From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754991AbaIWJdN (ORCPT ); Tue, 23 Sep 2014 05:33:13 -0400 Received: from mail-gw3-out.broadcom.com ([216.31.210.64]:23321 "EHLO mail-gw3-out.broadcom.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754298AbaIWJdK (ORCPT ); Tue, 23 Sep 2014 05:33:10 -0400 X-IronPort-AV: E=Sophos;i="5.04,578,1406617200"; d="scan'208";a="46343685" Message-ID: <54213E50.4020207@broadcom.com> Date: Tue, 23 Sep 2014 11:33:04 +0200 From: Arend van Spriel User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.2.24) Gecko/20111103 Lightning/1.0b2 Thunderbird/3.1.16 MIME-Version: 1.0 To: Emil Goode CC: Brett Rudley , "Franky (Zhenhui) Lin" , Hante Meuleman , "John W. Linville" , Pieter-Paul Giesberts , Daniel Kim , , , , , Subject: Re: [PATCH] brcmfmac: Fix off by one bug in brcmf_count_20mhz_channels() References: <1411253932-27973-1-git-send-email-emilgoode@gmail.com> <541FF25B.9000404@broadcom.com> <20140922230833.GB10356@lianli> In-Reply-To: <20140922230833.GB10356@lianli> Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 09/23/14 01:08, Emil Goode wrote: > Hello Arend, > > Sorry for the late reply. I have attached a kernel log with brcmfmac > debugging enabled (without my patch applied). > > Let me know if I can provide any other useful information. No problem, Emil I was wondering what was returned on "chanspecs" query. So 17 channel configs which is expected. Regards, Arend > Best regards, > > Emil > > On Mon, Sep 22, 2014 at 11:56:43AM +0200, Arend van Spriel wrote: >> On 09/21/14 00:58, Emil Goode wrote: >>> In the brcmf_count_20mhz_channels function we are looping through a list >>> of channels received from firmware. Since the index of the first channel >>> is 0 the condition leads to an off by one bug. This is causing us to hit >>> the WARN_ON_ONCE(1) calls in the brcmu_d11n_decchspec function, which is >>> how I discovered the bug. >> >> The fix is fine. Would like to know what exactly is going wrong. Can you >> provide a kernel log with brcmfmac debugging enabled, ie. insmod brcmfmac.ko >> debug=0x1416 >> >> Regards, >> Arend >> >>> Introduced by: >>> commit b48d891676f756d48b4d0ee131e4a7a5d43ca417 >>> ("brcmfmac: rework wiphy structure setup") >>> >>> Signed-off-by: Emil Goode >>> --- >>> drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c >>> index 02fe706..93b5dd9 100644 >>> --- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c >>> +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c >>> @@ -4918,7 +4918,7 @@ static void brcmf_count_20mhz_channels(struct brcmf_cfg80211_info *cfg, >>> struct brcmu_chan ch; >>> int i; >>> >>> - for (i = 0; i<= total; i++) { >>> + for (i = 0; i< total; i++) { >>> ch.chspec = (u16)le32_to_cpu(chlist->element[i]); >>> cfg->d11inf.decchspec(&ch); >>> >>