* [PATCH rtw-next] wifi: rtw88: Add more validation for the RX descriptor
@ 2026-05-16 14:44 Bitterblue Smith
2026-05-17 16:17 ` Oleksandr Havrylov
2026-05-18 8:14 ` Ping-Ke Shih
0 siblings, 2 replies; 5+ messages in thread
From: Bitterblue Smith @ 2026-05-16 14:44 UTC (permalink / raw)
To: linux-wireless@vger.kernel.org
Cc: Ping-Ke Shih, LB F, Martin Blumenstingl, Fiona Klute,
andrej.skvortzov, anarsoul, Zhen XIN
Some RTL8821CE cards can return frames with corrupted RX descriptor,
causing warnings and crashes if they are passed to the upper layers.
The PHY status size field is 4 bits wide, but in rtw88 its value should
only be 0 or 4. Checking this catches most of the corrupt frames.
If a PHY status is present, the PHY status size should not be 0.
The frame size should not be less than or equal to 4 and should not
exceed 11454.
Discard the frame if any of these checks fail.
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221286
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
---
drivers/net/wireless/realtek/rtw88/pci.c | 16 +++++++++------
drivers/net/wireless/realtek/rtw88/rx.c | 24 +++++++++++++++++++----
drivers/net/wireless/realtek/rtw88/rx.h | 6 +++---
drivers/net/wireless/realtek/rtw88/sdio.c | 8 +++++++-
drivers/net/wireless/realtek/rtw88/usb.c | 9 ++++++---
5 files changed, 46 insertions(+), 17 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw88/pci.c b/drivers/net/wireless/realtek/rtw88/pci.c
index c2bf44e880cf..a30467228912 100644
--- a/drivers/net/wireless/realtek/rtw88/pci.c
+++ b/drivers/net/wireless/realtek/rtw88/pci.c
@@ -1042,20 +1042,21 @@ static int rtw_pci_get_hw_rx_ring_nr(struct rtw_dev *rtwdev,
static u32 rtw_pci_rx_napi(struct rtw_dev *rtwdev, struct rtw_pci *rtwpci,
u8 hw_queue, u32 limit)
{
+ struct rtw_pci_rx_ring *ring = &rtwpci->rx_rings[RTW_RX_QUEUE_MPDU];
const struct rtw_chip_info *chip = rtwdev->chip;
struct napi_struct *napi = &rtwpci->napi;
- struct rtw_pci_rx_ring *ring = &rtwpci->rx_rings[RTW_RX_QUEUE_MPDU];
- struct rtw_rx_pkt_stat pkt_stat;
+ u32 pkt_desc_sz = chip->rx_pkt_desc_sz;
+ u32 buf_desc_sz = chip->rx_buf_desc_sz;
struct ieee80211_rx_status rx_status;
+ struct rtw_rx_pkt_stat pkt_stat;
struct sk_buff *skb, *new;
u32 cur_rp = ring->r.rp;
u32 count, rx_done = 0;
u32 pkt_offset;
- u32 pkt_desc_sz = chip->rx_pkt_desc_sz;
- u32 buf_desc_sz = chip->rx_buf_desc_sz;
+ dma_addr_t dma;
u32 new_len;
u8 *rx_desc;
- dma_addr_t dma;
+ int ret;
count = rtw_pci_get_hw_rx_ring_nr(rtwdev, rtwpci);
count = min(count, limit);
@@ -1067,7 +1068,10 @@ static u32 rtw_pci_rx_napi(struct rtw_dev *rtwdev, struct rtw_pci *rtwpci,
dma_sync_single_for_cpu(rtwdev->dev, dma, RTK_PCI_RX_BUF_SIZE,
DMA_FROM_DEVICE);
rx_desc = skb->data;
- rtw_rx_query_rx_desc(rtwdev, rx_desc, &pkt_stat, &rx_status);
+ ret = rtw_rx_query_rx_desc(rtwdev, rx_desc,
+ &pkt_stat, &rx_status);
+ if (ret)
+ goto next_rp;
/* offset from rx_desc to payload */
pkt_offset = pkt_desc_sz + pkt_stat.drv_info_sz +
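Review bot: Passing the new descriptor checks does not yet show that the frame fits in the DMA buffer synced above with `RTK_PCI_RX_BUF_SIZE`. The accepted maxima (drv_info_sz of PHY_STATUS_SIZE * 8, a non-zero shift, pkt_len up to 11454) are added to pkt_desc_sz, and nothing visible here compares that sum with the buffer size. The computation of new_len and whatever consumes it are outside the hunk, so this needs confirming. If RTK_PCI_RX_BUF_SIZE is not sized for descriptor + PHY status + shift + maximum MPDU, a corrupted descriptor could still make the driver read past the buffer. A guard once new_len is known, such as `if (unlikely(new_len > RTK_PCI_RX_BUF_SIZE)) goto next_rp;`, would bound the length by what the hardware could actually have written.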
diff --git a/drivers/net/wireless/realtek/rtw88/rx.c b/drivers/net/wireless/realtek/rtw88/rx.c
index d9e11343d498..65f6db3d7fcb 100644
--- a/drivers/net/wireless/realtek/rtw88/rx.c
+++ b/drivers/net/wireless/realtek/rtw88/rx.c
@@ -3,6 +3,7 @@
*/
#include "main.h"
+#include "mac.h"
#include "rx.h"
#include "ps.h"
#include "debug.h"
@@ -261,9 +262,9 @@ static void rtw_rx_fill_rx_status(struct rtw_dev *rtwdev,
}
}
-void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
- struct rtw_rx_pkt_stat *pkt_stat,
- struct ieee80211_rx_status *rx_status)
+int rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
+ struct rtw_rx_pkt_stat *pkt_stat,
+ struct ieee80211_rx_status *rx_status)
{
u32 desc_sz = rtwdev->chip->rx_pkt_desc_sz;
struct rtw_rx_desc *rx_desc = rx_desc8;
@@ -303,12 +304,25 @@ void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
pkt_stat->bw = RTW_CHANNEL_WIDTH_20;
}
+ if (unlikely(pkt_stat->drv_info_sz &&
+ pkt_stat->drv_info_sz != PHY_STATUS_SIZE))
+ return -EINVAL;
+
+ if (unlikely(pkt_stat->phy_status && !pkt_stat->drv_info_sz))
+ return -EINVAL;
+
+ if (unlikely(pkt_stat->pkt_len > IEEE80211_MAX_MPDU_LEN_VHT_11454))
+ return -EINVAL;
+
/* drv_info_sz is in unit of 8-bytes */
pkt_stat->drv_info_sz *= 8;
/* c2h cmd pkt's rx/phy status is not interested */
if (pkt_stat->is_c2h)
- return;
+ return 0;
+
+ if (unlikely(pkt_stat->pkt_len <= FCS_LEN))
+ return -EINVAL;
phy_status = rx_desc8 + desc_sz + pkt_stat->shift;
hdr = phy_status + pkt_stat->drv_info_sz;
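Review bot: The lower bound `pkt_len <= FCS_LEN` still accepts a frame as short as 5 bytes, yet the `hdr` pointer computed on the last line of this hunk is handed to rtw_rx_fill_rx_status() in the next hunk. That helper's body is not visible here, but if it reads frame_control or address fields, a corrupt descriptor with a tiny pkt_len lets it parse bytes that are not part of the frame. Consider rejecting anything shorter than the smallest valid 802.11 frame plus FCS, for example `if (unlikely(pkt_stat->pkt_len < sizeof(struct ieee80211_cts) + FCS_LEN)) return -EINVAL;`, or have the helper check the length before each field it reads. rtw_rx_query_rx_desc() starts and ends outside this hunk.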
@@ -318,5 +332,7 @@ void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
rtwdev->chip->ops->query_phy_status(rtwdev, phy_status, pkt_stat);
rtw_rx_fill_rx_status(rtwdev, pkt_stat, hdr, rx_status);
+
+ return 0;
}
EXPORT_SYMBOL(rtw_rx_query_rx_desc);
diff --git a/drivers/net/wireless/realtek/rtw88/rx.h b/drivers/net/wireless/realtek/rtw88/rx.h
index 6b7dee245c0a..74359f641c76 100644
--- a/drivers/net/wireless/realtek/rtw88/rx.h
+++ b/drivers/net/wireless/realtek/rtw88/rx.h
@@ -45,9 +45,9 @@ struct rtw_rx_desc {
void rtw_rx_stats(struct rtw_dev *rtwdev, struct ieee80211_vif *vif,
struct sk_buff *skb);
-void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
- struct rtw_rx_pkt_stat *pkt_stat,
- struct ieee80211_rx_status *rx_status);
+int rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
+ struct rtw_rx_pkt_stat *pkt_stat,
+ struct ieee80211_rx_status *rx_status);
void rtw_update_rx_freq_from_ie(struct rtw_dev *rtwdev, struct sk_buff *skb,
struct ieee80211_rx_status *rx_status,
struct rtw_rx_pkt_stat *pkt_stat);
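Review bot: Nothing in the new prototype forces a caller to look at the error return, and on `-EINVAL` pkt_stat is left partly filled while rx_status is never populated by rtw_rx_fill_rx_status(). Declaring it as `int __must_check rtw_rx_query_rx_desc(...)` would make the compiler warn about any future caller that ignores the result. A short comment above the declaration could state that a non-zero return means the frame must be discarded and neither output struct may be used.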
diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
index 1318e94f8524..5b40d74b16ee 100644
--- a/drivers/net/wireless/realtek/rtw88/sdio.c
+++ b/drivers/net/wireless/realtek/rtw88/sdio.c
@@ -995,7 +995,13 @@ static void rtw_sdio_rxfifo_recv(struct rtw_dev *rtwdev, u32 rx_len)
while (true) {
rx_desc = skb->data;
- rtw_rx_query_rx_desc(rtwdev, rx_desc, &pkt_stat, &rx_status);
+ ret = rtw_rx_query_rx_desc(rtwdev, rx_desc,
+ &pkt_stat, &rx_status);
+ if (ret) {
+ dev_kfree_skb_any(skb);
+ return;
+ }
+
pkt_offset = pkt_desc_sz + pkt_stat.drv_info_sz +
pkt_stat.shift;
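Review bot: The error path `if (ret) { dev_kfree_skb_any(skb); return; }` discards the whole receive buffer, apparently including any frames that follow the bad descriptor in this `while (true)` loop, and the `break` added in rtw_usb_rx_handler() likewise abandons the rest of rx_skb. That is the safe choice, since the offset of the next frame would be derived from the rejected descriptor, but it deserves a comment so it is not later changed to skip a single frame, for example `/* Corrupt descriptor: next-frame offset cannot be trusted, drop the rest of the buffer */`. In the USB handler the code after the do/while loop is outside the hunk; confirm that rx_skb is still freed or requeued on the `break` path.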
diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c
index 718940ebba31..6dd8ffedab9a 100644
--- a/drivers/net/wireless/realtek/rtw88/usb.c
+++ b/drivers/net/wireless/realtek/rtw88/usb.c
@@ -610,8 +610,8 @@ static void rtw_usb_rx_handler(struct work_struct *work)
u32 max_skb_len = pkt_desc_sz + PHY_STATUS_SIZE * 8 +
IEEE80211_MAX_MPDU_LEN_VHT_11454;
u32 pkt_offset, next_pkt, skb_len;
+ int limit, ret;
u8 *rx_desc;
- int limit;
for (limit = 0; limit < 200; limit++) {
rx_skb = skb_dequeue(&rtwusb->rx_queue);
@@ -627,8 +627,11 @@ static void rtw_usb_rx_handler(struct work_struct *work)
rx_desc = rx_skb->data;
do {
- rtw_rx_query_rx_desc(rtwdev, rx_desc, &pkt_stat,
- &rx_status);
+ ret = rtw_rx_query_rx_desc(rtwdev, rx_desc,
+ &pkt_stat, &rx_status);
+ if (ret)
+ break;
+
pkt_offset = pkt_desc_sz + pkt_stat.drv_info_sz +
pkt_stat.shift;
--
2.53.0
* Re: [PATCH rtw-next] wifi: rtw88: Add more validation for the RX descriptor
2026-05-16 14:44 [PATCH rtw-next] wifi: rtw88: Add more validation for the RX descriptor Bitterblue Smith
@ 2026-05-17 16:17 ` Oleksandr Havrylov
2026-05-18 8:14 ` Ping-Ke Shih
1 sibling, 0 replies; 5+ messages in thread
From: Oleksandr Havrylov @ 2026-05-17 16:17 UTC (permalink / raw)
To: Bitterblue Smith
Cc: linux-wireless@vger.kernel.org, Ping-Ke Shih, Martin Blumenstingl,
Fiona Klute, andrej.skvortzov, anarsoul, Zhen XIN
Hi Bitterblue,
Thank you for the patch.
I have manually applied and tested this patch on top of kernel
7.0.7-1-default (x86_64) running on openSUSE Slowroll.
The test was conducted on the following hardware:
Machine: HP Notebook (SKU: P3S95EA#ACB)
Adapter: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe
Wireless Network Adapter [10ec:c821]
I verified the driver stability through a series of rigorous tests:
1. Heavy Concurrent Load: Downloading a 1.5GB Linux ISO image while
running a continuous flood ping.
2. Wi-Fi/BT Coexistence: The load test was performed while maintaining
an active Bluetooth audio stream (AVRCP profile) to check for
coexistence issues.
3. Interface Toggling: Repeatedly turning the Wi-Fi radio off and on
to simulate the network stack behavior.
4. Power Management (S3 Sleep & S4 Hibernation): Forced the system
into Suspend-to-RAM and Suspend-to-Disk (via rtcwake) and verified
that the driver successfully resumed, reinitialized the firmware, and
automatically re-associated with the AP without any lockups or
descriptor errors upon waking up.
The driver handled all tests flawlessly without any connection drops
or hangs. The new RX descriptor validation checks work exactly as
intended—they successfully caught and discarded malformed frames,
completely preventing the kernel crashes and warnings that were
previously triggered by corrupted descriptors. No regressions were
observed in network throughput, coexistence, or power management
flows.
Tested-by: Oleksandr Havrylov <goainwo@gmail.com>
* RE: [PATCH rtw-next] wifi: rtw88: Add more validation for the RX descriptor
2026-05-16 14:44 [PATCH rtw-next] wifi: rtw88: Add more validation for the RX descriptor Bitterblue Smith
2026-05-17 16:17 ` Oleksandr Havrylov
@ 2026-05-18 8:14 ` Ping-Ke Shih
2026-05-19 17:59 ` Bitterblue Smith
1 sibling, 1 reply; 5+ messages in thread
From: Ping-Ke Shih @ 2026-05-18 8:14 UTC (permalink / raw)
To: Bitterblue Smith, linux-wireless@vger.kernel.org
Cc: LB F, Martin Blumenstingl, Fiona Klute,
andrej.skvortzov@gmail.com, anarsoul@gmail.com, Zhen XIN
Bitterblue Smith <rtl8821cerfe2@gmail.com> wrote:
> Some RTL8821CE cards can return frames with corrupted RX descriptor,
> causing warnings and crashes if they are passed to the upper layers.
Not sure if this is the reason Larry uploaded a copy of vendor driver
to his repository [1].
Recently, we received a vulnerability report about rtw_mp_efuse_set() in the
vendor driver. I'd like to know whether people are still using the vendor
driver [1]. If not, is it possible to remove it? If people still need it,
I will share the fix we made internally later.
[1] https://github.com/lwfinger/rtw88/tree/master/alt_rtl8821ce
>
> The PHY status size field is 4 bits wide, but in rtw88 its value should
> only be 0 or 4. Checking this catches most of the corrupt frames.
>
> If a PHY status is present, the PHY status size should not be 0.
>
> The frame size should not be less than or equal to 4 and should not
> exceed 11454.
>
> Discard the frame if any of these checks fail.
>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221286
> Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
[...]
> diff --git a/drivers/net/wireless/realtek/rtw88/rx.c b/drivers/net/wireless/realtek/rtw88/rx.c
> index d9e11343d498..65f6db3d7fcb 100644
> --- a/drivers/net/wireless/realtek/rtw88/rx.c
> +++ b/drivers/net/wireless/realtek/rtw88/rx.c
> @@ -3,6 +3,7 @@
> */
>
> #include "main.h"
> +#include "mac.h"
> #include "rx.h"
> #include "ps.h"
> #include "debug.h"
> @@ -261,9 +262,9 @@ static void rtw_rx_fill_rx_status(struct rtw_dev *rtwdev,
> }
> }
>
> -void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
> - struct rtw_rx_pkt_stat *pkt_stat,
> - struct ieee80211_rx_status *rx_status)
> +int rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
> + struct rtw_rx_pkt_stat *pkt_stat,
> + struct ieee80211_rx_status *rx_status)
> {
> u32 desc_sz = rtwdev->chip->rx_pkt_desc_sz;
> struct rtw_rx_desc *rx_desc = rx_desc8;
> @@ -303,12 +304,25 @@ void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
> pkt_stat->bw = RTW_CHANNEL_WIDTH_20;
Do you think if we should return -EINVAL for this case too?
> }
>
> + if (unlikely(pkt_stat->drv_info_sz &&
> + pkt_stat->drv_info_sz != PHY_STATUS_SIZE))
> + return -EINVAL;
> +
> + if (unlikely(pkt_stat->phy_status && !pkt_stat->drv_info_sz))
> + return -EINVAL;
> +
> + if (unlikely(pkt_stat->pkt_len > IEEE80211_MAX_MPDU_LEN_VHT_11454))
> + return -EINVAL;
> +
> /* drv_info_sz is in unit of 8-bytes */
> pkt_stat->drv_info_sz *= 8;
>
> /* c2h cmd pkt's rx/phy status is not interested */
> if (pkt_stat->is_c2h)
> - return;
> + return 0;
> +
> + if (unlikely(pkt_stat->pkt_len <= FCS_LEN))
> + return -EINVAL;
>
> phy_status = rx_desc8 + desc_sz + pkt_stat->shift;
> hdr = phy_status + pkt_stat->drv_info_sz;
[...]
* Re: [PATCH rtw-next] wifi: rtw88: Add more validation for the RX descriptor
2026-05-18 8:14 ` Ping-Ke Shih
@ 2026-05-19 17:59 ` Bitterblue Smith
2026-05-20 1:45 ` Ping-Ke Shih
0 siblings, 1 reply; 5+ messages in thread
From: Bitterblue Smith @ 2026-05-19 17:59 UTC (permalink / raw)
To: Ping-Ke Shih, linux-wireless@vger.kernel.org
Cc: LB F, Martin Blumenstingl, Fiona Klute,
andrej.skvortzov@gmail.com, anarsoul@gmail.com, Zhen XIN
On 18/05/2026 11:14, Ping-Ke Shih wrote:
> Bitterblue Smith <rtl8821cerfe2@gmail.com> wrote:
>> Some RTL8821CE cards can return frames with corrupted RX descriptor,
>> causing warnings and crashes if they are passed to the upper layers.
>
> Not sure if this is the reason Larry uploaded a copy of vendor driver
> to his repository [1].
>
He added it for someone whose wifi card sometimes wasn't powering on:
https://github.com/lwfinger/rtw88/issues/98#issuecomment-1263962943
> Recently, we received vulnerability report of rtw_mp_efuse_set() in
> vendor driver. I'd like to know if people are still using the vendor
> driver [1]. If not, is it possible to remove it? If people still need it,
> I will share the fix made by our internal later.
>
> [1] https://github.com/lwfinger/rtw88/tree/master/alt_rtl8821ce
>
We haven't been updating it for the kernel API changes, so I think we
can remove it.
>>
>> The PHY status size field is 4 bits wide, but in rtw88 its value should
>> only be 0 or 4. Checking this catches most of the corrupt frames.
>>
>> If a PHY status is present, the PHY status size should not be 0.
>>
>> The frame size should not be less than or equal to 4 and should not
>> exceed 11454.
>>
>> Discard the frame if any of these checks fail.
>>
>> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221286
>> Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
>
> Acked-by: Ping-Ke Shih <pkshih@realtek.com>
>
> [...]
>
>> diff --git a/drivers/net/wireless/realtek/rtw88/rx.c b/drivers/net/wireless/realtek/rtw88/rx.c
>> index d9e11343d498..65f6db3d7fcb 100644
>> --- a/drivers/net/wireless/realtek/rtw88/rx.c
>> +++ b/drivers/net/wireless/realtek/rtw88/rx.c
>> @@ -3,6 +3,7 @@
>> */
>>
>> #include "main.h"
>> +#include "mac.h"
>> #include "rx.h"
>> #include "ps.h"
>> #include "debug.h"
>> @@ -261,9 +262,9 @@ static void rtw_rx_fill_rx_status(struct rtw_dev *rtwdev,
>> }
>> }
>>
>> -void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
>> - struct rtw_rx_pkt_stat *pkt_stat,
>> - struct ieee80211_rx_status *rx_status)
>> +int rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
>> + struct rtw_rx_pkt_stat *pkt_stat,
>> + struct ieee80211_rx_status *rx_status)
>> {
>> u32 desc_sz = rtwdev->chip->rx_pkt_desc_sz;
>> struct rtw_rx_desc *rx_desc = rx_desc8;
>> @@ -303,12 +304,25 @@ void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
>> pkt_stat->bw = RTW_CHANNEL_WIDTH_20;
>
> Do you think if we should return -EINVAL for this case too?
>
Yes. What do we do with the debug message? Should the other
conditions also have a debug message?
>> }
>>
>> + if (unlikely(pkt_stat->drv_info_sz &&
>> + pkt_stat->drv_info_sz != PHY_STATUS_SIZE))
>> + return -EINVAL;
>> +
>> + if (unlikely(pkt_stat->phy_status && !pkt_stat->drv_info_sz))
>> + return -EINVAL;
>> +
>> + if (unlikely(pkt_stat->pkt_len > IEEE80211_MAX_MPDU_LEN_VHT_11454))
>> + return -EINVAL;
>> +
>> /* drv_info_sz is in unit of 8-bytes */
>> pkt_stat->drv_info_sz *= 8;
>>
>> /* c2h cmd pkt's rx/phy status is not interested */
>> if (pkt_stat->is_c2h)
>> - return;
>> + return 0;
>> +
>> + if (unlikely(pkt_stat->pkt_len <= FCS_LEN))
>> + return -EINVAL;
>>
>> phy_status = rx_desc8 + desc_sz + pkt_stat->shift;
>> hdr = phy_status + pkt_stat->drv_info_sz;
>
> [...]
>
* RE: [PATCH rtw-next] wifi: rtw88: Add more validation for the RX descriptor
2026-05-19 17:59 ` Bitterblue Smith
@ 2026-05-20 1:45 ` Ping-Ke Shih
0 siblings, 0 replies; 5+ messages in thread
From: Ping-Ke Shih @ 2026-05-20 1:45 UTC (permalink / raw)
To: Bitterblue Smith, linux-wireless@vger.kernel.org
Cc: LB F, Martin Blumenstingl, Fiona Klute,
andrej.skvortzov@gmail.com, anarsoul@gmail.com, Zhen XIN
Bitterblue Smith <rtl8821cerfe2@gmail.com> wrote:
> On 18/05/2026 11:14, Ping-Ke Shih wrote:
> > Bitterblue Smith <rtl8821cerfe2@gmail.com> wrote:
> >> Some RTL8821CE cards can return frames with corrupted RX descriptor,
> >> causing warnings and crashes if they are passed to the upper layers.
> >
> > Not sure if this is the reason Larry uploaded a copy of vendor driver
> > to his repository [1].
> >
>
> He added it for someone whose wifi card sometimes wasn't powering on:
>
> https://github.com/lwfinger/rtw88/issues/98#issuecomment-1263962943
>
> > Recently, we received vulnerability report of rtw_mp_efuse_set() in
> > vendor driver. I'd like to know if people are still using the vendor
> > driver [1]. If not, is it possible to remove it? If people still need it,
> > I will share the fix made by our internal later.
> >
> > [1] https://github.com/lwfinger/rtw88/tree/master/alt_rtl8821ce
> >
>
> We haven't been updating it for the kernel API changes, so I think we
> can remove it.
Agreed, since current users don't report the power-on issue with rtw88.
If the problem appears again, we can spend time digging into the differences
in the power-on sequence between the vendor driver and rtw88.
>
> >>
> >> The PHY status size field is 4 bits wide, but in rtw88 its value should
> >> only be 0 or 4. Checking this catches most of the corrupt frames.
> >>
> >> If a PHY status is present, the PHY status size should not be 0.
> >>
> >> The frame size should not be less than or equal to 4 and should not
> >> exceed 11454.
> >>
> >> Discard the frame if any of these checks fail.
> >>
> >> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221286
> >> Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
> >
> > Acked-by: Ping-Ke Shih <pkshih@realtek.com>
> >
> > [...]
> >
> >> diff --git a/drivers/net/wireless/realtek/rtw88/rx.c b/drivers/net/wireless/realtek/rtw88/rx.c
> >> index d9e11343d498..65f6db3d7fcb 100644
> >> --- a/drivers/net/wireless/realtek/rtw88/rx.c
> >> +++ b/drivers/net/wireless/realtek/rtw88/rx.c
> >> @@ -3,6 +3,7 @@
> >> */
> >>
> >> #include "main.h"
> >> +#include "mac.h"
> >> #include "rx.h"
> >> #include "ps.h"
> >> #include "debug.h"
> >> @@ -261,9 +262,9 @@ static void rtw_rx_fill_rx_status(struct rtw_dev *rtwdev,
> >> }
> >> }
> >>
> >> -void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
> >> - struct rtw_rx_pkt_stat *pkt_stat,
> >> - struct ieee80211_rx_status *rx_status)
> >> +int rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
> >> + struct rtw_rx_pkt_stat *pkt_stat,
> >> + struct ieee80211_rx_status *rx_status)
> >> {
> >> u32 desc_sz = rtwdev->chip->rx_pkt_desc_sz;
> >> struct rtw_rx_desc *rx_desc = rx_desc8;
> >> @@ -303,12 +304,25 @@ void rtw_rx_query_rx_desc(struct rtw_dev *rtwdev, void *rx_desc8,
> >> pkt_stat->bw = RTW_CHANNEL_WIDTH_20;
> >
> > Do you think if we should return -EINVAL for this case too?
> >
>
> Yes. What do we do with the debug message? Should the other
> conditions also have a debug message?
Personally I'd remove the debug message. If you think they are helpful to
dig problems (for unconsidered corner cases), it is fine to me to add
a message for each condition.
I suppose you will send a new patch, and I'll wait for v2.
>
> >> }
> >>
> >> + if (unlikely(pkt_stat->drv_info_sz &&
> >> + pkt_stat->drv_info_sz != PHY_STATUS_SIZE))
> >> + return -EINVAL;
> >> +
> >> + if (unlikely(pkt_stat->phy_status && !pkt_stat->drv_info_sz))
> >> + return -EINVAL;
> >> +
> >> + if (unlikely(pkt_stat->pkt_len > IEEE80211_MAX_MPDU_LEN_VHT_11454))
> >> + return -EINVAL;
> >> +
> >> /* drv_info_sz is in unit of 8-bytes */
> >> pkt_stat->drv_info_sz *= 8;
> >>
> >> /* c2h cmd pkt's rx/phy status is not interested */
> >> if (pkt_stat->is_c2h)
> >> - return;
> >> + return 0;
> >> +
> >> + if (unlikely(pkt_stat->pkt_len <= FCS_LEN))
> >> + return -EINVAL;
> >>
> >> phy_status = rx_desc8 + desc_sz + pkt_stat->shift;
> >> hdr = phy_status + pkt_stat->drv_info_sz;
> >
> > [...]
> >