From: Ben Greear <greearb@xxxxxxxxxxxxxxx>
According to the tx-free-done documentation, the DW4 can be repeated,
so have to be more careful about how we test for walking off the
end of the array.
Signed-off-by: Ben Greear <greearb@xxxxxxxxxxxxxxx>
---
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index 4e70f5d050ea..bbaa77af387c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -1116,14 +1116,16 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
total = le16_get_bits(free->ctrl, MT_TX_FREE_MSDU_CNT);
/* NOTE: 'v3' actually is checking for API version 4 */
v3 = (FIELD_GET(MT_TX_FREE_VER, txd) == 0x4);
- if (WARN_ON_ONCE((void *)&tx_info[total >> v3] > end))
- return;
for (cur_info = tx_info; count < total; cur_info++) {
- u32 msdu, info = le32_to_cpu(*cur_info);
+ u32 msdu, info;
u8 i;
u32 tx_cnt, tx_status, ampdu;
+ if (WARN_ON_ONCE((void*)cur_info > end))
+ return;
+
+ info = le32_to_cpu(*cur_info);
/*
* 1'b1: new wcid pair.
* 1'b0: msdu_id with the same 'wcid pair' as above.
--
2.20.1
