From: Emil Goode Date: Mon, 22 Sep 2014 22:49:55 +0000 (+0200) Subject: brcmfmac: Fix off by one bug in brcmf_count_20mhz_channels() X-Git-Tag: firefly_0821_release~176^2~3178^2~1^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=f8adaf0ae978252c9f7e29e96aefcd8fcaf806ba;p=firefly-linux-kernel-4.4.55.git brcmfmac: Fix off by one bug in brcmf_count_20mhz_channels() In the brcmf_count_20mhz_channels function we are looping through a list of channels received from firmware. Since the index of the first channel is 0 the condition leads to an off by one bug. This is causing us to hit the WARN_ON_ONCE(1) calls in the brcmu_d11n_decchspec function, which is how I discovered the bug. Introduced by: commit b48d891676f756d48b4d0ee131e4a7a5d43ca417 ("brcmfmac: rework wiphy structure setup") Acked-by: Arend van Spriel Signed-off-by: Emil Goode Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c index f3a9804988a6..16a246bfc343 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c @@ -4921,7 +4921,7 @@ static void brcmf_count_20mhz_channels(struct brcmf_cfg80211_info *cfg, struct brcmu_chan ch; int i; - for (i = 0; i <= total; i++) { + for (i = 0; i < total; i++) { ch.chspec = (u16)le32_to_cpu(chlist->element[i]); cfg->d11inf.decchspec(&ch);