From patchwork Sat Sep 20 22:58:52 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Emil Goode X-Patchwork-Id: 391591 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 39B0814011E for ; Sun, 21 Sep 2014 08:59:46 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751235AbaITW7J (ORCPT ); Sat, 20 Sep 2014 18:59:09 -0400 Received: from mail-lb0-f178.google.com ([209.85.217.178]:58126 "EHLO mail-lb0-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750834AbaITW7H (ORCPT ); Sat, 20 Sep 2014 18:59:07 -0400 Received: by mail-lb0-f178.google.com with SMTP id z12so2346951lbi.37 for ; Sat, 20 Sep 2014 15:59:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id; bh=73UfL2RkmK1Lw5jCgxS667PmJ3rwqUPZuDTQVqPfCOI=; b=mLKLrN+hFHRfstlel9+FryoUXJepQPymg4OChGgrNXGa6QFRdYmvPHimhQ5G3a9yT/ 7dWnz/hMqTNcCQx4idWzPUPkd7pKbttjOICgW3RKDoYleOMuZF566Oa3nNBAlV6bqb1u cL2609X2mfcst7TPBE8nGiUUcBR4xxAfHZ3+52EGB3ZCczQHH9wwhr19GB8L8ktTlTT9 m/ybaUrvH/gQM2INB/6tCAXuuHhpq1oN0hgV3i03y6MLJ20/08Rg9KyLZOX8Qgf5f7sw z8p9PQ72LdfGPmuZmCHZBKdxkeFSPV29MFPK8JDelMWYg/pf6qiR1h7Lf43G5ywoj8VQ E9vg== X-Received: by 10.152.204.231 with SMTP id lb7mr15736059lac.44.1411253944083; Sat, 20 Sep 2014 15:59:04 -0700 (PDT) Received: from localhost.localdomain (c193-14-112-131.cust.tele2.se. [193.14.112.131]) by mx.google.com with ESMTPSA id r6sm2080786lbp.29.2014.09.20.15.59.03 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 20 Sep 2014 15:59:03 -0700 (PDT) From: Emil Goode To: Arend van Spriel , Brett Rudley , "Franky (Zhenhui) Lin" , Hante Meuleman , "John W. Linville" , Pieter-Paul Giesberts , Daniel Kim Cc: linux-wireless@vger.kernel.org, brcm80211-dev-list@broadcom.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Emil Goode Subject: [PATCH] brcmfmac: Fix off by one bug in brcmf_count_20mhz_channels() Date: Sun, 21 Sep 2014 00:58:52 +0200 Message-Id: <1411253932-27973-1-git-send-email-emilgoode@gmail.com> X-Mailer: git-send-email 2.1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org In the brcmf_count_20mhz_channels function we are looping through a list of channels received from firmware. Since the index of the first channel is 0 the condition leads to an off by one bug. This is causing us to hit the WARN_ON_ONCE(1) calls in the brcmu_d11n_decchspec function, which is how I discovered the bug. Introduced by: commit b48d891676f756d48b4d0ee131e4a7a5d43ca417 ("brcmfmac: rework wiphy structure setup") Signed-off-by: Emil Goode Acked-by: Arend van Spriel --- drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c index 02fe706..93b5dd9 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c @@ -4918,7 +4918,7 @@ static void brcmf_count_20mhz_channels(struct brcmf_cfg80211_info *cfg, struct brcmu_chan ch; int i; - for (i = 0; i <= total; i++) { + for (i = 0; i < total; i++) { ch.chspec = (u16)le32_to_cpu(chlist->element[i]); cfg->d11inf.decchspec(&ch);