[PATCH] wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()

[PATCH] wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()

[Dan Carpenter]

The "i" iterator variable is used to count two different things but
unfortunately we can't store two different numbers in the same variable.
Use "i" for the outside loop and "j" for the inside loop.

Cc: stable@vger.kernel.org
Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
This was found via static analysis so I'm not positive on the impact
of this bug.

 drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
index 90831a1350f5..91166b89f918 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
@@ -826,7 +826,7 @@ void mwifiex_update_rxreor_flags(struct mwifiex_adapter *adapter, u8 flags)
 static void mwifiex_update_ampdu_rxwinsize(struct mwifiex_adapter *adapter,
 					   bool coex_flag)
 {
-	u8 i;
+	u8 i, j;
 	u32 rx_win_size;
 	struct mwifiex_private *priv;
 
@@ -864,8 +864,8 @@ static void mwifiex_update_ampdu_rxwinsize(struct mwifiex_adapter *adapter,
 		if (rx_win_size != priv->add_ba_param.rx_win_size) {
 			if (!priv->media_connected)
 				continue;
-			for (i = 0; i < MAX_NUM_TID; i++)
-				mwifiex_11n_delba(priv, i);
+			for (j = 0; j < MAX_NUM_TID; j++)
+				mwifiex_11n_delba(priv, j);
 		}
 	}
 }
-- 
2.51.0

Re: [PATCH] wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()

[Johannes Berg]

On Thu, 2026-01-08 at 23:00 +0300, Dan Carpenter wrote:
> The "i" iterator variable is used to count two different things but

nice catch

> unfortunately we can't store two different numbers in the same variable.

:-)

> This was found via static analysis so I'm not positive on the impact
> of this bug.

I think it basically means anything other than the first interface
(using adapter->priv[i] with i>0) will not be updated correctly for A-
MPDU buffer usage (?) if you use more than two interfaces. Given that
most people probably only use a single interface, I suppose the impact
would be rather low.

johannes

Re: [PATCH] wifi: mwifiex: Fix a loop in mwifiex_update_ampdu_rxwinsize()

[Jeff Chen]

On Thu, Jan 08, 2026 at 09:58:46 PM +0100, Johannes Berg wrote:
> On Thu, 2026-01-08 at 23:00 +0300, Dan Carpenter wrote:
> > The "i" iterator variable is used to count two different things but
> 
> nice catch
> 
> > unfortunately we can't store two different numbers in the same variable.
> 
> :-)
> 
> > This was found via static analysis so I'm not positive on the impact
> > of this bug.
> 
> I think it basically means anything other than the first interface
> (using adapter->priv[i] with i>0) will not be updated correctly for A-
> MPDU buffer usage (?) if you use more than two interfaces. Given that
> most people probably only use a single interface, I suppose the impact
> would be rather low.
> 
> johannes
> 

Johannes is right — with AP and STA both active, whichever interface first meets
media_connected (AP or STA) will trigger the inner loop to overwrite the outer
interface index, so only that first interface gets the per‑TID delba while the
other is skipped.
For reference: mwifiex_update_ampdu_txwinsize() already uses separate iterators
, so aligning the RX-side loop to the same pattern makes sense.

Dan’s change to use a distinct inner iterator (j) here is correct.
Please apply.

Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com>