[PATCH v3] iwlwifi: compare with actual number of IRQs requested for, not number of CPUs

[Hao Wei Tee <angelsl@xxxxxxx>]

When there are 16 or more logical CPUs, we request for `IWL_MAX_RX_HW_QUEUES` (16)
IRQs only as we limit to that number of IRQs, but later on we compare the
number of IRQs returned to nr_online_cpus+2 instead of max_irqs, the latter
being what we actually asked for. This ends up setting num_rx_queues to 17
which causes lots of out-of-bounds array accesses later on.

Compare to max_irqs instead, and also add an assertion in case num_rx_queues
> IWM_MAX_RX_HW_QUEUES.

Signed-off-by: Hao Wei Tee <angelsl@xxxxxxx>
---
I think this is a better fix than what I sent previously.

But you guys are probably looking into it now, so please disregard my
probably-incorrect fix.

Thanks.

 drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
index 6e9a9ecfb11c..aa469046f86c 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
@@ -1633,16 +1633,17 @@ static void iwl_pcie_set_interrupt_capa(struct pci_dev *pdev,
 	 * Two interrupts less: non rx causes shared with FBQ and RSS.
 	 * More than two interrupts: we will use fewer RSS queues.
 	 */
-	if (num_irqs <= nr_online_cpus) {
+	if (num_irqs <= max_irqs - 2) {
 		trans_pcie->trans->num_rx_queues = num_irqs + 1;
 		trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX |
 			IWL_SHARED_IRQ_FIRST_RSS;
-	} else if (num_irqs == nr_online_cpus + 1) {
+	} else if (num_irqs == max_irqs - 1) {
 		trans_pcie->trans->num_rx_queues = num_irqs;
 		trans_pcie->shared_vec_mask = IWL_SHARED_IRQ_NON_RX;
 	} else {
 		trans_pcie->trans->num_rx_queues = num_irqs - 1;
 	}
+	WARN_ON(trans_pcie->trans->num_rx_queues > IWL_MAX_RX_HW_QUEUES);
 
 	trans_pcie->alloc_vecs = num_irqs;
 	trans_pcie->msix_enabled = true;
-- 
2.17.0