* [PATCH 0/2] wifi: mt76: validate WCID index before WTBL lookup
@ 2026-04-06 18:44 Joshua Klinesmith
2026-04-06 18:44 ` [PATCH 1/2] wifi: mt76: mt7915: " Joshua Klinesmith
2026-04-06 18:44 ` [PATCH 2/2] wifi: mt76: mt7996: " Joshua Klinesmith
0 siblings, 2 replies; 3+ messages in thread
From: Joshua Klinesmith @ 2026-04-06 18:44 UTC (permalink / raw)
To: nbd, lorenzo, ryder.lee
Cc: shayne.chen, sean.wang, linux-wireless, linux-kernel,
Joshua Klinesmith
The mt7915 and mt7996 drivers do not validate WCID indices
extracted from hardware TX free events and TX status reports
before using them for WTBL MMIO register accesses. The hardware
WCID field is 10 bits wide (max 1023) but the actual WTBL
capacity is only 288 (MT7915), 544 (MT7916), or variable
(MT7996). An out-of-range index causes a kernel data abort.
Reverse engineering of the MediaTek WA co-processor firmware
(NDS32/FreeRTOS) confirmed that the firmware validates WCID
for its internal table (< 786) but still emits out-of-range
values in DMA descriptors sent to the host driver.
The mt7615, mt7921, and mt7925 drivers already have these
bounds checks. This series adds the same validation to mt7915
and mt7996.
Joshua Klinesmith (2):
wifi: mt76: mt7915: validate WCID index before WTBL lookup
wifi: mt76: mt7996: validate WCID index before WTBL lookup
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 6 ++++++
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 ++++++
2 files changed, 12 insertions(+)
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/2] wifi: mt76: mt7915: validate WCID index before WTBL lookup
2026-04-06 18:44 [PATCH 0/2] wifi: mt76: validate WCID index before WTBL lookup Joshua Klinesmith
@ 2026-04-06 18:44 ` Joshua Klinesmith
2026-04-06 18:44 ` [PATCH 2/2] wifi: mt76: mt7996: " Joshua Klinesmith
1 sibling, 0 replies; 3+ messages in thread
From: Joshua Klinesmith @ 2026-04-06 18:44 UTC (permalink / raw)
To: nbd, lorenzo, ryder.lee
Cc: shayne.chen, sean.wang, linux-wireless, linux-kernel,
Joshua Klinesmith, stable
The mt7915 driver does not validate WCID indices extracted from
hardware TX free events and TX status reports before using them
for WTBL MMIO register accesses. The hardware WCID field is 10
bits wide (max 1023) but actual WTBL capacity is only 288
(MT7915) or 544 (MT7916). An out-of-range index causes
mt7915_mac_wtbl_lmac_addr() to compute an invalid MMIO address,
leading to a kernel data abort:
Unable to handle kernel paging request at virtual address
ffffff88d5ab0010
The mt7615, mt7921, and mt7925 drivers already validate WCID
indices against their WTBL size before use. Add the same bounds
checks in mt7915_mac_tx_free() and mt7915_mac_add_txs().
Fixes: c17780e7b21e ("mt76: mt7915: add txfree event v3")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index cec2c4208255..0acada48824f 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -901,6 +901,9 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
u16 idx;
idx = FIELD_GET(MT_TX_FREE_WLAN_ID, info);
+ if (idx >= mt7915_wtbl_size(dev))
+ continue;
+
wcid = mt76_wcid_ptr(dev, idx);
sta = wcid_to_sta(wcid);
if (!sta)
@@ -992,6 +995,9 @@ static void mt7915_mac_add_txs(struct mt7915_dev *dev, void *data)
u8 pid;
wcidx = le32_get_bits(txs_data[2], MT_TXS2_WCID);
+ if (wcidx >= mt7915_wtbl_size(dev))
+ return;
+
pid = le32_get_bits(txs_data[3], MT_TXS3_PID);
if (pid < MT_PACKET_ID_WED)
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH 2/2] wifi: mt76: mt7996: validate WCID index before WTBL lookup
2026-04-06 18:44 [PATCH 0/2] wifi: mt76: validate WCID index before WTBL lookup Joshua Klinesmith
2026-04-06 18:44 ` [PATCH 1/2] wifi: mt76: mt7915: " Joshua Klinesmith
@ 2026-04-06 18:44 ` Joshua Klinesmith
1 sibling, 0 replies; 3+ messages in thread
From: Joshua Klinesmith @ 2026-04-06 18:44 UTC (permalink / raw)
To: nbd, lorenzo, ryder.lee
Cc: shayne.chen, sean.wang, linux-wireless, linux-kernel,
Joshua Klinesmith, stable
Same class of bug as mt7915: the mt7996 driver does not validate
WCID indices from TX free events or TX status reports before
WTBL lookups. An out-of-range WCID causes invalid MMIO accesses
leading to a kernel data abort.
Add bounds checks in mt7996_mac_tx_free() and
mt7996_mac_add_txs() to match the pattern used by mt7615,
mt7921, and mt7925 drivers.
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index e2a83da3a09c..ea775029125d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -1327,6 +1327,9 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len)
u16 idx;
idx = FIELD_GET(MT_TXFREE_INFO_WLAN_ID, info);
+ if (idx >= mt7996_wtbl_size(dev))
+ goto next;
+
wcid = mt76_wcid_ptr(dev, idx);
sta = wcid_to_sta(wcid);
if (!sta) {
@@ -1563,6 +1566,9 @@ static void mt7996_mac_add_txs(struct mt7996_dev *dev, void *data)
u8 pid;
wcidx = le32_get_bits(txs_data[2], MT_TXS2_WCID);
+ if (wcidx >= mt7996_wtbl_size(dev))
+ return;
+
pid = le32_get_bits(txs_data[3], MT_TXS3_PID);
if (pid < MT_PACKET_ID_NO_SKB)
--
2.43.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-04-06 18:44 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-06 18:44 [PATCH 0/2] wifi: mt76: validate WCID index before WTBL lookup Joshua Klinesmith
2026-04-06 18:44 ` [PATCH 1/2] wifi: mt76: mt7915: " Joshua Klinesmith
2026-04-06 18:44 ` [PATCH 2/2] wifi: mt76: mt7996: " Joshua Klinesmith
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox