From: Joshua Klinesmith
To: nbd@nbd.name, lorenzo@kernel.org, ryder.lee@mediatek.com
Cc: shayne.chen@mediatek.com, sean.wang@mediatek.com, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Joshua Klinesmith, stable@vger.kernel.org
Subject: [PATCH 1/2] wifi: mt76: mt7915: validate WCID index before WTBL lookup
Date: Mon, 6 Apr 2026 14:44:05 -0400
Message-ID: <20260406184406.8152-2-joshuaklinesmith@gmail.com>
In-Reply-To: <20260406184406.8152-1-joshuaklinesmith@gmail.com>
References: <20260406184406.8152-1-joshuaklinesmith@gmail.com>
Content-Transfer-Encoding: quoted-printable

The mt7915 driver does not validate WCID indices extracted from hardware TX free events and TX status reports before using them for WTBL MMIO register accesses. The hardware WCID field is 10 bits wide (max 1023) but actual WTBL capacity is only 288 (MT7915) or 544 (MT7916). An out-of-range index causes mt7915_mac_wtbl_lmac_addr() to compute an invalid MMIO address, leading to a kernel data abort:

  Unable to handle kernel paging request at virtual address ffffff88d5ab0010

The mt7615, mt7921, and mt7925 drivers already validate WCID indices against their WTBL size before use. Add the same bounds checks in mt7915_mac_tx_free() and mt7915_mac_add_txs().

Fixes: c17780e7b21e ("mt76: mt7915: add txfree event v3")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith
--- drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7915/mac.c index cec2c4208255..0acada48824f 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c 
@@ -901,6 +901,9 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, = int len) u16 idx; =20 idx =3D FIELD_GET(MT_TX_FREE_WLAN_ID, info); + if (idx >=3D mt7915_wtbl_size(dev)) + continue; + wcid =3D mt76_wcid_ptr(dev, idx); sta =3D wcid_to_sta(wcid); if (!sta) 
@@ -992,6 +995,9 @@ static void mt7915_mac_add_txs(struct mt7915_dev *dev, = void *data) u8 pid; =20 wcidx =3D le32_get_bits(txs_data[2], MT_TXS2_WCID); + if (wcidx >=3D mt7915_wtbl_size(dev)) + return; + pid =3D le32_get_bits(txs_data[3], MT_TXS3_PID); =20 if (pid < MT_PACKET_ID_WED) --=20 2.43.0

From: Joshua Klinesmith
To: nbd@nbd.name, lorenzo@kernel.org, ryder.lee@mediatek.com
Cc: shayne.chen@mediatek.com, sean.wang@mediatek.com, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Joshua Klinesmith, stable@vger.kernel.org
Subject: [PATCH 2/2] wifi: mt76: mt7996: validate WCID index before WTBL lookup
Date: Mon, 6 Apr 2026 14:44:06 -0400
Message-ID: <20260406184406.8152-3-joshuaklinesmith@gmail.com>
In-Reply-To: <20260406184406.8152-1-joshuaklinesmith@gmail.com>
References: <20260406184406.8152-1-joshuaklinesmith@gmail.com>
Content-Transfer-Encoding: quoted-printable

Same class of bug as mt7915: the mt7996 driver does not validate WCID indices from TX free events or TX status reports before WTBL lookups. An out-of-range WCID causes invalid MMIO accesses leading to a kernel data abort.

Add bounds checks in mt7996_mac_tx_free() and mt7996_mac_add_txs() to match the pattern used by mt7615, mt7921, and mt7925 drivers.

Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith --- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7996/mac.c index e2a83da3a09c..ea775029125d 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c @@ -1327,6 +1327,9 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data= , int len) u16 idx; =20 idx =3D FIELD_GET(MT_TXFREE_INFO_WLAN_ID, info); + if (idx >=3D mt7996_wtbl_size(dev)) + goto next; + wcid =3D mt76_wcid_ptr(dev, idx); sta =3D wcid_to_sta(wcid); if (!sta) { @@ -1563,6 +1566,9 @@ static void mt7996_mac_add_txs(struct mt7996_dev *dev= , void *data) u8 pid; =20 wcidx =3D le32_get_bits(txs_data[2], MT_TXS2_WCID); + if (wcidx >=3D mt7996_wtbl_size(dev)) + return; + pid =3D le32_get_bits(txs_data[3], MT_TXS3_PID); =20 if (pid < MT_PACKET_ID_NO_SKB) --=20 2.43.0
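Review bot: in the mt7915_mac_tx_free() hunk of 1/2, the new `continue` runs before `wcid = mt76_wcid_ptr(dev, idx)` and `sta = wcid_to_sta(wcid)`, and neither variable is declared inside the visible block, so both keep the values left by the previous pair entry when an index is rejected. If later iterations consume `wcid` or `sta` for the entries that follow this header, they would be accounted against the wrong station. Consider clearing both before the `continue` (for example `wcid = NULL; sta = NULL;`), or state in the commit message why the stale values cannot be used.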
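Review bot: in the mt7915_mac_add_txs() hunk of 1/2, the bare `return` on `wcidx >= mt7915_wtbl_size(dev)` drops the status report with no trace, so hardware or firmware that keeps reporting out-of-range indices becomes invisible once the crash is gone. A rate-limited message or a debug counter at this point would keep the condition observable; the same applies to the mt7996_mac_add_txs() hunk in 2/2. Since the check is now duplicated in two functions per driver, a small helper per driver would also keep the bound in one place.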
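Review bot: in the mt7996_mac_tx_free() hunk of 2/2, the new `goto next` jumps past the assignments to `wcid` and `sta` and also past the existing `if (!sta) {` branch, which opens a block and therefore does more than jump. Whatever that block resets for an unknown station is left stale when the index is out of range, and the `next` label itself is outside the hunk, so the skipped work cannot be judged from the patch alone. Routing the out-of-range case through the existing `!sta` path (treating it as "no station") would keep a single cleanup path; otherwise please describe in the commit message what `next` does and why skipping the reset is safe.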