* [PATCH v3] wifi: rtw89: add bounds check on firmware mac_id in link lookup
@ 2026-04-21 10:44 Tristan Madani
0 siblings, 0 replies; 6+ messages in thread
From: Tristan Madani @ 2026-04-21 10:44 UTC (permalink / raw)
To: Ping-Ke Shih; +Cc: Johannes Berg, linux-wireless
On Mon, 20 Apr 2026, Ping-Ke Shih wrote:
> Since this is used by data path, I prefer 'unlikely(macid >= RTW89_MAX_MAC_ID_NUM'.
Good point. v3 below adds unlikely().
---
From: Tristan Madani <tristan@talencesecurity.com>
Subject: [PATCH v3] wifi: rtw89: add bounds check on firmware mac_id in link lookup
The mac_id field in RX descriptors is 8 bits wide (0-255), but
assoc_link_on_macid[] has only RTW89_MAX_MAC_ID_NUM (128) entries.
While the driver currently assigns mac_id values below 128, the
descriptor value comes from firmware and is not validated before use
as an array index. Add a defensive bounds check in
rtw89_assoc_link_rcu_dereference() to guard against out-of-range
firmware values.
Fixes: 144c6cd24b35 ("wifi: rtw89: 8922a: configure AP_LINK_PS if FW supports")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Wrap check in unlikely() since this is a data path, per
Ping-Ke Shih.
Changes in v2:
- v2 resubmission with plain-text formatting (git send-email).
Per Ping-Ke Shih: defensive framing (firmware assigns < 128
today, but descriptor field is 8-bit).
drivers/net/wireless/realtek/rtw89/core.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/realtek/rtw89/core.h
+++ b/drivers/net/wireless/realtek/rtw89/core.h
@@ -6435,6 +6435,9 @@ static inline struct rtw89_sta_link *
rtw89_assoc_link_rcu_dereference(struct rtw89_dev *rtwdev, u8 macid)
{
+ if (unlikely(macid >= RTW89_MAX_MAC_ID_NUM))
+ return NULL;
+
return rcu_dereference(rtwdev->assoc_link_on_macid[macid]);
}
--
2.43.0
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v3] wifi: rtw89: add bounds check on firmware mac_id in link lookup
@ 2026-04-21 11:01 Tristan Madani
2026-04-21 11:05 ` Johannes Berg
0 siblings, 1 reply; 6+ messages in thread
From: Tristan Madani @ 2026-04-21 11:01 UTC (permalink / raw)
To: Ping-Ke Shih; +Cc: Johannes Berg, linux-wireless, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
The mac_id field in RX descriptors is 8 bits wide (0-255), but
assoc_link_on_macid[] has only RTW89_MAX_MAC_ID_NUM (128) entries.
While the driver currently assigns mac_id values below 128, the
descriptor value comes from firmware and is not validated before use
as an array index. Add a defensive bounds check in
rtw89_assoc_link_rcu_dereference() to guard against out-of-range
firmware values.
Fixes: 144c6cd24b35 ("wifi: rtw89: 8922a: configure AP_LINK_PS if FW supports")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Wrap check in unlikely() since this is a data path, per
Ping-Ke Shih.
Changes in v2:
- v2 resubmission with plain-text formatting (git send-email).
Per Ping-Ke Shih: defensive framing (firmware assigns < 128
today, but descriptor field is 8-bit).
drivers/net/wireless/realtek/rtw89/core.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/realtek/rtw89/core.h
+++ b/drivers/net/wireless/realtek/rtw89/core.h
@@ -6435,6 +6435,9 @@ static inline struct rtw89_sta_link *
rtw89_assoc_link_rcu_dereference(struct rtw89_dev *rtwdev, u8 macid)
{
+ if (unlikely(macid >= RTW89_MAX_MAC_ID_NUM))
+ return NULL;
+
return rcu_dereference(rtwdev->assoc_link_on_macid[macid]);
}
--
2.47.3
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v3] wifi: rtw89: add bounds check on firmware mac_id in link lookup
2026-04-21 11:01 Tristan Madani
@ 2026-04-21 11:05 ` Johannes Berg
2026-04-21 11:08 ` Johannes Berg
0 siblings, 1 reply; 6+ messages in thread
From: Johannes Berg @ 2026-04-21 11:05 UTC (permalink / raw)
To: Tristan Madani, Ping-Ke Shih; +Cc: linux-wireless, Tristan Madani
On Tue, 2026-04-21 at 11:01 +0000, Tristan Madani wrote:
>
> diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/net/wireless/realtek/rtw89/core.h
> +++ b/drivers/net/wireless/realtek/rtw89/core.h
> @@ -6435,6 +6435,9 @@ static inline struct rtw89_sta_link *
> rtw89_assoc_link_rcu_dereference(struct rtw89_dev *rtwdev, u8 macid)
> {
> + if (unlikely(macid >= RTW89_MAX_MAC_ID_NUM))
> + return NULL;
> +
> return rcu_dereference(rtwdev->assoc_link_on_macid[macid]);
> }
Also, I have no idea how you're generating these patches, but please
don't do whatever you're doing.
