[PATCH 0/3] wifi: mt76: fix DMA read beyond mapped length

Next message: Joshua Klinesmith: "[PATCH 1/3] wifi: mt76: mt7615: fix DMA read beyond mapped length"
Previous message: Derek John Clark: "Re: [PATCH v7 10/16] platform/x86: lenovo-wmi-other: Add lwmi_attr_id() function"
Next in thread: Joshua Klinesmith: "[PATCH 1/3] wifi: mt76: mt7615: fix DMA read beyond mapped length"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Joshua Klinesmith

Date: Mon Apr 06 2026 - 14:46:25 EST

tx_prepare_skb() in mt7615, mt7915, and mt7996 overrides
buf[1].len to MT_CT_PARSE_LEN (72 bytes) for firmware header
parsing, but dma_map_single() in dma.c only maps
skb_headlen(skb) bytes. When the SKB is shorter than 72 bytes
(e.g. a 54-byte TCP SYN), the DMA descriptor tells the
hardware to read past the mapped region.

On systems without IOMMU this is silently ignored. On systems
with SMMU (e.g. NXP LS1028A), the read past the page boundary
triggers an SMMU translation fault.

Cap buf[1].len to min(MT_CT_PARSE_LEN, original_mapped_len)
in all three drivers.

Joshua Klinesmith (3):
wifi: mt76: mt7615: fix DMA read beyond mapped length
wifi: mt76: mt7915: fix DMA read beyond mapped length
wifi: mt76: mt7996: fix DMA read beyond mapped length

drivers/net/wireless/mediatek/mt76/mt7615/pci_mac.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)