From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Ping-Ke Shih <pkshih@realtek.com>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: pci: validate release report content before using for RTL8922DE
Date: Sat, 14 Feb 2026 16:23:54 -0500
Message-ID: <20260214212452.782265-89-sashal@kernel.org>
In-Reply-To: <20260214212452.782265-1-sashal@kernel.org>
From: Ping-Ke Shih <pkshih@realtek.com>
[ Upstream commit 5f93d611b33a05bd03d6843c8efe8cb6a1992620 ]
The commit 957eda596c76
("wifi: rtw89: pci: validate sequence number of TX release report")
does validation on existing chips, which somehow a release report of SKB
becomes malformed. As no clear cause found, add rules ahead for RTL8922DE
to avoid crash if it happens.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260123013957.16418-11-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
### Detailed Code Change Analysis
The change modifies the `rtw89_pci_release_rpp()` function in two ways:
**OLD code:**
```c
if (unlikely(rpp_info.txch == RTW89_TXCH_CH12)) {
	rtw89_warn(rtwdev, "should no fwcmd release report\n");
	return;
}
```
**NEW code:**
```c
if (unlikely(rpp_info.txch >= RTW89_TXCH_NUM ||
	     info->tx_dma_ch_mask & BIT(rpp_info.txch))) {
	rtw89_warn(rtwdev, "should no release report on txch %d\n",
		   rpp_info.txch);
	return;
}
```
**What changed and why it matters:**
1. **Bounds check strengthened**: The old check only rejected `txch ==
RTW89_TXCH_CH12` (value 12). The new check rejects `txch >=
RTW89_TXCH_NUM` (value >= 13), which catches **out-of-bounds array
access** when `rpp_info.txch` is used as an index into
`rtwpci->tx.rings[]` (which has `RTW89_TXCH_NUM` = 13 elements).
Without this check, a malformed report with `txch >= 13` would cause
an **out-of-bounds array access**, potentially leading to a crash.
2. **Masked channel check added**: The new code also checks
`info->tx_dma_ch_mask & BIT(rpp_info.txch)`, which rejects release
reports for TX channels that are disabled/masked on the specific
hardware. Accessing a ring for a masked channel could reference
uninitialized data since those rings are not set up during
initialization (as confirmed by the `tx_dma_ch_mask` being used to
skip ring initialization).
3. **The old CH12 check is subsumed**: RTW89_TXCH_CH12 = 12 is the
firmware command channel. For chips like RTL8922DE, `tx_dma_ch_mask`
includes `BIT(RTW89_TXCH_CH12)` (since FW CMD channel is typically
masked), so the old specific check is generalized into the broader
mask-based check.
### 3. CLASSIFICATION
This is a **bug fix** — specifically a crash prevention fix through
input validation. It:
- Prevents out-of-bounds array access (txch >= RTW89_TXCH_NUM)
- Prevents access to uninitialized TX rings (masked channels)
- The commit message explicitly says "to avoid crash if it happens"
- This extends existing validation (from commit 957eda596c76) to cover
additional edge cases for RTL8922DE
### 4. SCOPE AND RISK ASSESSMENT
- **Lines changed**: ~6 lines modified in a single function
- **Files touched**: 1 file (`drivers/net/wireless/realtek/rtw89/pci.c`)
- **Risk**: Very low. The change only adds/strengthens a bounds check
and an already-masked-channel check. It's purely defensive — it only
triggers on malformed data and returns early with a warning.
- **Subsystem**: WiFi driver (rtw89), well-maintained by Realtek
engineers
- **The old behavior (CH12 check) is subsumed**, not removed — it's
generalized
### 5. USER IMPACT
- **Who is affected**: Users with RTL8922DE WiFi adapters (and
potentially other Realtek WiFi chips using the rtw89 driver)
- **Severity if triggered**: Kernel crash (NULL pointer dereference or
out-of-bounds access) — this is HIGH severity
- **Likelihood**: The referenced commit 957eda596c76 was created because
this actually happened with malformed release reports — the cause was
unclear but the crash was real
- **Author**: Ping-Ke Shih from Realtek, the driver maintainer — high
trust
### 6. STABILITY INDICATORS
- The commit comes from the rtw89 maintainer at Realtek
- It follows the pattern of an earlier validated fix (957eda596c76)
- Small, surgical change with clear defensive purpose
### 7. DEPENDENCY CHECK
- This commit depends on `957eda596c76` being present (which added the
initial validation framework including the `rpp_info.seq >=
RTW89_PCI_TXWD_NUM_MAX` check that remains unchanged)
- It also depends on the `tx_dma_ch_mask` field existing in `struct
rtw89_pci_info` and the `parse_rpp` callback mechanism
- The RTL8922DE support needs to exist in the target stable tree
### Summary
This is a small, surgical crash prevention fix that strengthens input
validation for malformed TX release reports in the rtw89 WiFi driver. It
prevents:
1. **Out-of-bounds array access** when `txch >= RTW89_TXCH_NUM` (13)
2. **Access to uninitialized/disabled TX rings** when the channel is
masked
The fix is:
- Obviously correct (bounds check + mask check before array indexing)
- Small and contained (6 lines in one function, one file)
- Fixes a real crash scenario (explicitly stated, and mirrors existing
fix for other chips)
- Written by the driver maintainer at Realtek
- Very low regression risk (only affects error/malformed paths)
The only concern is whether the RTL8922DE support and the prerequisite
commit exist in the target stable tree. If the RTL8922DE driver and the
`tx_dma_ch_mask` infrastructure are present, this is straightforward to
backport.
**YES**
drivers/net/wireless/realtek/rtw89/pci.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c
index 093960d7279f8..b8135cf15d13c 100644
--- a/drivers/net/wireless/realtek/rtw89/pci.c
+++ b/drivers/net/wireless/realtek/rtw89/pci.c
@@ -604,8 +604,10 @@ static void rtw89_pci_release_rpp(struct rtw89_dev *rtwdev, void *rpp)
info->parse_rpp(rtwdev, rpp, &rpp_info);
- if (unlikely(rpp_info.txch == RTW89_TXCH_CH12)) {
- rtw89_warn(rtwdev, "should no fwcmd release report\n");
+ if (unlikely(rpp_info.txch >= RTW89_TXCH_NUM ||
+ info->tx_dma_ch_mask & BIT(rpp_info.txch))) {
+ rtw89_warn(rtwdev, "should no release report on txch %d\n",
+ rpp_info.txch);
return;
}
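Review bot: The removed `rpp_info.txch == RTW89_TXCH_CH12` test was unconditional, but after this hunk a report on the firmware command channel is rejected only when `info->tx_dma_ch_mask` has `BIT(RTW89_TXCH_CH12)` set, and the new condition carries no chip test even though the subject limits the change to RTL8922DE. Before backporting, confirm that every `tx_dma_ch_mask` in the target tree includes CH12, or keep the explicit CH12 comparison alongside the new condition. The operand order is right, since the range test short-circuits before `BIT(rpp_info.txch)` is evaluated with an out-of-range shift count, but parentheses around the `&` term would make the mixed `||` and `&` easier to read. Because the commit message says the cause of the malformed reports is unknown, also consider whether the `rtw89_warn()` call should be rate-limited so that a run of bad reports cannot flood the log.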
--
2.51.0