[lvc-project] [PATCH 2/2] wifi: brcmsmac: two thoughts around low-level phy operations

Dmitry Antipov dmantipov at yandex.ru
Tue Mar 26 13:16:22 MSK 2024


It's hardly possible to say whether these two are really correct
and/or important without testing on real hardware, but I assume
that it may be interesting for the maintainer to look through at
least.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Antipov <dmantipov at yandex.ru>
---
 .../wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
index d69879e1bd87..2bcc8aa58cfe 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
@@ -16477,8 +16477,12 @@ static void wlc_phy_workarounds_nphy_rev7(struct brcms_phy *pi)
 	pdetrange = (CHSPEC_IS5G(pi->radio_chanspec)) ?
 		    pi->srom_fem5g.pdetrange : pi->srom_fem2g.pdetrange;
 
+	/* FIXME: shouldn't this be called before
+	 * applying the rest of the workarounds?
+	 */
+	chan_freq_range = wlc_phy_get_chan_freq_range_nphy(pi, 0);
+
 	if (pdetrange == 0) {
-		chan_freq_range = wlc_phy_get_chan_freq_range_nphy(pi, 0);
 		if (chan_freq_range != WL_CHAN_FREQ_RANGE_2G) {
 			aux_adc_vmid_rev7_core0[3] = 0x70;
 			aux_adc_vmid_rev7_core1[3] = 0x70;
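
Review bot: The FIXME added above "if (pdetrange == 0)" asks a question
instead of stating a reason, and neither it nor the commit message names
the read of chan_freq_range that the unconditional call is meant to
protect. The context lines shown here use chan_freq_range only inside the
pdetrange == 0 branch, so as posted a reader cannot tell whether hoisting
the call changes behaviour. If SVACE reported a use outside that branch,
name it in the commit message, drop the FIXME from the source, and note
that wlc_phy_get_chan_freq_range_nphy(pi, 0) now runs for every pdetrange
value.
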
@@ -23423,6 +23427,12 @@ wlc_phy_iqcal_gainparams_nphy(struct brcms_phy *pi, u16 core_no,
 				break;
 		}
 
+		/* FIXME: there might (?) be an out-of-bounds
+		 * array access if k == NPHY_IQCAL_NUMGAINS
+		 */
+		if (WARN_ON(k == NPHY_IQCAL_NUMGAINS))
+			return;
+
 		params->txgm = tbl_iqcal_gainparams_nphy[band_idx][k][1];
 		params->pga = tbl_iqcal_gainparams_nphy[band_idx][k][2];
 		params->pad = tbl_iqcal_gainparams_nphy[band_idx][k][3];
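
Review bot: The early "return;" under WARN_ON(k == NPHY_IQCAL_NUMGAINS)
leaves params->txgm, params->pga and params->pad unwritten and gives the
caller no way to notice, so the out-of-bounds read is traded for use of
whatever params held before the call. Either fall back to a defined table
entry or set the fields to known values before returning, and replace the
"might (?)" FIXME with a comment stating the actual condition (no entry
matched before the break above). If this path can be hit repeatedly,
WARN_ON_ONCE would keep the log readable.
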
-- 
2.44.0



