* [PATCH] wifi: mt76: fix potential tx_retries underflow
@ 2026-06-05 2:42 Ryder Lee
2026-06-05 10:17 ` Lorenzo Bianconi
0 siblings, 1 reply; 2+ messages in thread
From: Ryder Lee @ 2026-06-05 2:42 UTC (permalink / raw)
To: Felix Fietkau; +Cc: linux-mediatek, linux-wireless, Shayne Chen, Ryder Lee
When FIELD_GET returns 0 for the retry count, subtracting 1 causes
an unsigned integer underflow, resulting in tx_retries becoming a
very large value (0xFFFFFFFF for u32 or 255 for u8).
Fix by checking if count is non-zero before subtracting 1.
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
---
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 10 +++++-----
drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 5 +++--
drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 5 +++--
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 +++---
4 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index cec2c4208..334c19ab2 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -912,16 +912,16 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
}
if (!mtk_wed_device_active(&mdev->mmio.wed) && wcid) {
- u32 tx_retries = 0, tx_failed = 0;
+ u32 tx_retries = 0, tx_failed = 0, count;
if (v3 && (info & MT_TX_FREE_MPDU_HEADER_V3)) {
- tx_retries =
- FIELD_GET(MT_TX_FREE_COUNT_V3, info) - 1;
+ count = FIELD_GET(MT_TX_FREE_COUNT_V3, info);
+ tx_retries = count ? count - 1 : 0;
tx_failed = tx_retries +
!!FIELD_GET(MT_TX_FREE_STAT_V3, info);
} else if (!v3 && (info & MT_TX_FREE_MPDU_HEADER)) {
- tx_retries =
- FIELD_GET(MT_TX_FREE_COUNT, info) - 1;
+ count = FIELD_GET(MT_TX_FREE_COUNT, info);
+ tx_retries = count ? count - 1 : 0;
tx_failed = tx_retries +
!!FIELD_GET(MT_TX_FREE_STAT, info);
}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
index 03b4960db..668bfa195 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
@@ -530,8 +530,9 @@ static void mt7921_mac_tx_free(struct mt792x_dev *dev, void *data, int len)
stat = FIELD_GET(MT_TX_FREE_STATUS, info);
if (wcid) {
- wcid->stats.tx_retries +=
- FIELD_GET(MT_TX_FREE_COUNT, info) - 1;
+ u32 count = FIELD_GET(MT_TX_FREE_COUNT, info);
+
+ wcid->stats.tx_retries += count ? count - 1 : 0;
wcid->stats.tx_failed += !!stat;
}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
index c47bd812b..c56a9e530 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
@@ -1141,8 +1141,9 @@ mt7925_mac_tx_free(struct mt792x_dev *dev, void *data, int len)
if (info & MT_TXFREE_INFO_HEADER) {
if (wcid) {
- wcid->stats.tx_retries +=
- FIELD_GET(MT_TXFREE_INFO_COUNT, info) - 1;
+ u32 count = FIELD_GET(MT_TXFREE_INFO_COUNT, info);
+
+ wcid->stats.tx_retries += count ? count - 1 : 0;
wcid->stats.tx_failed +=
!!FIELD_GET(MT_TXFREE_INFO_STAT, info);
}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index a59c14c8f..3fad977ba 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -1361,13 +1361,13 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len)
cur_info++;
continue;
} else if (info & MT_TXFREE_INFO_HEADER) {
- u32 tx_retries = 0, tx_failed = 0;
+ u32 tx_retries = 0, tx_failed = 0, count;
if (!wcid)
continue;
- tx_retries =
- FIELD_GET(MT_TXFREE_INFO_COUNT, info) - 1;
+ count = FIELD_GET(MT_TXFREE_INFO_COUNT, info);
+ tx_retries = count ? count - 1 : 0;
tx_failed = tx_retries +
!!FIELD_GET(MT_TXFREE_INFO_STAT, info);
--
2.45.2
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] wifi: mt76: fix potential tx_retries underflow
2026-06-05 2:42 [PATCH] wifi: mt76: fix potential tx_retries underflow Ryder Lee
@ 2026-06-05 10:17 ` Lorenzo Bianconi
0 siblings, 0 replies; 2+ messages in thread
From: Lorenzo Bianconi @ 2026-06-05 10:17 UTC (permalink / raw)
To: Ryder Lee; +Cc: Felix Fietkau, linux-mediatek, linux-wireless, Shayne Chen
[-- Attachment #1: Type: text/plain, Size: 4406 bytes --]
> When FIELD_GET returns 0 for the retry count, subtracting 1 causes
> an unsigned integer underflow, resulting in tx_retries becoming a
> very large value (0xFFFFFFFF for u32 or 255 for u8).
>
> Fix by checking if count is non-zero before subtracting 1.
>
> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
I guess we need proper Fixes tags here. Moreover, if you split this patch
in three separated patches you will make life easier for guys that do
backports :)
> ---
> drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 10 +++++-----
> drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 5 +++--
> drivers/net/wireless/mediatek/mt76/mt7925/mac.c | 5 +++--
> drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 +++---
> 4 files changed, 14 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
> index cec2c4208..334c19ab2 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
> @@ -912,16 +912,16 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
> }
>
> if (!mtk_wed_device_active(&mdev->mmio.wed) && wcid) {
> - u32 tx_retries = 0, tx_failed = 0;
> + u32 tx_retries = 0, tx_failed = 0, count;
>
> if (v3 && (info & MT_TX_FREE_MPDU_HEADER_V3)) {
> - tx_retries =
> - FIELD_GET(MT_TX_FREE_COUNT_V3, info) - 1;
> + count = FIELD_GET(MT_TX_FREE_COUNT_V3, info);
> + tx_retries = count ? count - 1 : 0;
nit: I think it is more readable if you use a int for tx_retries and do
something like:
tx_retries = max_t(int, tx_retries, 0);
This is valid even for below chunks.
Regards,
Lorenzo
> tx_failed = tx_retries +
> !!FIELD_GET(MT_TX_FREE_STAT_V3, info);
> } else if (!v3 && (info & MT_TX_FREE_MPDU_HEADER)) {
> - tx_retries =
> - FIELD_GET(MT_TX_FREE_COUNT, info) - 1;
> + count = FIELD_GET(MT_TX_FREE_COUNT, info);
> + tx_retries = count ? count - 1 : 0;
> tx_failed = tx_retries +
> !!FIELD_GET(MT_TX_FREE_STAT, info);
> }
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
> index 03b4960db..668bfa195 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c
> @@ -530,8 +530,9 @@ static void mt7921_mac_tx_free(struct mt792x_dev *dev, void *data, int len)
> stat = FIELD_GET(MT_TX_FREE_STATUS, info);
>
> if (wcid) {
> - wcid->stats.tx_retries +=
> - FIELD_GET(MT_TX_FREE_COUNT, info) - 1;
> + u32 count = FIELD_GET(MT_TX_FREE_COUNT, info);
> +
> + wcid->stats.tx_retries += count ? count - 1 : 0;
> wcid->stats.tx_failed += !!stat;
> }
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
> index c47bd812b..c56a9e530 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7925/mac.c
> @@ -1141,8 +1141,9 @@ mt7925_mac_tx_free(struct mt792x_dev *dev, void *data, int len)
>
> if (info & MT_TXFREE_INFO_HEADER) {
> if (wcid) {
> - wcid->stats.tx_retries +=
> - FIELD_GET(MT_TXFREE_INFO_COUNT, info) - 1;
> + u32 count = FIELD_GET(MT_TXFREE_INFO_COUNT, info);
> +
> + wcid->stats.tx_retries += count ? count - 1 : 0;
> wcid->stats.tx_failed +=
> !!FIELD_GET(MT_TXFREE_INFO_STAT, info);
> }
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> index a59c14c8f..3fad977ba 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> @@ -1361,13 +1361,13 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len)
> cur_info++;
> continue;
> } else if (info & MT_TXFREE_INFO_HEADER) {
> - u32 tx_retries = 0, tx_failed = 0;
> + u32 tx_retries = 0, tx_failed = 0, count;
>
> if (!wcid)
> continue;
>
> - tx_retries =
> - FIELD_GET(MT_TXFREE_INFO_COUNT, info) - 1;
> + count = FIELD_GET(MT_TXFREE_INFO_COUNT, info);
> + tx_retries = count ? count - 1 : 0;
> tx_failed = tx_retries +
> !!FIELD_GET(MT_TXFREE_INFO_STAT, info);
>
> --
> 2.45.2
>
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-05 10:17 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-05 2:42 [PATCH] wifi: mt76: fix potential tx_retries underflow Ryder Lee
2026-06-05 10:17 ` Lorenzo Bianconi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox