From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Leon Yen , Ming Yen Hsieh , Felix Fietkau Subject: [PATCH 7.0 024/307] wifi: mt76: mt7921: fix a potential clc buffer length underflow Date: Tue, 12 May 2026 19:36:59 +0200 Message-ID: <20260512173940.636777144@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260512173940.117428952@linuxfoundation.org> References: <20260512173940.117428952@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 7.0-stable review patch. If anyone has any objections, please let me know. ------------------ From: Leon Yen commit 5373f8b19e568b5c217832b9bbef165bd2b2df14 upstream. The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC. This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure. Cc: stable@vger.kernel.org Fixes: fa6ad88e023d ("wifi: mt76: mt7921: fix country count limitation for CLC") Signed-off-by: Leon Yen Signed-off-by: Ming Yen Hsieh Link: https://patch.msgid.link/20251009020158.1923429-1-mingyen.hsieh@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c @@ -1353,6 +1353,9 @@ int __mt7921_mcu_set_clc(struct mt792x_d u16 len = le16_to_cpu(rule->len); u16 offset = len + sizeof(*rule); + if (buf_len < offset) + break; + pos += offset; buf_len -= offset; if (rule->alpha2[0] != alpha2[0] ||
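Review bot: The new guard `if (buf_len < offset)` compares against a value that has already been narrowed to 16 bits: `u16 offset = len + sizeof(*rule);` wraps modulo 65536 when `rule->len` is close to 0xffff, so a wrapped, small `offset` passes the check and `pos` then advances by less than the rule claims to occupy. Computing the sum in a wider type (for example `size_t offset = len + sizeof(*rule);`) before the comparison would close that case. Two smaller points on the same hunk: `rule->len` is read before this check, so unless the loop condition outside the visible context already guarantees `buf_len >= sizeof(*rule)`, the header read itself can run past the buffer; and the bare `break` drops a truncated or malformed CLC table silently, where a warning or an error return would make the condition visible, given that the commit message ties this path to driver initialization failure.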