[1/2] wifi: mt76: mt7915: fix bounds checking for tx-free-done command

Commit Message

Ben Greear Sept. 29, 2022, 3:15 p.m. UTC

From: Ben Greear <greearb@candelatech.com>

According to the tx-free-done documentation, the DW4 can be repeated,
so have to be more careful about how we test for walking off the
end of the array.

Signed-off-by: Ben Greear <greearb@candelatech.com>
---
 drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Patch

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index 4e70f5d050ea..bbaa77af387c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -1116,14 +1116,16 @@  mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
 	total = le16_get_bits(free->ctrl, MT_TX_FREE_MSDU_CNT);
 	/* NOTE: 'v3' actually is checking for API version 4 */
 	v3 = (FIELD_GET(MT_TX_FREE_VER, txd) == 0x4);
-	if (WARN_ON_ONCE((void *)&tx_info[total >> v3] > end))
-		return;
 
 	for (cur_info = tx_info; count < total; cur_info++) {
-		u32 msdu, info = le32_to_cpu(*cur_info);
+		u32 msdu, info;
 		u8 i;
 		u32 tx_cnt, tx_status, ampdu;
 
+		if (WARN_ON_ONCE((void*)cur_info > end))
+			return;
+
+		info = le32_to_cpu(*cur_info);
 		/*
 		 * 1'b1: new wcid pair.
 		 * 1'b0: msdu_id with the same 'wcid pair' as above.