You have "X-Mailer: git-send-email 2.47.3" in there, but there's no way
git would have created such corrupt patches. Also the "index XXXXX"
thing seems to point to some (fairly pointless since it's just hashes)
post-processing.
Please stop sending patches until you've figured out how to generate
patches that can actually (and reproducibly) be *applied*.
johannes
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v3] wifi: rtw89: add bounds check on firmware mac_id in link lookup
2026-04-21 11:05 ` Johannes Berg
@ 2026-04-21 11:08 ` Johannes Berg
0 siblings, 0 replies; 6+ messages in thread
From: Johannes Berg @ 2026-04-21 11:08 UTC (permalink / raw)
To: Tristan Madani, Ping-Ke Shih; +Cc: linux-wireless, Tristan Madani
On Tue, 2026-04-21 at 13:05 +0200, Johannes Berg wrote:
>
> Please stop sending patches until you've figured out how to generate
> patches that can actually (and reproducibly) be *applied*.
FWIW, I've just dropped *all* of your wireless related patches except
three that provably worked, you can see it here:
https://patchwork.kernel.org/project/linux-wireless/list/?submitter=221411&state=*
Feel free to resend after you figure out how your sending email path has
(not even subtly) corrupted most of your patches.
johannes
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH v3] wifi: rtw89: add bounds check on firmware mac_id in link lookup
@ 2026-04-21 11:14 Tristan Madani
2026-04-29 5:43 ` Ping-Ke Shih
0 siblings, 1 reply; 6+ messages in thread
From: Tristan Madani @ 2026-04-21 11:14 UTC (permalink / raw)
To: Ping-Ke Shih; +Cc: Johannes Berg, linux-wireless, Tristan Madani
From: Tristan Madani <tristan@talencesecurity.com>
The mac_id field in RX descriptors is 8 bits wide (0-255), but
assoc_link_on_macid[] has only RTW89_MAX_MAC_ID_NUM (128) entries.
While the driver currently assigns mac_id values below 128, the
descriptor value comes from firmware and is not validated before use
as an array index. Add a defensive bounds check in
rtw89_assoc_link_rcu_dereference() to guard against out-of-range
firmware values.
Fixes: 144c6cd24b35 ("wifi: rtw89: 8922a: configure AP_LINK_PS if FW supports")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Changes in v3:
- Wrap check in unlikely() since this is a data path, per
Ping-Ke Shih.
Changes in v2:
- Plain-text formatting via git send-email. Per Ping-Ke Shih:
defensive framing (firmware assigns < 128 today, but descriptor
field is 8-bit).
drivers/net/wireless/realtek/rtw89/core.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h
index fd29dbbb120d2..05adf20a65be1 100644
--- a/drivers/net/wireless/realtek/rtw89/core.h
+++ b/drivers/net/wireless/realtek/rtw89/core.h
@@ -6492,6 +6492,9 @@ static inline void rtw89_assoc_link_clr(struct rtw89_sta_link *rtwsta_link)
static inline struct rtw89_sta_link *
rtw89_assoc_link_rcu_dereference(struct rtw89_dev *rtwdev, u8 macid)
{
+ if (unlikely(macid >= RTW89_MAX_MAC_ID_NUM))
+ return NULL;
+
return rcu_dereference(rtwdev->assoc_link_on_macid[macid]);
}
--
2.47.3
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v3] wifi: rtw89: add bounds check on firmware mac_id in link lookup
2026-04-21 11:14 [PATCH v3] wifi: rtw89: add bounds check on firmware mac_id in link lookup Tristan Madani
@ 2026-04-29 5:43 ` Ping-Ke Shih
0 siblings, 0 replies; 6+ messages in thread
From: Ping-Ke Shih @ 2026-04-29 5:43 UTC (permalink / raw)
To: Tristan Madani, Ping-Ke Shih
Cc: Johannes Berg, linux-wireless, Tristan Madani
Tristan Madani <tristmd@gmail.com> wrote:
> From: Tristan Madani <tristan@talencesecurity.com>
>
> The mac_id field in RX descriptors is 8 bits wide (0-255), but
> assoc_link_on_macid[] has only RTW89_MAX_MAC_ID_NUM (128) entries.
> While the driver currently assigns mac_id values below 128, the
> descriptor value comes from firmware and is not validated before use
> as an array index. Add a defensive bounds check in
> rtw89_assoc_link_rcu_dereference() to guard against out-of-range
> firmware values.
>
> Fixes: 144c6cd24b35 ("wifi: rtw89: 8922a: configure AP_LINK_PS if FW supports")
> Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
1 patch(es) applied to rtw-next branch of rtw.git, thanks.
6d88244bb129 wifi: rtw89: add bounds check on firmware mac_id in link lookup
---
https://github.com/pkshih/rtw.git
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-04-29 5:43 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-21 11:14 [PATCH v3] wifi: rtw89: add bounds check on firmware mac_id in link lookup Tristan Madani
2026-04-29 5:43 ` Ping-Ke Shih
-- strict thread matches above, loose matches on Subject: below --
2026-04-21 11:01 Tristan Madani
2026-04-21 11:05 ` Johannes Berg
2026-04-21 11:08 ` Johannes Berg
2026-04-21 10:44 Tristan Madani
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox