[lvc-project] [PATCH] wifi: mt7601u: fix possible index-out-of-bound in mt76_init_sband_2g()

Tue Apr 22 14:07:26 MSK 2025

In 'mt76_init_sband_2g', add return with '-EINVAL' in case of register
channel start bound exceeds size of 'mt76_channels_2ghz' array.
Compile tested only.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Kandybka <d.kandybka at gmail.com>
---
 drivers/net/wireless/mediatek/mt7601u/init.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt7601u/init.c b/drivers/net/wireless/mediatek/mt7601u/init.c
index 5d9e952b2966..d2e0f2af4f79 100644
--- a/drivers/net/wireless/mediatek/mt7601u/init.c
+++ b/drivers/net/wireless/mediatek/mt7601u/init.c
@@ -562,8 +562,9 @@ mt76_init_sband_2g(struct mt7601u_dev *dev)
 
 	dev->hw->wiphy->bands[NL80211_BAND_2GHZ] = dev->sband_2g;
 
-	WARN_ON(dev->ee->reg.start - 1 + dev->ee->reg.num >
-		ARRAY_SIZE(mt76_channels_2ghz));
+	if (WARN_ON(dev->ee->reg.start - 1 + dev->ee->reg.num >
+		ARRAY_SIZE(mt76_channels_2ghz)))
+		return -EINVAL;
 
 	return mt76_init_sband(dev, dev->sband_2g,
 			       &mt76_channels_2ghz[dev->ee->reg.start - 1],
-- 
2.43.5


