From nobody Sun Jun 21 06:29:10 2026 Received: from mail-yw1-f171.google.com (mail-yw1-f171.google.com [209.85.128.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A731B31E844 for ; Mon, 6 Apr 2026 18:46:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775501177; cv=none; b=gU2TjV1TCpfr9orFPZzH29T/QOSEr6viHpNkzdD2yd+yWSKRxTVD12JejevxKVYfIAmuc6iEpx0Loe5MEXz/JbYo0ywAk9OPk8hFwTQHAe7xdQ58VBo+IABltD0BiyAROjgzitOScfHcyafX2y6yDVzUs84R9ewGITODffEp3gs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775501177; c=relaxed/simple; bh=ZdefbzutkFBt/dtGFD2higdSGarS/PWyJySxoH0PB0o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=dMRWjbXeU5/dlqMZ1U12nbYSf9UjV+uez+CwdK7XT+JFPAYeRQXbg5hpZFnbzq8Ybrif4STGpF6TQiCSELC99Y60LPhpff06CXEHrk9wfBcestF5TSkYjQJCCHKj7jVM8es6YyKVEpqnLV4sjtxRwP1CyEvjedk4z56kaG7Qkn4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=CX5kmYEd; arc=none smtp.client-ip=209.85.128.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="CX5kmYEd" Received: by mail-yw1-f171.google.com with SMTP id 00721157ae682-794719afcd4so39318887b3.1 for ; Mon, 06 Apr 2026 11:46:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775501176; x=1776105976; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=7IEu+K66muOe6p5SNvD+q0gXGFioTV+3uz6FputpAJ4=; b=CX5kmYEddQia+xPukq2MSdwqaj144cfb77CPXpnwa/98jgo1ixD/Esa9qpsu3QNr/G TWuzGmZlyvfyIdB4JvXqJOTZiJzAdPeY2tfSLbFHr3rn1YyQ9Cr3/ntuIzI/fOeFve1M yuhHF3WMQBFSk1CmEgdXqm+Q7mfTwM+fZSnYWh0QfbmEWPS48wlQRth63ZZ4lX72Ayqi ndbhEEJXcuIEtgs07m4oI5cg3peEbtzVfWUHxyBWvPE0DUii72XPnu8OFF0GNHrBn1WA Tdz1lietf6uUPmHkSEfZVtArWMduUbWueCsI3Q4qwCACrZKDSqeDagBLgkkBuTm8nxUz 8rRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775501176; x=1776105976; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=7IEu+K66muOe6p5SNvD+q0gXGFioTV+3uz6FputpAJ4=; b=UdVPaLFadKo7wEoVf1H0jKS4XhHW6A8me9wi493pZG9vlyB6D6LJIL/oDcyLcvZwSs ww+NWk4FgCOaDxqMKh2MqnIAfuxi3adUnMCncDqtuU0t9ss/ZwYbiHXbj0xwyYs9sqGV cNKPeXTW4L5kNuOxPjnA0w1vuopaBAK2wT6mUJ301LReo/geqSCiisN3xybJbANqnwol ad+TWXACMKzBRiEWeXB8hwZKdXnxtYtIzWqH1BJO/ut85AuEb3SyGFGjwSNdEhpvZRa/ PRB5ngsIMTM9+UFO1QRNNwfknrenpYMKW8cyjsNQfq45o2tXc7lDeOIhyaWqpXVo/S3H GFwg== X-Forwarded-Encrypted: i=1; AJvYcCWtRGZZ4lD3Y5tOKTjJ7H1cIJmpd2P6StU2JuP50batdBlup2pNo3L/6TlqONSGTRY+xsSeXh+IwtTXJKM=@vger.kernel.org X-Gm-Message-State: AOJu0Yzfa2jtxE759sxrR6y9F1JPWcAIJhXgPnzlHbraIhgbRANs35sl 2fmoynZl6aefac7TUa2BJA7XmDfIKwb6n3t9MbwTQm6ILHe+SY647FI2WTWfP3aK X-Gm-Gg: AeBDiesKhq1G9jLuAIzbOEyFCJFycjBdpmsxMlRyp5OqP04gIcOVC3tPDmiN1jCnq/w QP0bzJhBLEKZASzN+ebXm7lkzFmhWuWMpca67OFICKr58ah68tOjGLvJkrY02MHNfPUEFTqis0j N8rGODQg080Tplf50Rj4GzsADa8Q87+zwnCBM53AV7l5J7O9JmSsROsuqS1xg0McIPnDjZnHAZy QPvchRuXawqa8ZTDSFhUbFffzqLr6KAy3lNqN5tTZ4DJ1XQKGEDWSyly1UQK3TIDgwcpX+57Kz3 9yW267QDPS20RCYak/swy1NF/LWjBsykpNbSIhph8DzT4Qb7IyN8IdfrBPg8kp43hF7mXjqVwW4 fLRLF1jn1lEXGwy5bCQU8QR3BKnDEqsSiQPXgnaFixOoUG3owbniI/L2Qbv9B2xqTQ0JBbBhuxa z5G7AAXl8lMIwMVjx26bMD2mw/rF2q17AcLoL87keJZ0rqWIlOow4KuTTUYWbD X-Received: by 2002:a05:690c:5604:b0:7a4:e4e5:3908 with SMTP id 00721157ae682-7a4e4e54078mr106668847b3.38.1775501175700; Mon, 06 Apr 2026 11:46:15 -0700 (PDT) Received: from DEV.lan (c-75-74-152-49.hsd1.fl.comcast.net. [75.74.152.49]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7a36e8343d3sm56288377b3.16.2026.04.06.11.46.