Same class of bug as mt7915: the mt7996 driver does not validate WCID indices from TX free events or TX status reports before WTBL lookups. An out-of-range WCID causes invalid MMIO accesses leading to a kernel data abort. Add bounds checks in mt7996_mac_tx_free() and mt7996_mac_add_txs() to match the pattern used by mt7615, mt7921, and mt7925 drivers. Additionally, clear the carried wcid and link_sta state when a WCID pair lookup fails (either out of range or not a station), so that subsequent header and MSDU entries in the same TX free event do not attribute statistics or free tokens against a stale WCID from a previous pair. Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Cc: stable@vger.kernel.org Signed-off-by: Joshua Klinesmith --- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c index 3d9648fb6773..f962ad398e04 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c @@ -1248,9 +1248,16 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len) u16 idx; idx = FIELD_GET(MT_TXFREE_INFO_WLAN_ID, info); + if (idx >= mt7996_wtbl_size(dev)) { + wcid = NULL; + link_sta = NULL; + goto next; + } + wcid = mt76_wcid_ptr(dev, idx); sta = wcid_to_sta(wcid); if (!sta) { + wcid = NULL; link_sta = NULL; goto next; } @@ -1482,6 +1489,9 @@ static void mt7996_mac_add_txs(struct mt7996_dev *dev, void *data) u8 pid; wcidx = le32_get_bits(txs_data[2], MT_TXS2_WCID); + if (wcidx >= mt7996_wtbl_size(dev)) + return; + pid = le32_get_bits(txs_data[3], MT_TXS3_PID); if (pid < MT_PACKET_ID_NO_SKB) -- 2.43.0
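Review bot: in the first hunk (mt7996_mac_tx_free), the bounds check and the `!sta` branch both end in the same three statements (`wcid = NULL; link_sta = NULL; goto next;`), and the `next:` label's consumers are outside the visible context, so it is worth stating in the commit message or a comment that the MSDU/header entries reached via `next` tolerate a NULL `wcid` (the commit message says they must not attribute statistics or free tokens against a stale WCID, which only holds if they test for NULL rather than dereference). If wcid_to_sta() already returns NULL for a NULL `wcid`, the two branches can be folded into one path, e.g. `wcid = idx < mt7996_wtbl_size(dev) ? mt76_wcid_ptr(dev, idx) : NULL;` followed by the existing `sta = wcid_to_sta(wcid); if (!sta) { ... }`, which removes the duplicated cleanup. Since an out-of-range WLAN_ID from a TX free event indicates firmware or hardware misbehaviour, a rate-limited debug message or a counter on this branch would make the condition observable instead of silently skipped.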
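Review bot: in the second hunk (mt7996_mac_add_txs), the early `return` on `wcidx >= mt7996_wtbl_size(dev)` discards the whole TX status report with no trace, which matches the mt7615/mt7921/mt7925 pattern named in the commit message but leaves a firmware-side fault invisible; consider a rate-limited dev_dbg or a stats counter before returning so that repeated out-of-range WCIDs can be diagnosed. Given the `Cc: stable@vger.kernel.org` tag, please also confirm that `mt7996_wtbl_size()` is available in every stable tree that carries the Fixes: commit, or note the dependency in the message, otherwise the backport will not build.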