public inbox for linux-wireless@vger.kernel.org
* [PATCH 0/3] wifi: mt76: fix DMA read beyond mapped length
@ 2026-04-06 18:45 Joshua Klinesmith
  2026-04-06 18:45 ` [PATCH 1/3] wifi: mt76: mt7615: " Joshua Klinesmith
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Joshua Klinesmith @ 2026-04-06 18:45 UTC (permalink / raw)
  To: nbd, lorenzo, ryder.lee
  Cc: shayne.chen, sean.wang, linux-wireless, linux-kernel,
	Joshua Klinesmith

tx_prepare_skb() in mt7615, mt7915, and mt7996 overrides
buf[1].len to MT_CT_PARSE_LEN (72 bytes) for firmware header
parsing, but dma_map_single() in dma.c only maps
skb_headlen(skb) bytes. When the SKB is shorter than 72 bytes
(e.g. a 54-byte TCP SYN), the DMA descriptor tells the
hardware to read past the mapped region.

On systems without IOMMU this is silently ignored. On systems
with SMMU (e.g. NXP LS1028A), the read past the page boundary
triggers an SMMU translation fault.

Cap buf[1].len to min(MT_CT_PARSE_LEN, original_mapped_len)
in all three drivers.

Joshua Klinesmith (3):
  wifi: mt76: mt7615: fix DMA read beyond mapped length
  wifi: mt76: mt7915: fix DMA read beyond mapped length
  wifi: mt76: mt7996: fix DMA read beyond mapped length

 drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c | 2 +-
 drivers/net/wireless/mediatek/mt76/mt7915/mac.c     | 2 +-
 drivers/net/wireless/mediatek/mt76/mt7996/mac.c     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
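
Added example (not part of the posted series or of the mt76 driver): a user-space model of why the over-long descriptor only faults for some buffers. It assumes the IOMMU maps whole 4096-byte pages covering the mapped range; the function names, the granule size and the base address are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IOMMU_GRANULE   4096u /* assumed mapping granularity */
#define MT_CT_PARSE_LEN 72u   /* value quoted in the cover letter */

/* True when a device read of desc_len bytes at iova reaches a page beyond
 * the last page covering the mapped range [iova, iova + mapped). */
static bool dma_read_faults(uint64_t iova, uint32_t mapped, uint32_t desc_len)
{
	if (mapped == 0 || desc_len == 0)
		return desc_len != 0;
	return (iova + desc_len - 1) / IOMMU_GRANULE >
	       (iova + mapped - 1) / IOMMU_GRANULE;
}

/* Descriptor length before the series: the constant, whatever was mapped. */
static uint32_t desc_len_before(uint32_t mapped)
{
	(void)mapped;
	return MT_CT_PARSE_LEN;
}

/* Descriptor length after the series: capped to the mapped length. */
static uint32_t desc_len_after(uint32_t mapped)
{
	return mapped < MT_CT_PARSE_LEN ? mapped : MT_CT_PARSE_LEN;
}

/* Slide a head of `mapped` bytes across one page and count the start
 * offsets at which the device read would fault. */
static unsigned count_faulting_offsets(uint32_t mapped,
				       uint32_t (*len_fn)(uint32_t))
{
	const uint64_t base = 0x10000; /* constructed, page-aligned IOVA */
	unsigned n = 0;

	for (uint32_t off = 0; off + mapped <= IOMMU_GRANULE; off++)
		n += dma_read_faults(base + off, mapped, len_fn(mapped));
	return n;
}

int main(void)
{
	printf("54-byte head, constant length: %u faulting offsets\n",
	       count_faulting_offsets(54, desc_len_before));
	printf("54-byte head, capped length:   %u faulting offsets\n",
	       count_faulting_offsets(54, desc_len_after));
	return 0;
}
```

In this model a short head faults only when it ends within the last 72 bytes of a page, so the fault depends on where the buffer happens to sit.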


* [PATCH 1/3] wifi: mt76: mt7615: fix DMA read beyond mapped length
  2026-04-06 18:45 [PATCH 0/3] wifi: mt76: fix DMA read beyond mapped length Joshua Klinesmith
@ 2026-04-06 18:45 ` Joshua Klinesmith
  2026-04-06 18:45 ` [PATCH 2/3] wifi: mt76: mt7915: " Joshua Klinesmith
  2026-04-06 18:45 ` [PATCH 3/3] wifi: mt76: mt7996: " Joshua Klinesmith
  2 siblings, 0 replies; 4+ messages in thread
From: Joshua Klinesmith @ 2026-04-06 18:45 UTC (permalink / raw)
  To: nbd, lorenzo, ryder.lee
  Cc: shayne.chen, sean.wang, linux-wireless, linux-kernel,
	Joshua Klinesmith, stable

tx_prepare_skb() overrides buf[1].len to MT_CT_PARSE_LEN (72)
for firmware header parsing, but dma_map_single() only maps
skb_headlen(skb) bytes. When the SKB is shorter than 72 bytes,
the hardware reads past the DMA-mapped region, causing SMMU
translation faults on IOMMU-enabled systems.

Cap the firmware parse length to the actual DMA-mapped length.

Fixes: e90354e0452d ("mt76: mt7615: move core shared code in mt7615-common module")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
 drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c
index 53cb1eed1e4f..dc7128c46a72 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c
@@ -35,7 +35,7 @@ mt7615_write_fw_txp(struct mt7615_dev *dev, struct mt76_tx_info *tx_info,
 
 	/* pass partial skb header to fw */
 	tx_info->buf[0].len = MT_TXD_SIZE + sizeof(*txp);
-	tx_info->buf[1].len = MT_CT_PARSE_LEN;
+	tx_info->buf[1].len = min_t(u32, MT_CT_PARSE_LEN, tx_info->buf[1].len);
 	tx_info->buf[1].skip_unmap = true;
 	tx_info->nbuf = MT_CT_DMA_BUF_NUM;
 
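Review bot: In mt7615_write_fw_txp() the new right-hand side depends on tx_info->buf[1].len still holding the length the caller mapped, yet the comment above it still only says "pass partial skb header to fw". A one-line comment stating that buf[1].len arrives as the mapped head length and must only be lowered here would keep a later cleanup from restoring the bare constant. The commit message also names tx_prepare_skb() while the line changed is in mt7615_write_fw_txp(); naming the function actually touched would make the log easier to match against the diff.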
-- 
2.43.0



* [PATCH 2/3] wifi: mt76: mt7915: fix DMA read beyond mapped length
  2026-04-06 18:45 [PATCH 0/3] wifi: mt76: fix DMA read beyond mapped length Joshua Klinesmith
  2026-04-06 18:45 ` [PATCH 1/3] wifi: mt76: mt7615: " Joshua Klinesmith
@ 2026-04-06 18:45 ` Joshua Klinesmith
  2026-04-06 18:45 ` [PATCH 3/3] wifi: mt76: mt7996: " Joshua Klinesmith
  2 siblings, 0 replies; 4+ messages in thread
From: Joshua Klinesmith @ 2026-04-06 18:45 UTC (permalink / raw)
  To: nbd, lorenzo, ryder.lee
  Cc: shayne.chen, sean.wang, linux-wireless, linux-kernel,
	Joshua Klinesmith, stable

Same bug as mt7615: buf[1].len is overridden to
MT_CT_PARSE_LEN (72) but the DMA mapping may cover fewer
bytes, causing SMMU faults when hardware reads past the
mapped region.

Cap the firmware parse length to the actual DMA-mapped
length.

Fixes: c17780e7b21e ("mt76: mt7915: add txfree event v3")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
 drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index cec2c4208255..b66c440dbef3 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -799,7 +799,7 @@ int mt7915_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
 	tx_info->skb = NULL;
 
 	/* pass partial skb header to fw */
-	tx_info->buf[1].len = MT_CT_PARSE_LEN;
+	tx_info->buf[1].len = min_t(u32, MT_CT_PARSE_LEN, tx_info->buf[1].len);
 	tx_info->buf[1].skip_unmap = true;
 	tx_info->nbuf = MT_CT_DMA_BUF_NUM;
 
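Review bot: min_t(u32, ...) on the changed line in mt7915_tx_prepare_skb() forces both operands through a cast, and the hunk does not show the declared type of buf[1].len. If that field is already an unsigned type, plain min(MT_CT_PARSE_LEN, tx_info->buf[1].len) would do the same job without a cast that could hide a truncation should the field ever be widened. The log would also benefit from a sentence on whether firmware copes with fewer than MT_CT_PARSE_LEN bytes, since for short frames the buffer it parses is now shorter than before.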
-- 
2.43.0



* [PATCH 3/3] wifi: mt76: mt7996: fix DMA read beyond mapped length
  2026-04-06 18:45 [PATCH 0/3] wifi: mt76: fix DMA read beyond mapped length Joshua Klinesmith
  2026-04-06 18:45 ` [PATCH 1/3] wifi: mt76: mt7615: " Joshua Klinesmith
  2026-04-06 18:45 ` [PATCH 2/3] wifi: mt76: mt7915: " Joshua Klinesmith
@ 2026-04-06 18:45 ` Joshua Klinesmith
  2 siblings, 0 replies; 4+ messages in thread
From: Joshua Klinesmith @ 2026-04-06 18:45 UTC (permalink / raw)
  To: nbd, lorenzo, ryder.lee
  Cc: shayne.chen, sean.wang, linux-wireless, linux-kernel,
	Joshua Klinesmith, stable

Same bug as mt7615/mt7915: buf[1].len is overridden to
MT_CT_PARSE_LEN (72) but the DMA mapping may cover fewer
bytes, causing SMMU faults when hardware reads past the
mapped region.

Cap the firmware parse length to the actual DMA-mapped
length.

Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
 drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index e2a83da3a09c..5c03dc163547 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -1171,7 +1171,7 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
 	tx_info->skb = NULL;
 
 	/* pass partial skb header to fw */
-	tx_info->buf[1].len = MT_CT_PARSE_LEN;
+	tx_info->buf[1].len = min_t(u32, MT_CT_PARSE_LEN, tx_info->buf[1].len);
 	tx_info->buf[1].skip_unmap = true;
 	tx_info->nbuf = MT_CT_DMA_BUF_NUM;
 
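Review bot: The clamp on the changed line in mt7996_tx_prepare_skb() is the third identical copy of the same expression (it also appears in the mt7615 and mt7915 hunks), so the three drivers can drift apart the next time this path is touched. A small shared helper in the common mt76 code, or applying the cap at the point where buf[1] is mapped, would keep them in step and give one place to document the rule that the descriptor length must not exceed the mapped length.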
-- 
2.43.0