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Apr 2026 11:46:15 -0700 (PDT) From: Joshua Klinesmith To: nbd@nbd.name, lorenzo@kernel.org, ryder.lee@mediatek.com Cc: shayne.chen@mediatek.com, sean.wang@mediatek.com, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Joshua Klinesmith , stable@vger.kernel.org Subject: [PATCH 1/3] wifi: mt76: mt7615: fix DMA read beyond mapped length Date: Mon, 6 Apr 2026 14:45:54 -0400 Message-ID: <20260406184556.8245-2-joshuaklinesmith@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260406184556.8245-1-joshuaklinesmith@gmail.com> References: <20260406184556.8245-1-joshuaklinesmith@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" tx_prepare_skb() overrides buf[1].len to MT_CT_PARSE_LEN (72) for firmware header parsing, but dma_map_single() only maps skb_headlen(skb) bytes. When the SKB is shorter than 72 bytes, the hardware reads past the DMA-mapped region, causing SMMU translation faults on IOMMU-enabled systems. Cap the firmware parse length to the actual DMA-mapped length. Fixes: e90354e0452d ("mt76: mt7615: move core shared code in mt7615-common = module") Cc: stable@vger.kernel.org Signed-off-by: Joshua Klinesmith --- drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c b/drivers/= net/wireless/mediatek/mt76/mt7615/pci_mac.c index 53cb1eed1e4f..dc7128c46a72 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c @@ -35,7 +35,7 @@ mt7615_write_fw_txp(struct mt7615_dev *dev, struct mt76_t= x_info *tx_info, =20 /* pass partial skb header to fw */ tx_info->buf[0].len =3D MT_TXD_SIZE + sizeof(*txp); - tx_info->buf[1].len =3D MT_CT_PARSE_LEN; + tx_info->buf[1].len =3D min_t(u32, MT_CT_PARSE_LEN, tx_info->buf[1].len); tx_info->buf[1].skip_unmap =3D true; tx_info->nbuf =3D MT_CT_DMA_BUF_NUM; =20 --=20 2.43.0 From nobody Sun Jun 21 06:29:10 2026 Received: from mail-yw1-f174.google.com (mail-yw1-f174.google.com [209.85.128.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6A8FE394799 for ; Mon, 6 Apr 2026 18:46:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775501179; cv=none; b=OWxZcqbJ5EpMtJUV+hIb1098316AcA7ordu3rSZfwaq3rHU6yDr5CGVNq8QvizHyepUrhatVAV9UF2zVbrfYNzBGpiQthSQeQ3Gj25XomKcXMelBMi9ONx4YMsdIvaGbLtElI8Gx+pZmeVGRnNueI3KEsSDFb7VOXfA59aiNCjk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775501179; c=relaxed/simple; bh=1BlXWlRN49rlr8956LLGxTQhvicZChrmUTMEfYKLNeU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sfypNrDW09n/46oSN6TOmvRe71wQBHxgRHqCpQqLDqKxhP+8MLnSLBZoNSirrIazmIVj8/UF3Ckizm2VDA7D5wk0qge2Ev+0CR7ybRHy+/23M5rui+AMZXRdML1AI9HSryyVgn0OMwIErNp56OlyMyCsG0m9ICTvgQWBMZY8Z3g= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Zf/dkx2Y; arc=none smtp.client-ip=209.85.128.