[PATCH v3 0/5] wifi: rsi: firmware trust boundary hardening

Next message: Tiezhu Yang: "Re: [PATCH v3 0/5] LoongArch: BPF: Support more atomic instructions"
Previous message: Stephan Gerhold: "Re: [PATCH 2/2] remoteproc: qcom: Check glink-&gt;edge in glink_subdev_stop()"
Next in thread: Tristan Madani: "[PATCH v3 5/5] wifi: rsi: fix OOB read from firmware offset field in SDIO RX path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Tue Apr 21 2026 - 09:50:48 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

This series adds missing bounds checks for firmware-controlled fields
in the RSI 91x driver (rsi_91x_main.c, rsi_91x_core.c, rsi_91x_mgmt.c).

Each patch addresses a specific field that the firmware can set to an
out-of-range value, causing OOB reads or infinite loops in the host
driver.

Changes in v3:
- Regenerated from wireless-next with proper git format-patch to
produce valid index hashes and clean diffs (v2 had post-processed
index lines that prevented git-am application).

Changes in v2:
- Clarify firmware trust model in commit messages.

Tristan Madani (5):
wifi: rsi: fix integer underflow from firmware extended_desc in
rsi_prepare_skb()
wifi: rsi: fix OOB read from firmware-claimed length exceeding actual
frame size
wifi: rsi: fix OOB read from firmware pad_bytes in management RX path
wifi: rsi: fix infinite loop when firmware sends zero-length packet
wifi: rsi: fix OOB read from firmware offset field in SDIO RX path

drivers/net/wireless/rsi/rsi_91x_main.c | 20 ++++++++++++++++++++
drivers/net/wireless/rsi/rsi_91x_mgmt.c | 6 ++++++
2 files changed, 26 insertions(+)

--
2.47.3