wifi: rtl8xxxu: fix potential use of uninitialized value
authorYi Cong <yicong@kylinos.cn>
Fri, 6 Mar 2026 07:16:27 +0000 (15:16 +0800)
committerPing-Ke Shih <pkshih@realtek.com>
Mon, 16 Mar 2026 05:50:19 +0000 (13:50 +0800)
The local variables 'mcs' and 'nss' in rtl8xxxu_update_ra_report() are
passed to rtl8xxxu_desc_to_mcsrate() as output parameters. If the helper
function encounters an unhandled rate index, it may return without setting
these values, leading to the use of uninitialized stack data.

Remove the helper rtl8xxxu_desc_to_mcsrate() and inline the logic into
rtl8xxxu_update_ra_report(). This fixes the use of uninitialized 'mcs'
and 'nss' variables for legacy rates.

The new implementation explicitly handles:
- Legacy rates: Set bitrate only.
- HT rates (MCS0-15): Set MCS flags, index, and NSS (1 or 2) directly.
- Invalid rates: Return early.

Fixes: 7de16123d9e2 ("wifi: rtl8xxxu: Introduce rtl8xxxu_update_ra_report")
Cc: stable@vger.kernel.org
Suggested-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Yi Cong <yicong@kylinos.cn>
Link: https://lore.kernel.org/all/96e31963da0c42dcb52ce44f818963d7@realtek.com/
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260306071627.56501-1-cong.yi@linux.dev
drivers/net/wireless/realtek/rtl8xxxu/core.c

index b4efc6f00a379ae1ff5b056fefafaaa4083abd0e..d1b1474cba6771268135d4a19feaddc985061c2d 100644 (file)
@@ -4697,20 +4697,6 @@ static const struct ieee80211_rate rtl8xxxu_legacy_ratetable[] = {
        {.bitrate = 540, .hw_value = 0x0b,},
 };
 
-static void rtl8xxxu_desc_to_mcsrate(u16 rate, u8 *mcs, u8 *nss)
-{
-       if (rate <= DESC_RATE_54M)
-               return;
-
-       if (rate >= DESC_RATE_MCS0 && rate <= DESC_RATE_MCS15) {
-               if (rate < DESC_RATE_MCS8)
-                       *nss = 1;
-               else
-                       *nss = 2;
-               *mcs = rate - DESC_RATE_MCS0;
-       }
-}
-
 static void rtl8xxxu_set_basic_rates(struct rtl8xxxu_priv *priv, u32 rate_cfg)
 {
        struct ieee80211_hw *hw = priv->hw;
@@ -4820,23 +4806,25 @@ static void rtl8xxxu_set_aifs(struct rtl8xxxu_priv *priv, u8 slot_time)
 void rtl8xxxu_update_ra_report(struct rtl8xxxu_ra_report *rarpt,
                               u8 rate, u8 sgi, u8 bw)
 {
-       u8 mcs, nss;
-
        rarpt->txrate.flags = 0;
 
        if (rate <= DESC_RATE_54M) {
                rarpt->txrate.legacy = rtl8xxxu_legacy_ratetable[rate].bitrate;
-       } else {
-               rtl8xxxu_desc_to_mcsrate(rate, &mcs, &nss);
+       } else if (rate >= DESC_RATE_MCS0 && rate <= DESC_RATE_MCS15) {
                rarpt->txrate.flags |= RATE_INFO_FLAGS_MCS;
+               if (rate < DESC_RATE_MCS8)
+                       rarpt->txrate.nss = 1;
+               else
+                       rarpt->txrate.nss = 2;
 
-               rarpt->txrate.mcs = mcs;
-               rarpt->txrate.nss = nss;
+               rarpt->txrate.mcs = rate - DESC_RATE_MCS0;
 
                if (sgi)
                        rarpt->txrate.flags |= RATE_INFO_FLAGS_SHORT_GI;
 
                rarpt->txrate.bw = bw;
+       } else {
+               return;
        }
 
        rarpt->bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
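Review bot: The new `else { return; }` branch runs after `rarpt->txrate.flags = 0;` at the top of rtl8xxxu_update_ra_report(), so an out-of-range rate index leaves the report half-updated: the flags are cleared while `txrate.legacy`/`mcs`/`nss`/`bw` and `bit_rate` keep whatever the previous call stored. Since the rate index presumably originates from a device report, it would be safer to reject it before touching `rarpt`, e.g. `if (rate > DESC_RATE_MCS15) return;` ahead of the flags reset (assuming the legacy and MCS ranges are contiguous, which this hunk does not show), or at least to move the flags reset into the two handled branches. A short comment on the early return, such as `/* unknown rate index: keep the previous report */`, would also document that the silent drop is intended. The function body continues past the end of this hunk.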