wifi: mt76: mt7915: fix bounds checking for tx-free-done command

According to the tx-free-done documentation, the DW4 can be repeated,
so have to be more careful about how we test for walking off the
end of the array.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index a4bcc617c1a34c497092f010f8896b7ca40556dd..89a3810ee53f5e96229773f4e1a424124594ab08 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -905,17 +905,19 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
 
        total = le16_get_bits(free->ctrl, MT_TX_FREE_MSDU_CNT);
        v3 = (FIELD_GET(MT_TX_FREE_VER, txd) == 0x4);
-       if (WARN_ON_ONCE((void *)&tx_info[total >> v3] > end))
-               return;
 
        for (cur_info = tx_info; count < total; cur_info++) {
-               u32 msdu, info = le32_to_cpu(*cur_info);
+               u32 msdu, info;
                u8 i;
 
+               if (WARN_ON_ONCE((void *)cur_info >= end))
+                       return;
+
                /*
                 * 1'b1: new wcid pair.
                 * 1'b0: msdu_id with the same 'wcid pair' as above.
                 */
+               info = le32_to_cpu(*cur_info);
                if (info & MT_TX_FREE_PAIR) {
                        struct mt7915_sta *msta;
                        struct mt76_wcid *wcid;