On Wednesday, November 1, 2017 9:37:53 PM CET Sebastian Gottschall wrote:
> an additional array bounds check would be good

Ah, about that:

The bw variable in ath10k_htt_rx_h_rates() is extracted from info2 in the following way [0]:
| bw = info2 & 3;

The txrate.bw variable in ath10k_update_per_peer_tx_stats() is set by [1]:
| txrate.bw = ATH10K_HW_BW(peer_stats->flags);

ATH10K_HW_BW is a macro defined as [2]:
| #define ATH10K_HW_BW(flags) (((flags) >> 3) & 0x3)

In both cases the bandwidth values already are limited to 0-3 by the "and 3" operation.

[0] <https://elixir.free-electrons.com/linux/v4.14-rc7/source/drivers/net/wireless/ath/ath10k/htt_rx.c#L646>
[1] <https://elixir.free-electrons.com/linux/v4.14-rc7/source/drivers/net/wireless/ath/ath10k/htt_rx.c#L2254>
[2] <https://elixir.free-electrons.com/linux/v4.14-rc7/source/drivers/net/wireless/ath/ath10k/wmi.h#L4810>

> > @@ -592,6 +592,9 @@ struct amsdu_subframe_hdr { > > > > #define GROUP_ID_IS_SU_MIMO(x) ((x) == 0 || (x) == 63) > > > > +static const u8 ath10k_bw_to_mac80211[] = { RATE_INFO_BW_20, RATE_INFO_BW_40, > > + RATE_INFO_BW_80, RATE_INFO_BW_160 }; > > + > > static void ath10k_htt_rx_h_rates(struct ath10k *ar, > > struct ieee80211_rx_status *status, > > struct htt_rx_desc *rxd) > > @@ -694,23 +697,7 @@ static void ath10k_htt_rx_h_rates(struct ath10k *ar, > > if (sgi) > > status->enc_flags |= RX_ENC_FLAG_SHORT_GI; > > > > [...] > > + status->bw = ath10k_bw_to_mac80211[bw]; > > status->encoding = RX_ENC_VHT; > > break; > > default: > > @@ -2297,7 +2284,7 @@ ath10k_update_per_peer_tx_stats(struct ath10k *ar, > > arsta->txrate.flags |= RATE_INFO_FLAGS_SHORT_GI; > > > > arsta->txrate.nss = txrate.nss; > > - arsta->txrate.bw = txrate.bw + RATE_INFO_BW_20; > > + arsta->txrate.bw = ath10k_bw_to_mac80211[txrate.bw]; > > } > > > > static void ath10k_htt_fetch_peer_stats(struct ath10k *ar,
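
Review bot: the two new lookups, `status->bw = ath10k_bw_to_mac80211[bw];` in ath10k_htt_rx_h_rates() and `arsta->txrate.bw = ath10k_bw_to_mac80211[txrate.bw];` in ath10k_update_per_peer_tx_stats(), index a four-entry table with values whose range is not visible at the point of use. The reply shows that both indices are masked to 0-3 (`info2 & 3` and ATH10K_HW_BW()), so the accesses are in bounds as the code stands, but nothing in the patch ties the table size to those masks. If either extraction is later widened, the lookup becomes an out-of-bounds read driven by info2 or peer_stats->flags. Consider a one-line comment at the ath10k_bw_to_mac80211 definition stating that the index is a 2-bit field, or a compile-time check that ARRAY_SIZE(ath10k_bw_to_mac80211) is 4, so the invariant is enforced rather than implied.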