If "axq_qnum >= ARRAY_SIZE(sc->tx.txq)", then the call to ath9k_hw_releasetxqueue() would read beyond the end of the ah->txq[] array and possibly corrupt memory. Fortunately, ath9k_hw_setuptxqueue() doesn't return high values of "axq_qnum" and this code can be removed. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index fa3dcfd..fa1c85d 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -1255,7 +1255,6 @@ static void ath_txq_drain_pending_buffers(struct ath_softc *sc, struct ath_txq *ath_txq_setup(struct ath_softc *sc, int qtype, int subtype) { struct ath_hw *ah = sc->sc_ah; - struct ath_common *common = ath9k_hw_common(ah); struct ath9k_tx_queue_info qi; static const int subtype_txq_to_hwq[] = { [WME_AC_BE] = ATH_TXQ_AC_BE, @@ -1305,12 +1304,6 @@ struct ath_txq *ath_txq_setup(struct ath_softc *sc, int qtype, int subtype) */ return NULL; } - if (axq_qnum >= ARRAY_SIZE(sc->tx.txq)) { - ath_err(common, "qnum %u out of range, max %zu!\n", - axq_qnum, ARRAY_SIZE(sc->tx.txq)); - ath9k_hw_releasetxqueue(ah, axq_qnum); - return NULL; - } if (!ATH_TXQ_SETUP(sc, axq_qnum)) { struct ath_txq *txq = &sc->tx.txq[axq_qnum]; -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html