From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yw1-f182.google.com (mail-yw1-f182.google.com [209.85.128.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 60767392C4A for ; Mon, 6 Apr 2026 18:46:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.182 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775501180; cv=none; b=WjPqwxscIXqJVtp+wbNdoSmP0d9ZT3Wp5KNuek0hUdA/zveSCaLM9hdttrUfEuVfxtege88Z98NiQaUKFeCjVi3YoIFwDBiWo2f6FFrHcYo0JroedcAOTdPWCOY57Vo8ypi+BqENByQ9MGBj59Trx37qY+4dL0wALAcCRB4wVAE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775501180; c=relaxed/simple; bh=1BlXWlRN49rlr8956LLGxTQhvicZChrmUTMEfYKLNeU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=HPQPrO9tIa1zxoZL4NI7fazIEVRefuOkeBJRpco422Sjuh/Hp8Ea0b/GC12J8Dop4HtTUFmWXTGFqFBflfzb6OTba0x9Fn+LDeUIeP8lkU8X8QwflKm98eKYk/uwXO9fWXq+g6vqwrS2UorjDWm0htAW1FPQtQu4QJoQM/wTubQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Zf/dkx2Y; arc=none smtp.client-ip=209.85.128.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Zf/dkx2Y" Received: by mail-yw1-f182.google.com with SMTP id 00721157ae682-7927261a3acso35057017b3.0 for ; Mon, 06 Apr 2026 11:46:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775501176; x=1776105976; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=loX0Qy4NihlN+KUtrLsqZhhdHawhctjv5xYILfNriy4=; b=Zf/dkx2Y+KQ1gfePjRUkmcjLJ+d1NvW5qY6GbnVkvqmap3pufd5URfS8nyrLc4JSE0 6Ndce0qTr08zaob6D3Bsj5LfqYGayT6HkUYlG5kYPtCQmJymlxFYvfs28igdmzIXWyFV 7tZaIbfRkh9S37sBnIR5LuyKvqeACDSoObHCPOIaeC0XxQ97HMykl2Fwo0JJRyL+2j7t vgjPRvlBQ5qBfw6pGcayzWs47zxksADpu9AkXcSp22W56bZVuf6SR4491S88CoOFqL1s h4QF5bBkWLWvN5pve0N7LcwGggQZqUeUXx7JgnXi3bsqnGGPXvOWRud2onu+E2coNdyn CmyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775501176; x=1776105976; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=loX0Qy4NihlN+KUtrLsqZhhdHawhctjv5xYILfNriy4=; b=gbJwQ/YTVsee2V3nvrbCg/0g6hp5g6AgiHPTWs45qwdp5LJTheMGMC7GRQK/qTkjur r/nvOf4WXkiEgV/wiWe/Coc/+fXe6CyjSxJCgYBKu29twGO0jgwJFtq6jx1JlIjgctUu aWcgc9nd7EdygasXpCu8fAYcGaeZrFPDFxqDuhuSrFav3Ca0+PvFRTzxL25BbYXf3iQU MAo6/g0b+qIN6xa9MFEzTrKMsSM4h42qp9ALrnfoBSyh2JdxT6ZnOAXVlH0tFCipMfyV kdarUnkrMzVoTDq1pC2rdCQ/Qff0tKYO9Ug1QKuWjH/iWgPuxE+HJ/grYUUJRh3MfF2M /pow== X-Forwarded-Encrypted: i=1; AJvYcCX6EIIiWehA4fNmBQEwip1D00tNbM3W2mahL2DsO5rfV77tLiihA8LAPUrYRmRnfaosPfwr19fyKBY0z82khg==@vger.kernel.org X-Gm-Message-State: AOJu0YzEi/iGUlQh4I0xr/XeI0ts53EWUXAY6uu1Y00HeNOKTttt/HNo XkOHm7rWUnzaz4E6UFBl5dEh/l81wcBB8KuCTzVnrD82ITUbHjfzoLDqj0DHAZwN X-Gm-Gg: AeBDievfq1m1+NLh0pe44adcbWCA3osZGkqqESttdc6aJPPEKakvIACp/++YTaLmffw tRdJaQHoGcfekkw4MlMJvbcImt3PvInmdypCHh/BL+COVjg8J3z69Jbrm2hZ0BPloB6y2CcHjAl aFvYQL9S7pcD7+Cj86AX1DU9t7gJ0xUIHnfJHiX2bLRzJqIQdwsmBJuO+XGEJ+lVD131DCOKSdv Agu6WvmeeiZEVqcUdc7I1MtOoEbYsIGl95X4LzUhJiFPrD0E5mVWNNGvJYWQwKijHFqNRB4220C jDItlucxvd5NldFhlvxMm8ATvrmqHXcEkeraeXe2DMgWtwlfVwcCQYdZR/MvXYWeSAsKzL+5Cxh 5p8y58urzYReUDOJps2SIFjiLMzyfnfIQ4S4HjY6wu+zKjwZoo32wWQ+JUjJrOgpA7DMnFVcK5U i5FAvjAk7plpZAHDrH9w8+7Jw7XnY/MRgb+9ME0m/YnlG6b8kZQMrb7EC1aRKdqLcSbpnw6NQ= X-Received: by 2002:a05:690c:6891:b0:79b:82a1:645d with SMTP id 00721157ae682-7a4d84c2b0cmr136330457b3.29.1775501176499; Mon, 06 Apr 2026 11:46:16 -0700 (PDT) Received: from DEV.lan (c-75-74-152-49.hsd1.fl.comcast.net. [75.74.152.49]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7a36e8343d3sm56288377b3.16.2026.04.06.11.46.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Apr 2026 11:46:16 -0700 (PDT) From: Joshua Klinesmith To: nbd@nbd.name, lorenzo@kernel.org, ryder.lee@mediatek.com Cc: shayne.chen@mediatek.com, sean.wang@mediatek.com, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Joshua Klinesmith , stable@vger.kernel.org Subject: [PATCH 2/3] wifi: mt76: mt7915: fix DMA read beyond mapped length Date: Mon, 6 Apr 2026 14:45:55 -0400 Message-ID: <20260406184556.8245-3-joshuaklinesmith@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260406184556.8245-1-joshuaklinesmith@gmail.com> References: <20260406184556.8245-1-joshuaklinesmith@gmail.com> Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Same bug as mt7615: buf[1].len is overridden to MT_CT_PARSE_LEN (72) but the DMA mapping may cover fewer bytes, causing SMMU faults when hardware reads past the mapped region. Cap the firmware parse length to the actual DMA-mapped length. Fixes: c17780e7b21e ("mt76: mt7915: add txfree event v3") Cc: stable@vger.kernel.org Signed-off-by: Joshua Klinesmith --- drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c index cec2c4208255..b66c440dbef3 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c @@ -799,7 +799,7 @@ int mt7915_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr, tx_info->skb = NULL; /* pass partial skb header to fw */ - tx_info->buf[1].len = MT_CT_PARSE_LEN; + tx_info->buf[1].len = min_t(u32, MT_CT_PARSE_LEN, tx_info->buf[1].len); tx_info->buf[1].skip_unmap = true; tx_info->nbuf = MT_CT_DMA_BUF_NUM; -- 2.43.0