wifi: mt76: mt7915: fix bounds checking for tx-free-done command

According to the tx-free-done documentation, the DW4 can be repeated, so have to be more careful about how we test for walking off the end of the array. Signed-off-by: Ben Greear <greearb@candelatech.com> Signed-off-by: Felix Fietkau <nbd@nbd.name>
author: Ben Greear <greearb@candelatech.com> 2022-09-29 08:15:25 -0700
committer: Felix Fietkau <nbd@nbd.name> 2022-12-01 17:29:12 +0100
commit: 2b685ba7d4247d7707af795719f4f33c9019feb6 (patch)
tree: 34b3668958fb875b03dd76b5a5b0b51afe4f9e1c /drivers
parent: 03c2dd4d01a20edbadee408a622dee5e8a27f1e6 (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index a4bcc617c1a3..89a3810ee53f 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -905,17 +905,19 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
 
 	total = le16_get_bits(free->ctrl, MT_TX_FREE_MSDU_CNT);
 	v3 = (FIELD_GET(MT_TX_FREE_VER, txd) == 0x4);
-	if (WARN_ON_ONCE((void *)&tx_info[total >> v3] > end))
-		return;
 
 	for (cur_info = tx_info; count < total; cur_info++) {
-		u32 msdu, info = le32_to_cpu(*cur_info);
+		u32 msdu, info;
 		u8 i;
 
+		if (WARN_ON_ONCE((void *)cur_info >= end))
+			return;
+
 		/*
 		 * 1'b1: new wcid pair.
 		 * 1'b0: msdu_id with the same 'wcid pair' as above.
 		 */
+		info = le32_to_cpu(*cur_info);
 		if (info & MT_TX_FREE_PAIR) {
 			struct mt7915_sta *msta;
 			struct mt76_wcid *wcid;
author	Ben Greear <greearb@candelatech.com>	2022-09-29 08:15:25 -0700
committer	Felix Fietkau <nbd@nbd.name>	2022-12-01 17:29:12 +0100
commit	2b685ba7d4247d7707af795719f4f33c9019feb6 (patch)
tree	34b3668958fb875b03dd76b5a5b0b51afe4f9e1c /drivers
parent	03c2dd4d01a20edbadee408a622dee5e8a27f1e6 (diff)