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Zf/dkx2Y" Received: by mail-yw1-f174.google.com with SMTP id 00721157ae682-7986e538decso42552607b3.1 for ; Mon, 06 Apr 2026 11:46:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775501176; x=1776105976; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=loX0Qy4NihlN+KUtrLsqZhhdHawhctjv5xYILfNriy4=; b=Zf/dkx2Y+KQ1gfePjRUkmcjLJ+d1NvW5qY6GbnVkvqmap3pufd5URfS8nyrLc4JSE0 6Ndce0qTr08zaob6D3Bsj5LfqYGayT6HkUYlG5kYPtCQmJymlxFYvfs28igdmzIXWyFV 7tZaIbfRkh9S37sBnIR5LuyKvqeACDSoObHCPOIaeC0XxQ97HMykl2Fwo0JJRyL+2j7t vgjPRvlBQ5qBfw6pGcayzWs47zxksADpu9AkXcSp22W56bZVuf6SR4491S88CoOFqL1s h4QF5bBkWLWvN5pve0N7LcwGggQZqUeUXx7JgnXi3bsqnGGPXvOWRud2onu+E2coNdyn CmyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775501176; x=1776105976; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=loX0Qy4NihlN+KUtrLsqZhhdHawhctjv5xYILfNriy4=; b=Kf7TsrQzS2qqeyX2q3v1N5a05inXCwCCbm1QKT3yr5d0lX8DSZ0LIitlRJ+A3tFDuC pDTXOxZxbeJABY4fWG4RQE57+h1Oy3rH6m3ruNk7DYdWPCgrUTBNjS7nPS+b1xXi1B52 IpXIGgJ68mEqegzJexIgud4NueYTmAWnM84r+dquXeGEAqcbr61xoBad+w6+3+odBndk pGL1Ayh3nslWV1y3cpSyZrMpMLeHG5FYoIme/DyqXrBTqn2rwv5pTxvKVQQxQoeyuD+W TUmrqUFX9iCPN36LXn+d2hPC9hAcLJ0UnBpfZl6kRD797OgFbqh4pMLeneIIvhv9a2MN yCQw== X-Forwarded-Encrypted: i=1; AJvYcCV+LF/Vjk+l24pOOeYyWUB4TRbSKLWKhXPTiBN1JNSXCLM2DmilhXKEGeaBcSk1ElbBsLT83cVV+ICRMqY=@vger.kernel.org X-Gm-Message-State: AOJu0YxSBqseJe+a1xKccnj4adQqpybgYJBYKU2R3y9al1UhK3TpoeEM kDq4XKGMSgv94UpL3M7fKOWLrx/C7Qw+2HctOeyBMHlRxj/B6E02D65V X-Gm-Gg: AeBDieu91Pr9UsPcp4Y4dSuz7b1js2DtM3sIepUVgtVNwnP9qniHIZROHBGCetje4fc TE7lQw1pCXa8OMk0klzvmkSsMlrlwBsiczDpPC4416rCf1L3CBHlzyU/lP0rUXqjBWeuHBOGuM+ pU2liVu4wTFMl7Ha94IXBaiMNW66b25aL264veyvnN/Fmkz2FEE/Dhn+WKed+2iHbfQOkFAKpZG dsz9YTkgnZWv3jBjnYOw7NhZfLzH6N6ODNRukSg4P4WHS7C4qCu2y05w+hiNrN+rjq/8LQPQLoL LpaMMjh7OuzCCFu+0q5XxBEb3/LLfC4OrZlVa2ZKUpKlDwInXwxeaVEHOTLezPGPHcbOf+g1RE0 sjiOIR66NBtQloyoqQ/rqWa+4UBgmhME8r5txoXWpOnfZVzWpqWJFopxxEq/p/1tcbdZw5eMpVm lq7LP9W05UoZbQmxeTRiHIqRJYfBLTcV0vPKfOIX5BDdltaPCnsC1D0iBC9XW7LCu+fArqmEE= X-Received: by 2002:a05:690c:6891:b0:79b:82a1:645d with SMTP id 00721157ae682-7a4d84c2b0cmr136330457b3.29.1775501176499; Mon, 06 Apr 2026 11:46:16 -0700 (PDT) Received: from DEV.lan (c-75-74-152-49.hsd1.fl.comcast.net. [75.74.152.49]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7a36e8343d3sm56288377b3.16.2026.04.06.11.46.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Apr 2026 11:46:16 -0700 (PDT) From: Joshua Klinesmith To: nbd@nbd.name, lorenzo@kernel.org, ryder.lee@mediatek.com Cc: shayne.chen@mediatek.com, sean.wang@mediatek.com, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Joshua Klinesmith , stable@vger.kernel.org Subject: [PATCH 2/3] wifi: mt76: mt7915: fix DMA read beyond mapped length Date: Mon, 6 Apr 2026 14:45:55 -0400 Message-ID: <20260406184556.8245-3-joshuaklinesmith@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260406184556.8245-1-joshuaklinesmith@gmail.com> References: <20260406184556.8245-1-joshuaklinesmith@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Same bug as mt7615: buf[1].len is overridden to MT_CT_PARSE_LEN (72) but the DMA mapping may cover fewer bytes, causing SMMU faults when hardware reads past the mapped region. Cap the firmware parse length to the actual DMA-mapped length. Fixes: c17780e7b21e ("mt76: mt7915: add txfree event v3") Cc: stable@vger.kernel.org Signed-off-by: Joshua Klinesmith --- drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7915/mac.c index cec2c4208255..b66c440dbef3 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c @@ -799,7 +799,7 @@ int mt7915_tx_prepare_skb(struct mt76_dev *mdev, void *= txwi_ptr, tx_info->skb =3D NULL; =20 /* pass partial skb header to fw */ - tx_info->buf[1].len =3D MT_CT_PARSE_LEN; + tx_info->buf[1].len =3D min_t(u32, MT_CT_PARSE_LEN, tx_info->buf[1].len); tx_info->buf[1].skip_unmap =3D true; tx_info->nbuf =3D MT_CT_DMA_BUF_NUM; =20 --=20 2.43.0 From nobody Sun Jun 21 06:29:10 2026 Received: from mail-yw1-f179.google.com (mail-yw1-f179.google.com [209.85.128.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ADDD3396B84 for ; Mon, 6 Apr 2026 18:46:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.179 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775501180; cv=none; b=e1JL9htvOQ8UYqkPfJz5+5ncEboPHIGxjzi+sn+aLBvkQ+AlSjEnjuE6CUE9YIlaLVpATCr39muGNnEpdQn1zA7NmObQY7yFgU4dR5TKrABtgrDKoPIQSPDgwfrboRUAbq2ag5rnPTmQmYYKPHGNU8gYQOyH7HC6K5NKL1dnst4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775501180; c=relaxed/simple; bh=TodaMl53UO3CirNfBGxleA7KOIefYV/SEGEFmuQG35s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Y93REVM2KUiQWYh/9QbsjN8POh83cuhw5T6ppc2pQoxrpTRlWXGo3fPFhKtR91v9/QLeBtU2FWz+N1BduOJbU9yKciGjeWinLBaWZsJQGO0NH+v7QiR7RNwZYQ5bJWVM0UKPm2ExF4O/vHWdXdORkjn29+2ORZhfAiVkIh8vnoo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=I+D3/Ka3; arc=none smtp.client-ip=209.85.128.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="I+D3/Ka3" Received: by mail-yw1-f179.google.com with SMTP id 00721157ae682-7a43424f861so40136647b3.1 for ; Mon, 06 Apr 2026 11:46:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775501177; x=1776105977; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=WZPzCplQeYw4HrNPe0mY3COLB2w8pgJ3gstqK4owbOE=; b=I+D3/Ka31lJe14KNDtXtxVBdyUZGN3IngJkpE/lGeZpLAoeecfnwGHyDunixTtSk6c Xir48p2sPXV+8HKU5W5pvGvy1+BlyBBvmVYpBnZdaS6q1/Y4QMGub2VHN1zC4C3a/vPu vP4C3drzg3tkRisCwiFtkSfoHv5+VCAAr1u0wO8YdVtBuaQcL2YNw0hp7DaskXZ6/zwK uZUb9UWjFJYF4u3+7eeHCX6nD8zcxelz1j3/04XYfz3czPe+MMjPk/8b75Qe51MUHdAL l6orLGKoEk9rP7QOthvd/ZV7ZDF/CLWDVRofgiov8h/cTQYVnAS1jxEWoARbVn59DlSR El9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775501177; x=1776105977; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=WZPzCplQeYw4HrNPe0mY3COLB2w8pgJ3gstqK4owbOE=; b=cEvWcio0xEyKDraz4fEiVKSkFXB/4mJkgetyjokLUyDU1hRZ7evG9hXU59ro31o0mm OxD3uMns/To/l1W62mHpg0YXyYVVKkqYa46IWI1fOXU4xX29S9ACQ+XY4Z9EBmH4DN3P