From: Joshua Klinesmith <joshuaklinesmith@gmail.com>
To: nbd@nbd.name, lorenzo@kernel.org, ryder.lee@mediatek.com
Cc: shayne.chen@mediatek.com, sean.wang@mediatek.com,
	linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
	Joshua Klinesmith <joshuaklinesmith@gmail.com>
Subject: [PATCH 0/2] wifi: mt76: validate WCID index before WTBL lookup
Date: Mon, 6 Apr 2026 14:44:04 -0400
Message-ID: <20260406184406.8152-1-joshuaklinesmith@gmail.com>

The mt7915 and mt7996 drivers do not validate WCID indices
extracted from hardware TX free events and TX status reports
before using them for WTBL MMIO register accesses. The hardware
WCID field is 10 bits wide (max 1023) but the actual WTBL
capacity is only 288 (MT7915), 544 (MT7916), or variable
(MT7996). An out-of-range index causes a kernel data abort.

Reverse engineering of the MediaTek WA co-processor firmware
(NDS32/FreeRTOS) confirmed that the firmware validates WCID
for its internal table (< 786) but still emits out-of-range
values in DMA descriptors sent to the host driver.

The mt7615, mt7921, and mt7925 drivers already have these
bounds checks. This series adds the same validation to mt7915
and mt7996.

Joshua Klinesmith (2):
  wifi: mt76: mt7915: validate WCID index before WTBL lookup
  wifi: mt76: mt7996: validate WCID index before WTBL lookup

 drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 6 ++++++
 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 ++++++
 2 files changed, 12 insertions(+)
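
A user-space model of the check the cover letter describes, added here as an illustration; it is not code from the patch series or the mt76 driver. The bit position of the WCID field, `struct wtbl_model` and `process_events()` are assumptions made for the sketch, and the sample events are constructed; the table sizes are the ones quoted in the cover letter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this sketch: WCID in bits 23..14 of an event word
 * (10 bits, values 0..1023). Not taken from the driver headers. */
#define EV_WCID_SHIFT 14
#define EV_WCID_MASK  0x3ffu
#define EV(wcid)      ((uint32_t)(wcid) << EV_WCID_SHIFT)

/* WTBL capacities quoted in the cover letter. */
enum { WTBL_SIZE_MT7915 = 288, WTBL_SIZE_MT7916 = 544 };

struct wtbl_model {
	uint32_t *entries;	/* stands in for the WTBL register window */
	size_t size;		/* valid entries on this chip */
};

static unsigned int ev_wcid(uint32_t word)
{
	return (word >> EV_WCID_SHIFT) & EV_WCID_MASK;
}

/* Touch only in-range entries; count rejected events for logging. */
static size_t process_events(struct wtbl_model *t, const uint32_t *ev,
			     size_t n, size_t *rejected)
{
	size_t handled = 0;
	*rejected = 0;
	for (size_t i = 0; i < n; i++) {
		unsigned int wcid = ev_wcid(ev[i]);
		if (wcid >= t->size) {	/* device-supplied index: never trust */
			(*rejected)++;
			continue;
		}
		t->entries[wcid]++;
		handled++;
	}
	return handled;
}

/* Constructed sample: two valid indices, then 288, 785 and 1023. */
static const uint32_t sample[] = { EV(5), EV(287), EV(288), EV(785), EV(1023) };
int main(void)
{
	static uint32_t tbl[WTBL_SIZE_MT7915];
	struct wtbl_model t = { tbl, WTBL_SIZE_MT7915 };
	size_t rejected, ok = process_events(&t, sample, 5, &rejected);
	printf("handled=%zu rejected=%zu\n", ok, rejected);
	return 0;
}
```

Index 785 is below the firmware's internal limit of 786 yet beyond every fixed WTBL size listed, which is why the host has to compare against its own table size rather than rely on the firmware's check.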