kernel/linux.git/drivers/staging/rtl8723bs, branch v6.18.22

staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie

2026-03-19T15:08:36+00:00

commit a75281626fc8fa6dc6c9cc314ee423e8bc45203b upstream. The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable Signed-off-by: Luka Gejak Reviewed-by: Dan Carpenter Link: https://patch.msgid.link/20260224132647.11642-2-luka.gejak@linux.dev Signed-off-by: Greg Kroah-Hartman

staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()

2026-03-19T15:08:35+00:00

commit f0109b9d3e1e455429279d602f6276e34689750a upstream. Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser"), we don't trust the data in the frame so we should check the length better before acting on it Cc: stable Assisted-by: gkh_clanker_2000 Tested-by: Navaneeth K Reviewed-by: Navaneeth K Link: https://patch.msgid.link/2026022336-arrange-footwork-6e54@gregkh Signed-off-by: Greg Kroah-Hartman

staging: rtl8723bs: fix null dereference in find_network

2026-03-04T12:21:25+00:00

[ Upstream commit 41460a19654c32d39fd0e3a3671cd8d4b7b8479f ] The variable pwlan has the possibility of being NULL when passed into rtw_free_network_nolock() which would later dereference the variable. Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Cc: stable@vger.kernel.org Signed-off-by: Ethan Tidmore Link: https://patch.msgid.link/20260202205429.20181-1-ethantidmore06@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

staging: rtl8723bs: fix memory leak on failure path

2026-03-04T12:20:35+00:00

[ Upstream commit abe850d82c8cb72d28700673678724e779b1826e ] cfg80211_inform_bss_frame() may return NULL on failure. In that case, the allocated buffer 'buf' is not freed and the function returns early, leading to potential memory leak. Fix this by ensuring that 'buf' is freed on both success and failure paths. Signed-off-by: Diksha Kumari Reviewed-by: Mukesh Kumar Chaurasiya Link: https://patch.msgid.link/20260113091712.7071-1-dikshakdevgan@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure

2026-03-04T12:20:32+00:00

[ Upstream commit 618b4aec12faabc7579a6b0df046842d798a4c7c ] The return value of sdio_alloc_irq() was not stored in status. If sdio_alloc_irq() fails after rtw_drv_register_netdev() succeeds, status remains _SUCCESS and the error path skips resource cleanup, while rtw_drv_init() still returns success. Store the return value of sdio_alloc_irq() in status and reuse the existing error handling which relies on status. Reviewed-by: fanggeng Signed-off-by: Liang Jie Link: https://patch.msgid.link/20251208092730.262499-1-buaajxlj@163.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing

2025-12-12T17:42:47+00:00

commit 502ddcc405b69fa92e0add6c1714d654504f6fd7 upstream. The Extended Supported Rates (ESR) IE handling in OnBeacon accessed *(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these offsets lie within the received frame buffer. A malformed beacon with an ESR IE positioned at the end of the buffer could cause an out-of-bounds read, potentially triggering a kernel panic. Add a boundary check to ensure that the ESR IE body and the subsequent bytes are within the limits of the frame before attempting to access them. This prevents OOB reads caused by malformed beacon frames. Signed-off-by: Navaneeth K Cc: stable Signed-off-by: Greg Kroah-Hartman

staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing

2025-12-12T17:42:47+00:00

commit 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 upstream. The Supported Rates IE length from an incoming Association Request frame was used directly as the memcpy() length when copying into a fixed-size 16-byte stack buffer (supportRate). A malicious station can advertise an IE length larger than 16 bytes, causing a stack buffer overflow. Clamp ie_len to the buffer size before copying the Supported Rates IE, and correct the bounds check when merging Extended Supported Rates to prevent a second potential overflow. This prevents kernel stack corruption triggered by malformed association requests. Signed-off-by: Navaneeth K Cc: stable Signed-off-by: Greg Kroah-Hartman

staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser

2025-12-12T17:42:47+00:00

commit 154828bf9559b9c8421fc2f0d7f7f76b3683aaed upstream. The Information Element (IE) parser rtw_get_ie() trusted the length byte of each IE without validating that the IE body (len bytes after the 2-byte header) fits inside the remaining frame buffer. A malformed frame can advertise an IE length larger than the available data, causing the parser to increment its pointer beyond the buffer end. This results in out-of-bounds reads or, depending on the pattern, an infinite loop. Fix by validating that (offset + 2 + len) does not exceed the limit before accepting the IE or advancing to the next element. This prevents OOB reads and ensures the parser terminates safely on malformed frames. Signed-off-by: Navaneeth K Cc: stable Signed-off-by: Greg Kroah-Hartman

Merge tag 'staging-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

2025-10-04T23:17:14+00:00

Pull staging driver updates from Greg KH: "Here is the 'big' set of staging driver changes for 6.18-rc1. Nothing really exciting in here they pretty much consist of: - minor coding style changes and cleanups - some api layer removals where not needed Overall a quiet development cycle. All have been in linux-next for a while with no reported issues" * tag 'staging-6.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (63 commits) staging: rtl8723bs: xmit: rephrase comment and drop extra space staging: sm750fb: rename camel case variable staging: rtl8723bs: hal: put return type and function name on one line staging: rtl8723bs: fix typo in comment staging: sm750fb: rename snake case variables staging: sm750fb: remove unnecessary volatile qualifiers staging: rtl8723bs: rtw_efuse.h: simplify copyright banner staging: rtl8723bs: remove unused tables staging: rtl8723bs: Hal_EfuseParseAntennaDiversity_8723B is empty staging: rtl8723bs: remove REG_EFUSE_ACCESS_8723 and EFUSE_ACCESS_ON_8723 staging: rtl8723bs: remove bWrite from Hal_EfusePowerSwitch staging: rtl8723bs: remove wrapper Efuse_PowerSwitch staging: octeon: Clean up dead code in ethernet-tx.c staging: rtl8723bs: fix fortify warnings by using struct_group staging: gpib: use int type to store negative error codes staging: rtl8723bs: remove include/recv_osdep.h staging: rtl8723bs: remove os_dep/recv_linux.c staging: rtl8723bs: rename rtw_os_recv_indicate_pkt staging: rtl8723bs: move rtw_os_recv_indicate_pkt to rtw_recv.c staging: rtl8723bs: rename rtw_os_alloc_msdu_pkt ...

staging: rtl8723bs: xmit: rephrase comment and drop extra space

2025-09-17T10:15:33+00:00

Rephrase the comment to avoid the "number of" construction and remove an extra leading space. Signed-off-by: Akiyoshi Kurita Link: https://lore.kernel.org/r/20250917063729.1450525-1-weibu@redadmin.org Signed-off-by: Greg Kroah-Hartman