[PATCH 1/2] wifi: mt76: mt76x02: do not WARN on invalid rx descriptor length

Next message: Eric Biggers: "Re: [PATCH] lib/raid/xor: x86: Add AVX-512 optimized xor_gen()"
Previous message: Sean Christopherson: "[PATCH v7 16/20] KVM: selftests: Add kvm_sched_getaffinity() wrapper and convert users"
In reply to: Devin Wittmayer: "[PATCH 0/2] wifi: mt76: mt76x02: rx fixes for fcsfail monitor mode"
Next in thread: Devin Wittmayer: "[PATCH 2/2] wifi: mt76: mt76x02: report rx FCS errors to mac80211"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Devin Wittmayer

Date: Fri Jun 12 2026 - 20:28:16 EST

The MPDU length in the rx descriptor comes from the hardware. In
monitor mode with the fcsfail filter enabled, the hardware passes up
corrupted frames, and a corrupted frame can report a length larger
than the received buffer. The bounds check correctly discards such
frames, but its WARN_ON_ONCE wrapper means any over-the-air garbage
frame taints the kernel, and panics it on the first such frame when
panic_on_warn is set.

Drop the WARN and discard the frame silently, matching what
commit c2d4c8723dbf ("mt76x2: remove some harmless WARN_ONs in tx
status and rx path") did for the neighboring rx and tx status paths.

Observed immediately on rx with an MT7612U in fcsfail monitor mode
on a busy channel.

Fixes: 7bc04215a66b ("mt76: add driver code for MT76x2e")
Signed-off-by: Devin Wittmayer <lucid_duck@xxxxxxxxxxxxx>
---
drivers/net/wireless/mediatek/mt76/mt76x02_mac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
index 14ee5b3b94d3..aa525adb6743 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
@@ -848,7 +848,7 @@ int mt76x02_mac_process_rx(struct mt76x02_dev *dev, struct sk_buff *skb,
}
}

- if (WARN_ON_ONCE(len > skb->len))
+ if (len > skb->len)
return -EINVAL;

if (pskb_trim(skb, len))
--
2.54.0