pkg10/csJewD5WuDqAa9oE3I8oLCSjlZS6v3FIQVJAzuAKnQ2OkkKeM0VPSFjstcqDvH 4pPiyJAMMttoZFxZmjdVYGYycmvJliEO4lCHi55TjAngKNpPXBH+pMCAc9Q8d8/PH0B3 YGRasQF23LXr0zmKiz5ViaD49Mu4QPjQ0NpUC2+HyknjFGMDBqTzZ3Ls11IrUqFCwPrz Sccw== X-Forwarded-Encrypted: i=1; AJvYcCVocTlvp80SPi51liyXPw6haou9XrVhLH3tsvM04OZ0HpnA59t1V4FvJTLYxIedtxwfGsfrhIcc2k2CBkM=@vger.kernel.org X-Gm-Message-State: AOJu0Yy7mmPu3uedRnLdebgn9rfwza/QxaD5Ew5KGApfB+1oZhz1ooY4 0XVPrhjHlRpXOWgsIxKlkZKmTJb8ycUJ3t1ATDDOyWU9md0pscG3zaFl X-Gm-Gg: AeBDiesQegssDEaYuc7IbtZ7JENqYJ2c3U6QonI5O3vbqsBK7qndEQwTdsBZEPFVFDh LC/uTOD7U3VuGk09y6maiRyLaIr/wz2pm48EJhPf4EGckNxkuNzZzh9uDKUJ0xCA9dnCbEsaaqM RzcxDbsOSwfo50raidr+EdaXqBnmuDssTG0Vt+hpXY/qtyfI0TlB9cY5nUrBo8HIbIbVFAt/QJ4 DUn4D3fiAip1kPNNl+SKJbwRDLGSu/3KQjUM+FXV1doyx6rBMzzEO0rMrVJdl4Z3StHoo07XLkN VhceCgKJYft0rtzMpksKvMZbtOwC+CN+PuRHu31G6lSRx12uRuz3sjvqncikT+DPODupITK2JPQ 8mIt7JUE8bggQjVW3Gp3cASOQ4XDAXLs34hfbTbfOr+9j1fpiobYSps6FnhncZ5Xu3j1TinCPYf LlKIuvD8VGjNU7w9IvXb0KbCSlhOdR1mTWgj5BdLtH32FCu8UCD/3vRUX5I7X1 X-Received: by 2002:a05:690c:dc9:b0:79a:6751:1489 with SMTP id 00721157ae682-7a4d5c5bbf6mr138049557b3.38.1775501177568; Mon, 06 Apr 2026 11:46:17 -0700 (PDT) Received: from DEV.lan (c-75-74-152-49.hsd1.fl.comcast.net. [75.74.152.49]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7a36e8343d3sm56288377b3.16.2026.04.06.11.46.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Apr 2026 11:46:17 -0700 (PDT) From: Joshua Klinesmith To: nbd@nbd.name, lorenzo@kernel.org, ryder.lee@mediatek.com Cc: shayne.chen@mediatek.com, sean.wang@mediatek.com, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Joshua Klinesmith , stable@vger.kernel.org Subject: [PATCH 3/3] wifi: mt76: mt7996: fix DMA read beyond mapped length Date: Mon, 6 Apr 2026 14:45:56 -0400 Message-ID: <20260406184556.8245-4-joshuaklinesmith@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260406184556.8245-1-joshuaklinesmith@gmail.com> References: <20260406184556.8245-1-joshuaklinesmith@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Same bug as mt7615/mt7915: buf[1].len is overridden to MT_CT_PARSE_LEN (72) but the DMA mapping may cover fewer bytes, causing SMMU faults when hardware reads past the mapped region. Cap the firmware parse length to the actual DMA-mapped length. Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (= 802.11be) devices") Cc: stable@vger.kernel.org Signed-off-by: Joshua Klinesmith --- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/= wireless/mediatek/mt76/mt7996/mac.c index e2a83da3a09c..5c03dc163547 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c @@ -1171,7 +1171,7 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void= *txwi_ptr, tx_info->skb =3D NULL; =20 /* pass partial skb header to fw */ - tx_info->buf[1].len =3D MT_CT_PARSE_LEN; + tx_info->buf[1].len =3D min_t(u32, MT_CT_PARSE_LEN, tx_info->buf[1].len); tx_info->buf[1].skip_unmap =3D true; tx_info->nbuf =3D MT_CT_DMA_BUF_NUM; =20 --=20 2.43.0