From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 99E393955D5; Tue, 12 May 2026 17:51:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778608306; cv=none; b=Yk2fuNziiMty+s5BgZUKaqjTfh6DQ6IhCEDgrBBIg1OALsWPCdQI53orccsSpOWbCsvr0O0AiXSoTfjptVkTvbZCsqr0BMvqKi4V63tlH3h9h3DBBYPnU95pgYJgwEyQuSDIt9/uE7w4Zo5cngBbx1YMhs6zhMUYSvbBr7jvbpA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778608306; c=relaxed/simple; bh=wfGUJ1/N87diKd+oslWOwBAUENLMpieCuJDPXkqO1Lw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PQLAbqqBHEQczrTAQr2u9rVNFKAh7KzhetNC9jzjK3oY0x853Hg6CrLG/UG+1JMzwkhyEdUin3Vl1DJsQTvkD1ySeDlFm+OB6N8QmieBGV+SCBvkGswqgqejOcacwsLqVL9Pz9c3Sjy50SCK/lHSXMi82Tp47GZXFYcIAFO88ho= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=q9HFE4cd; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="q9HFE4cd" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 32BBEC2BCC7; Tue, 12 May 2026 17:51:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1778608306; bh=wfGUJ1/N87diKd+oslWOwBAUENLMpieCuJDPXkqO1Lw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=q9HFE4cdHCjWFRu8012CuP3H9rf19XahN6QWQn4Tx4wjJLVfkdBdchLit2A+DwOrb p8TY+C/mFFpDdHks4Lb6WNUH59CpYKbRWJ6LherFwRaCygmLFkcfAb0r0iBwzyY9ZZ 23BJ1PeteNarb27NYiZZPm1psq1dch9HoJfxj7aM= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Leon Yen , Ming Yen Hsieh , Felix Fietkau Subject: [PATCH 6.18 028/270] wifi: mt76: mt7921: fix a potential clc buffer length underflow Date: Tue, 12 May 2026 19:37:09 +0200 Message-ID: <20260512173939.050329152@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260512173938.452574370@linuxfoundation.org> References: <20260512173938.452574370@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Leon Yen commit 5373f8b19e568b5c217832b9bbef165bd2b2df14 upstream. The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC. This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure. Cc: stable@vger.kernel.org Fixes: fa6ad88e023d ("wifi: mt76: mt7921: fix country count limitation for CLC") Signed-off-by: Leon Yen Signed-off-by: Ming Yen Hsieh Link: https://patch.msgid.link/20251009020158.1923429-1-mingyen.hsieh@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c @@ -1353,6 +1353,9 @@ int __mt7921_mcu_set_clc(struct mt792x_d u16 len = le16_to_cpu(rule->len); u16 offset = len + sizeof(*rule); + if (buf_len < offset) + break; + pos += offset; buf_len -= offset; if (rule->alpha2[0] != alpha2[0] ||