From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Bitterblue Smith <rtl8821cerfe2@gmail.com>,
Ping-Ke Shih <pkshih@realtek.com>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org
Subject: [PATCH AUTOSEL 6.19-6.12] wifi: rtw88: Fix inadvertent sharing of struct ieee80211_supported_band data
Date: Sat, 14 Feb 2026 16:23:00 -0500 [thread overview]
Message-ID: <20260214212452.782265-35-sashal@kernel.org> (raw)
In-Reply-To: <20260214212452.782265-1-sashal@kernel.org>
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit fcac0f23d4d20b11014a39f8e2527cdc12ec9c82 ]
Internally wiphy writes to individual channels in this structure,
so we must not share one static definition of channel list between
multiple device instances, because that causes hard to debug
breakage.
For example, with two rtw88 driven devices in the system, channel
information may get incoherent, preventing channel use.
Copied from commit 0ae36391c804 ("wifi: rtw89: Fix inadverent sharing
of struct ieee80211_supported_band data").
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/e94ad653-2b6d-4284-a33c-8c694f88955b@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
This is a relevant finding: `devm_kmemdup_array()` was introduced in
v6.15 cycle (February 2025). This means for older stable trees (6.12.y,
6.6.y, 6.1.y, 5.15.y), this function won't exist and the backport would
need adaptation. However, this is a minor concern - it can be replaced
with `devm_kmemdup()` with a manual size calculation.
### 6. USER IMPACT
- **Affected users:** Anyone with two or more rtw88 WiFi adapters in
their system (e.g., RTL8822CE + RTL8821CE, or built-in + USB adapter)
- **Symptom:** Channel information becomes corrupt; certain WiFi
channels become unusable
- **Severity:** Medium-High. WiFi connectivity issues are significant
for users
- **Driver popularity:** rtw88 supports many common Realtek WiFi chips
(RTL8822BE, RTL8822CE, RTL8821CE, RTL8723DE) found in many laptops
### 7. DEPENDENCY CHECK
The main dependency concern is `devm_kmemdup_array()`, which was added
in v6.15. For older stable trees, this would need to be adapted
(trivially, by using `devm_kmemdup()` with `sband->n_channels *
sizeof(*sband->channels)` manually). The rest of the code is standard
and should exist in all stable trees that have the rtw88 driver.
### Summary
**What it fixes:** Data corruption bug where multiple rtw88 WiFi device
instances share the same static channel/bitrate arrays through shallow
copying. When one device's wiphy modifies channel data, it corrupts the
other device's data.
**Stable criteria met:**
- Obviously correct (deep copy instead of shallow copy)
- Fixes a real bug (channel data corruption with multiple devices)
- Small and contained (~30 new lines in one file)
- No new features
- Already proven pattern (same fix in rtw89)
- Acked by Realtek maintainer
**Risk:** Very low. The change only affects rtw88 driver initialization,
uses standard kernel APIs, and devres handles cleanup automatically.
**Concern:** `devm_kmemdup_array()` may need adaptation for older stable
trees, but this is a trivial mechanical change.
**YES**
drivers/net/wireless/realtek/rtw88/main.c | 34 +++++++++++++++++++----
1 file changed, 29 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 2004d714530a3..e1de638164862 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -1658,16 +1658,41 @@ static u16 rtw_get_max_scan_ie_len(struct rtw_dev *rtwdev)
return len;
}
+static struct ieee80211_supported_band *
+rtw_sband_dup(struct rtw_dev *rtwdev,
+ const struct ieee80211_supported_band *sband)
+{
+ struct ieee80211_supported_band *dup;
+
+ dup = devm_kmemdup(rtwdev->dev, sband, sizeof(*sband), GFP_KERNEL);
+ if (!dup)
+ return NULL;
+
+ dup->channels = devm_kmemdup_array(rtwdev->dev, sband->channels,
+ sband->n_channels,
+ sizeof(*sband->channels),
+ GFP_KERNEL);
+ if (!dup->channels)
+ return NULL;
+
+ dup->bitrates = devm_kmemdup_array(rtwdev->dev, sband->bitrates,
+ sband->n_bitrates,
+ sizeof(*sband->bitrates),
+ GFP_KERNEL);
+ if (!dup->bitrates)
+ return NULL;
+
+ return dup;
+}
+
static void rtw_set_supported_band(struct ieee80211_hw *hw,
const struct rtw_chip_info *chip)
{
struct ieee80211_supported_band *sband;
struct rtw_dev *rtwdev = hw->priv;
- struct device *dev = rtwdev->dev;
if (chip->band & RTW_BAND_2G) {
- sband = devm_kmemdup(dev, &rtw_band_2ghz, sizeof(*sband),
- GFP_KERNEL);
+ sband = rtw_sband_dup(rtwdev, &rtw_band_2ghz);
if (!sband)
goto err_out;
if (chip->ht_supported)
@@ -1676,8 +1701,7 @@ static void rtw_set_supported_band(struct ieee80211_hw *hw,
}
if (chip->band & RTW_BAND_5G) {
- sband = devm_kmemdup(dev, &rtw_band_5ghz, sizeof(*sband),
- GFP_KERNEL);
+ sband = rtw_sband_dup(rtwdev, &rtw_band_5ghz);
if (!sband)
goto err_out;
if (chip->ht_supported)
--
2.51.0
next prev parent reply other threads:[~2026-02-14 21:25 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-14 21:22 [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: ser: enable error IMR after recovering from L1 Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] wifi: ath11k: Fix failure to connect to a 6 GHz AP Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.10] myri10ge: avoid uninitialized variable use Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.1] wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode() Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: 8922a: add digital compensation for 2GHz Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: iwlwifi: mld: Handle rate selection for NAN interface Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: pci: validate sequence number of TX release report Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.1] net: mctp-i2c: fix duplicate reception of old data Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.15] net: hns3: extend HCLGE_FD_AD_QID to 11 bits Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.10] wifi: iwlegacy: add missing mutex protection in il4965_store_tx_power() Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.6] wifi: rtw88: rtw8821cu: Add ID for Mercusys MU6H Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.6] dm: replace -EEXIST with -EBUSY Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] driver core: faux: stop using static struct device Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] net: wwan: mhi: Add network support for Foxconn T99W760 Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: Add support for MSI AX1800 Nano (GUAX18N) Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: mcc: reset probe counter when receiving beacon Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.10] net/rds: Clear reconnect pending bit Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.10] net: usb: r8152: fix transmit queue timeout Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] PCI/bwctrl: Disable BW controller on Intel P45 using a quirk Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: setting TBTT AGG number when mac port initialization Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.10] netfilter: nf_conntrack: Add allow_clash to generic protocol handler Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: disable EHT protocol by chip capabilities Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] ipv6: annotate data-races over sysctl.flowlabel_reflect Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.10] iommu/arm-smmu-v3: Improve CMDQ lock fairness and efficiency Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.1] gro: change the BUG_ON() in gro_pull_from_frag0() Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.10] wifi: ath10k: fix lock protection in ath10k_wmi_event_peer_sta_ps_state_chg() Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] wifi: iwlwifi: mld: Fix primary link selection logic Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] wifi: cfg80211: allow only one NAN interface, also in multi radio Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] PCI: dwc: Skip PME_Turn_Off broadcast and L2/L3 transition during suspend if link is not up Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.6] wifi: ath12k: fix preferred hardware mode calculation Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.1] wifi: rtw88: fix DTIM period handling when conf->dtim_period is zero Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.18] Bluetooth: hci_qca: Fix SSR (SubSystem Restart) fail when BT_EN is pulled up by hw Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: mac: correct page number for CSI response Sasha Levin
2026-02-14 21:22 ` [PATCH AUTOSEL 6.19-5.15] ipv6: exthdrs: annotate data-race over multiple sysctl Sasha Levin
2026-02-14 21:23 ` Sasha Levin [this message]
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19] wifi: rtw89: 8852au: add support for TP TX30U Plus Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] PCI: Mark Nvidia GB10 to avoid bus reset Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.6] wifi: ath11k: add pm quirk for Thinkpad Z13/Z16 Gen1 Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] Bluetooth: btusb: Add USB ID 0489:e112 for Realtek 8851BE Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] Bluetooth: btusb: Add support for MediaTek7920 0489:e158 Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19] wifi: rtw89: Add default ID 28de:2432 for RTL8832CU Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: ath12k: fix mac phy capability parsing Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.1] wifi: rtw89: pci: restore LDO setting after device resume Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] ext4: use reserved metadata blocks when splitting extent on endio Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] jfs: Add missing set_freezable() for freezable kthread Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.1] Bluetooth: btusb: Add new VID/PID for RTL8852CE Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] octeontx2-af: Workaround SQM/PSE stalls by disabling sticky Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] vmw_vsock: bypass false-positive Wnonnull warning with gcc-16 Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] wifi: iwlegacy: add missing mutex protection in il3945_store_measurement() Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] PCI: dwc: ep: Cache MSI outbound iATU mapping Sasha Levin
2026-02-16 1:15 ` Koichiro Den
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] nfc: nxp-nci: remove interrupt trigger type Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19] wifi: rtw89: Add support for D-Link VR Air Bridge (DWA-F18) Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.15] PCI/AER: Clear stale errors on reporting agents upon probe Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] dm: remove fake timeout to avoid leak request Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] PCI: Add ACS quirk for Qualcomm Hamoa & Glymur Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19] PCI: cadence: Avoid signed 64-bit truncation and invalid sort Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: iwlwifi: mld: fix chandef start calculation Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.6] ext4: move ext4_percpu_param_init() before ext4_mb_init() Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.6] wifi: rtw89: wow: add reason codes for disassociation in WoWLAN mode Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.15] ipv6: annotate data-races in ip6_multipath_hash_{policy,fields}() Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.6] ipv4: igmp: annotate data-races around idev->mr_maxdelay Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.15] ext4: mark group add fast-commit ineligible Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: iwlwifi: fix 22000 series SMEM parsing Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] net/rds: No shortcut out of RDS_CONN_ERROR Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] ipv6: annotate data-races in net/ipv6/route.c Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.6] wifi: iwlwifi: mvm: check the validity of noa_len Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: fix unable to receive probe responses under MLO connection Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] PCI: Enable ACS after configuring IOMMU for OF platforms Sasha Levin
2026-03-18 8:21 ` Thorsten Leemhuis
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.1] PCI: dw-rockchip: Disable BAR 0 and BAR 1 for Root Port Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: regd: 6 GHz power type marks default when inactive Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19] wifi: cfg80211: treat deprecated INDOOR_SP_AP_OLD control value as LPI mode Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band() Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.6] Bluetooth: hci_conn: Set link_policy on incoming ACL connections Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] wifi: libertas: fix WARNING in usb_tx_block Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] netfilter: xt_tcpmss: check remaining length before reading optlen Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] bnxt_en: Allow ntuple filters for drops Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] ext4: propagate flags to convert_initialized_extent() Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] net: usb: sr9700: remove code to drive nonexistent multicast filter Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] ptp: ptp_vmclock: add 'VMCLOCK' to ACPI device match Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] jfs: nlink overflow in jfs_rename Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] PCI: Mark ASM1164 SATA controller to avoid bus reset Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.15] ext4: mark group extend fast-commit ineligible Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] openrisc: define arch-specific version of nop() Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] PCI: imx6: Add CLKREQ# override to enable REFCLK for i.MX95 PCIe Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.15] fsnotify: Shutdown fsnotify before destroying sb's dcache Sasha Levin
2026-02-15 8:11 ` Amir Goldstein
2026-02-17 10:00 ` Jan Kara
2026-02-26 14:09 ` Sasha Levin
2026-02-26 15:57 ` Jan Kara
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] ipv4: fib: Annotate access to struct fib_alias.fa_state Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] PCI: Fix pci_slot_lock () device locking Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] net: sfp: add quirk for Lantech 8330-265D Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: pci: validate release report content before using for RTL8922DE Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.12] wifi: rtw89: 8922a: set random mac if efuse contains zeroes Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-5.10] Bluetooth: btusb: Add device ID for Realtek RTL8761BU Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] rtla: Fix NULL pointer dereference in actions_parse Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.18] wifi: rtw89: fix potential zero beacon interval in beacon tracking Sasha Levin
2026-02-14 21:23 ` [PATCH AUTOSEL 6.19-6.6] iommu/amd: move wait_on_sem() out of spinlock Sasha Levin
2026-02-16 4:27 ` Ankit Soni
2026-02-14 21:24 ` [PATCH AUTOSEL 6.19-5.10] Bluetooth: hci_conn: use mod_delayed_work for active mode timeout Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260214212452.782265-35-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=pkshih@realtek.com \
--cc=rtl8821cerfe2@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox