Commit f8adaf0a authored by Emil Goode, committed by John W. Linville

brcmfmac: Fix off by one bug in brcmf_count_20mhz_channels()

In the brcmf_count_20mhz_channels function we are looping through a list
of channels received from firmware. Since the index of the first channel
is 0 the condition leads to an off by one bug. This is causing us to hit
the WARN_ON_ONCE(1) calls in the brcmu_d11n_decchspec function, which is
how I discovered the bug.

Introduced by:
commit b48d8916
("brcmfmac: rework wiphy structure setup")
Acked-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Emil Goode <emilgoode@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent 2ba7d144
...@@ -4921,7 +4921,7 @@ static void brcmf_count_20mhz_channels(struct brcmf_cfg80211_info *cfg, ...@@ -4921,7 +4921,7 @@ static void brcmf_count_20mhz_channels(struct brcmf_cfg80211_info *cfg,
struct brcmu_chan ch; struct brcmu_chan ch;
int i; int i;
for (i = 0; i <= total; i++) { for (i = 0; i < total; i++) {
ch.chspec = (u16)le32_to_cpu(chlist->element[i]); ch.chspec = (u16)le32_to_cpu(chlist->element[i]);
cfg->d11inf.decchspec(&ch); cfg->d11inf.decchspec(&ch);
......
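Review bot: In the loop header, `total` is the only bound on the reads of `chlist->element[i]`, and nothing in the lines shown here checks it against the size of the buffer that holds the channel list received from firmware. Changing `<=` to `<` stops the read of `element[total]`, one entry past the end of the list, but if `total` is taken from the firmware response unchecked, a count larger than the buffer can hold would still index past it. If that is not already done above this hunk, clamp `total` to the buffer's capacity before the loop. A smaller point on the same lines: `(u16)le32_to_cpu(...)` silently drops the upper 16 bits of each element, so a short comment saying the chanspec occupies only the low half would help the next reader.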