Since adding __counted_by(n_channels) to struct cfg80211_scan_request, anything adding to the channels array must increment n_channels first. Move n_channels increment earlier. Reported-by: John Rowley <lkml@xxxxxxxxxxxxx> Closes: https://lore.kernel.org/stable/1815535c709ba9d9.156c6a5c9cdf6e59.b249b6b6a5ee4634@localhost.localdomain/ Fixes: aa4ec06c455d ("wifi: cfg80211: use __counted_by where appropriate") Signed-off-by: Kees Cook <kees@xxxxxxxxxx> --- Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx> Cc: Dmitry Antipov <dmantipov@xxxxxxxxx> Cc: Nathan Chancellor <nathan@xxxxxxxxxx> Cc: linux-wireless@xxxxxxxxxxxxxxx --- net/wireless/scan.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 1c6fd45aa809..ccdbeb604639 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -763,12 +763,11 @@ static void cfg80211_scan_req_add_chan(struct cfg80211_scan_request *request, } } + request->n_channels++; request->channels[n_channels] = chan; if (add_to_6ghz) request->scan_6ghz_params[request->n_6ghz_params].channel_idx = n_channels; - - request->n_channels++; } static bool cfg80211_find_ssid_match(struct cfg80211_colocated_ap *ap, -- 2.34.1
