[PATCH 0/2] wifi: mt76: validate WCID index before WTBL lookup

Next message: Joshua Klinesmith: "[PATCH 1/2] wifi: mt76: mt7915: validate WCID index before WTBL lookup"
Previous message: Derek John Clark: "Re: [PATCH v7 08/16] platform/x86: lenovo-wmi-helpers: Move gamezone enums to wmi-helpers"
Next in thread: Joshua Klinesmith: "[PATCH 1/2] wifi: mt76: mt7915: validate WCID index before WTBL lookup"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Joshua Klinesmith

Date: Mon Apr 06 2026 - 14:44:59 EST

The mt7915 and mt7996 drivers do not validate WCID indices
extracted from hardware TX free events and TX status reports
before using them for WTBL MMIO register accesses. The hardware
WCID field is 10 bits wide (max 1023) but the actual WTBL
capacity is only 288 (MT7915), 544 (MT7916), or variable
(MT7996). An out-of-range index causes a kernel data abort.

Reverse engineering of the MediaTek WA co-processor firmware
(NDS32/FreeRTOS) confirmed that the firmware validates WCID
for its internal table (< 786) but still emits out-of-range
values in DMA descriptors sent to the host driver.

The mt7615, mt7921, and mt7925 drivers already have these
bounds checks. This series adds the same validation to mt7915
and mt7996.

Joshua Klinesmith (2):
wifi: mt76: mt7915: validate WCID index before WTBL lookup
wifi: mt76: mt7996: validate WCID index before WTBL lookup

drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 6 ++++++
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 6 ++++++
2 files changed, 12 insertions(+)