Re: [PATCH v4] staging: rtl8723bs: fix unchecked return value of skb_copy_bits

Next message: Paul E. McKenney: "Re: [next-20260120] KASAN: maybe wild-memory-access in select_task_rq_fair"
Previous message: Zhu Yanjun: "Re: [PATCH] RDMA/rxe: Fix race condition in QP timer handlers"
In reply to: Minu Jin: "[PATCH v4] staging: rtl8723bs: fix unchecked return value of skb_copy_bits"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg KH

Date: Wed Jan 21 2026 - 00:05:58 EST

On Wed, Jan 21, 2026 at 11:33:12AM +0900, Minu Jin wrote:
> The function _rtw_pktfile_read() incorrectly updated the file pointer
> even when skb_copy_bits() failed.
>
> This patch fixes the issue by:
>
> 1. Propagating the negative error code from skb_copy_bits() if
> it fails, preventing internal pointer updates.
>
> 2. Updating all callers (including set_qos) to check the return value
> and handle errors appropriately.
>
> Signed-off-by: Minu Jin <s9430939@xxxxxxxxx>
> ---
> Changes in v4:
> - Modify _rtw_pktfile_read() to return -EINVAL if the remaining data
> is less than the requested length (suggested by Greg KH).

You do a lot more than just that in that function change.

This needs to be a patch series, each only doing one logical thing.
Please break it up into multiple changes, because as-is, this is hard to
review and verify it is correct.

Also, have you tested this on real hardware?

> -uint _rtw_pktfile_read(struct pkt_file *pfile, u8 *rmem, uint rlen)
> +int _rtw_pktfile_read(struct pkt_file *pfile, u8 *rmem, unsigned int rlen)
> {
> - uint len = 0;
> + int ret;
>
> - len = rtw_remainder_len(pfile);
> - len = (rlen > len) ? len : rlen;
> + if (rtw_remainder_len(pfile) < rlen)
> + return -EINVAL;

Why change the logic here? Are you sure it is correct? Why not
document that in the changelog?

thanks,

greg k-h