[PATCH 1/2] wifi: mt76: mt7915: validate WCID index before WTBL lookup
From: Joshua Klinesmith
Date: Mon Apr 06 2026 - 14:45:20 EST
The mt7915 driver does not validate WCID indices extracted from
hardware TX free events and TX status reports before using them
for WTBL MMIO register accesses. The hardware WCID field is 10
bits wide (max 1023) but actual WTBL capacity is only 288
(MT7915) or 544 (MT7916). An out-of-range index causes
mt7915_mac_wtbl_lmac_addr() to compute an invalid MMIO address,
leading to a kernel data abort:

  Unable to handle kernel paging request at virtual address
  ffffff88d5ab0010

The mt7615, mt7921, and mt7925 drivers already validate WCID
indices against their WTBL size before use. Add the same bounds
checks in mt7915_mac_tx_free() and mt7915_mac_add_txs().
Fixes: c17780e7b21e ("mt76: mt7915: add txfree event v3")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@xxxxxxxxx>
---
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index cec2c4208255..0acada48824f 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -901,6 +901,9 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
u16 idx;
idx = FIELD_GET(MT_TX_FREE_WLAN_ID, info);
+ if (idx >= mt7915_wtbl_size(dev))
+ continue;
+
wcid = mt76_wcid_ptr(dev, idx);
sta = wcid_to_sta(wcid);
if (!sta)
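Review bot: The new `continue` in mt7915_mac_tx_free() runs before the `wcid = mt76_wcid_ptr(dev, idx);` and `sta = wcid_to_sta(wcid);` assignments, so both are skipped for an out-of-range index. If `wcid` and `sta` are declared outside this block and are read on later iterations, they keep the values from the previous valid entry, and whatever follows the rejected index would be accounted against that earlier station. Please confirm that cannot happen, or reset both to NULL before the `continue`. The existing `if (!sta)` path does not have this problem because `sta` has already been overwritten by then.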
@@ -992,6 +995,9 @@ static void mt7915_mac_add_txs(struct mt7915_dev *dev, void *data)
u8 pid;
wcidx = le32_get_bits(txs_data[2], MT_TXS2_WCID);
+ if (wcidx >= mt7915_wtbl_size(dev))
+ return;
+
pid = le32_get_bits(txs_data[3], MT_TXS3_PID);
if (pid < MT_PACKET_ID_WED)
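Review bot: The `wcidx >= mt7915_wtbl_size(dev)` check in mt7915_mac_add_txs() has no comment explaining why a hardware-reported index can be out of range, and the early `return` drops the report without any trace. The commit message has the reason (a 10-bit field, max 1023, against a WTBL of 288 or 544 entries); a one-line comment above the check would keep that next to the code. Since an index beyond the table means the status report is malformed, a rate-limited debug message or a counter here would also make the condition visible when diagnosing the firmware or hardware that produced it. The same applies to the matching check in mt7915_mac_tx_free().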
--
2.43.0