From: Dan Carpenter Date: Tue, 26 Nov 2019 04:49:56 +0000 (+0300) Subject: mt76: Off by one in mt76_calc_rx_airtime() X-Git-Tag: Ubuntu-5.13.0-19.19~6877^2~19^2~4 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=b43e36d75e8727f78892652a25967a1ffa03d1d1;p=mirror_ubuntu-jammy-kernel.git mt76: Off by one in mt76_calc_rx_airtime() The sband->bitrates[] array has "sband->n_bitrates" elements so this check needs to be >= instead of > or we could read beyond the end of the array. These values come from when we call mt76_register_device(): ret = mt76_register_device(&dev->mt76, true, mt7603_rates, ARRAY_SIZE(mt7603_rates)); Here sband->bitrates[] is mt7603_rates[] and ->n_bitrates is the ARRAY_SIZE() Fixes: 5ce09c1a7907 ("mt76: track rx airtime for airtime fairness and survey") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo --- diff --git a/drivers/net/wireless/mediatek/mt76/airtime.c b/drivers/net/wireless/mediatek/mt76/airtime.c index 55116f395f9a..a4a785467748 100644 --- a/drivers/net/wireless/mediatek/mt76/airtime.c +++ b/drivers/net/wireless/mediatek/mt76/airtime.c @@ -242,7 +242,7 @@ u32 mt76_calc_rx_airtime(struct mt76_dev *dev, struct mt76_rx_status *status, return 0; sband = dev->hw->wiphy->bands[status->band]; - if (!sband || status->rate_idx > sband->n_bitrates) + if (!sband || status->rate_idx >= sband->n_bitrates) return 0; rate = &sband->bitrates[status->rate_idx];
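Review bot: The corrected condition `status->rate_idx >= sband->n_bitrates` in mt76_calc_rx_airtime() guards only the upper bound, and the type of `status->rate_idx` is not visible in this hunk. If that field is signed, a negative value would still pass the check and be used in `rate = &sband->bitrates[status->rate_idx];`, so confirm it is unsigned or add an explicit lower-bound test. Separately, the early `return 0` makes an out-of-range rate index in the RX status indistinguishable from a frame that legitimately accounts for zero airtime. A one-line comment at the check stating that `n_bitrates` is the element count of `bitrates[]` (as the commit message explains with ARRAY_SIZE()) would help keep the comparison from regressing to `>`.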