_chg() Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] wifi: cfg80211: allow only one NAN interface, also in multi radio Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.6] wifi: ath12k: fix preferred hardware mode calculation Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.1] wifi: rtw88: fix DTIM period handling when conf->dtim_period is zero Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: mac: correct page number for CSI response Sasha Levin
2026-02-14 21:23 ` Sasha Levin [this message]
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19] wifi: rtw89: 8852au: add support for TP TX30U Plus Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.6] wifi: ath11k: add pm quirk for Thinkpad Z13/Z16 Gen1 Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19] wifi: rtw89: Add default ID 28de:2432 for RTL8832CU Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: ath12k: fix mac phy capability parsing Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.1] wifi: rtw89: pci: restore LDO setting after device resume Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] wifi: iwlegacy: add missing mutex protection in il3945_store_measurement() Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19] wifi: rtw89: Add support for D-Link VR Air Bridge (DWA-F18) Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.6] wifi: rtw89: wow: add reason codes for disassociation in WoWLAN mode Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: fix unable to receive probe responses under MLO connection Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: regd: 6 GHz power type marks default when inactive Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19] wifi: cfg80211: treat deprecated INDOOR_SP_AP_OLD control value as LPI mode Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band() Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] wifi: libertas: fix WARNING in usb_tx_block Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: pci: validate release report content before using for RTL8922DE Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: 8922a: set random mac if efuse contains zeroes Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: fix potential zero beacon interval in beacon tracking Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260214212452.782265-35-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=pkshih@realtek.com \
--cc=rtl8821cerfe2@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox