On Sun, 5 May 2019 at 23:33, Colin King <colin.king@xxxxxxxxxxxxx> wrote:
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> The check for the u32 variable idx being less than zero is
> always false and is redundant. Remove it.
>
> Addresses-Coverity: ("Unsigned compared against 0")
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
> index 9d1f9ff25bfa..e874dddc7b7f 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
> @@ -375,7 +375,7 @@ brcmf_msgbuf_get_pktid(struct device *dev, struct brcmf_msgbuf_pktids *pktids,
> struct brcmf_msgbuf_pktid *pktid;
> struct sk_buff *skb;
>
> - if (idx < 0 || idx >= pktids->array_size) {
> + if (idx >= pktids->array_size) {
> brcmf_err("Invalid packet id %d (max %d)\n", idx,
> pktids->array_size);
> return NULL;
It was added in the commit 2d91c8ad068a ("brcmfmac: set txflow request
id from 1 to pktids array size") and was probably meant to handle a
following brcmf_msgbuf_process_txstatus() case:
idx = le32_to_cpu(tx_status->msg.request_id) - 1;
So this patch is wrong/incomplete.
You should change that to a signed value OR add an extra check in
brcmf_msgbuf_process_txstatus() to make sure it doesn't pass -1 as u32
argument.
--
Rafał
