From: Lorenzo Bianconi <lorenzo@kernel.org>
To: Ryder Lee <ryder.lee@mediatek.com>
Cc: Felix Fietkau <nbd@nbd.name>,
linux-mediatek@lists.infradead.org,
linux-wireless@vger.kernel.org,
Shayne Chen <shayne.chen@mediatek.com>
Subject: Re: [PATCH] wifi: mt76: fix potential tx_retries underflow
Date: Fri, 5 Jun 2026 12:17:50 +0200 [thread overview]
Message-ID: <aiKiTk32PW3_0pDg@lore-desk> (raw)
In-Reply-To: <20260605024222.3388222-1-ryder.lee@mediatek.com>
[-- Attachment #1: Type: text/plain, Size: 4406 bytes --]
> When FIELD_GET returns 0 for the retry count, subtracting 1 causes
> an unsigned integer underflow, resulting in tx_retries becoming a
> very large value (0xFFFFFFFF for u32 or 255 for u8).
>
> Fix by checking if count is non-zero before subtracting 1.
>
> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
I guess we need proper Fixes tags here. Moreover, if you split this patch
in three separated patches you will make life easier for guys that do
backports :)
> ---
> drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 10 +++++-----
> drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 5 +++--
> drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 5 +++--
> drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 +++---
> 4 files changed, 14 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
> index cec2c4208..334c19ab2 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
> @@ -912,16 +912,16 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
> }
>
> if (!mtk_wed_device_active(&mdev->mmio.wed) && wcid) {
> - u32 tx_retries = 0, tx_failed = 0;
> + u32 tx_retries = 0, tx_failed = 0, count;
>
> if (v3 && (info & MT_TX_FREE_MPDU_HEADER_V3)) {
> - tx_retries =
> - FIELD_GET(MT_TX_FREE_COUNT_V3, info) - 1;
> + count = FIELD_GET(MT_TX_FREE_COUNT_V3, info);
> + tx_retries = count ? count - 1 : 0;
nit: I think it is more readable if you use a int for tx_retries and do
something like:
tx_retries = max_t(int, tx_retries, 0);
This is valid even for below chunks.
Regards,
Lorenzo
> tx_failed = tx_retries +
> !!FIELD_GET(MT_TX_FREE_STAT_V3, info);
> } else if (!v3 && (info & MT_TX_FREE_MPDU_HEADER)) {
> - tx_retries =
> - FIELD_GET(MT_TX_FREE_COUNT, info) - 1;
> + count = FIELD_GET(MT_TX_FREE_COUNT, info);
> + tx_retries = count ? count - 1 : 0;
> tx_failed = tx_retries +
> !!FIELD_GET(MT_TX_FREE_STAT, info);
> }
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
> index 03b4960db..668bfa195 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
> @@ -530,8 +530,9 @@ static void mt7921_mac_tx_free(struct mt792x_dev *dev, void *data, int len)
> stat = FIELD_GET(MT_TX_FREE_STATUS, info);
>
> if (wcid) {
> - wcid->stats.tx_retries +=
> - FIELD_GET(MT_TX_FREE_COUNT, info) - 1;
> + u32 count = FIELD_GET(MT_TX_FREE_COUNT, info);
> +
> + wcid->stats.tx_retries += count ? count - 1 : 0;
> wcid->stats.tx_failed += !!stat;
> }
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
> index c47bd812b..c56a9e530 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
> @@ -1141,8 +1141,9 @@ mt7925_mac_tx_free(struct mt792x_dev *dev, void *data, int len)
>
> if (info & MT_TXFREE_INFO_HEADER) {
> if (wcid) {
> - wcid->stats.tx_retries +=
> - FIELD_GET(MT_TXFREE_INFO_COUNT, info) - 1;
> + u32 count = FIELD_GET(MT_TXFREE_INFO_COUNT, info);
> +
> + wcid->stats.tx_retries += count ? count - 1 : 0;
> wcid->stats.tx_failed +=
> !!FIELD_GET(MT_TXFREE_INFO_STAT, info);
> }
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> index a59c14c8f..3fad977ba 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> @@ -1361,13 +1361,13 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len)
> cur_info++;
> continue;
> } else if (info & MT_TXFREE_INFO_HEADER) {
> - u32 tx_retries = 0, tx_failed = 0;
> + u32 tx_retries = 0, tx_failed = 0, count;
>
> if (!wcid)
> continue;
>
> - tx_retries =
> - FIELD_GET(MT_TXFREE_INFO_COUNT, info) - 1;
> + count = FIELD_GET(MT_TXFREE_INFO_COUNT, info);
> + tx_retries = count ? count - 1 : 0;
> tx_failed = tx_retries +
> !!FIELD_GET(MT_TXFREE_INFO_STAT, info);
>
> --
> 2.45.2
>
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
prev parent reply other threads:[~2026-06-05 10:17 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-05 2:42 [PATCH] wifi: mt76: fix potential tx_retries underflow Ryder Lee
2026-06-05 10:17 ` Lorenzo Bianconi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiKiTk32PW3_0pDg@lore-desk \
--to=lorenzo@kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-wireless@vger.kernel.org \
--cc=nbd@nbd.name \
--cc=ryder.lee@mediatek.com \
--cc=shayne.chen@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox