mt76: mt7915: fix potential overflow of eeprom page index

[ Upstream commit 82a980f82a511ce74ab57eb9f692d02225eb32f4 ]

If total eeprom size is divisible by per-page size, the i in for loop
will exceed max page index, which happens in our newer chipset.

Fixes: 26f18380e6ca ("mt76: mt7915: add support for flash mode")
Signed-off-by: Bo Jiao <bo.jiao@mediatek.com>
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index c08c7398f9b855b045c357cddce0e01a08088e13..e7e396f58c92c3e45c635d795d830e1fe90798e8 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -3391,20 +3391,20 @@ int mt7915_mcu_set_chan_info(struct mt7915_phy *phy, int cmd)
 
 static int mt7915_mcu_set_eeprom_flash(struct mt7915_dev *dev)
 {
-#define TOTAL_PAGE_MASK                GENMASK(7, 5)
+#define MAX_PAGE_IDX_MASK      GENMASK(7, 5)
 #define PAGE_IDX_MASK          GENMASK(4, 2)
 #define PER_PAGE_SIZE          0x400
        struct mt7915_mcu_eeprom req = { .buffer_mode = EE_MODE_BUFFER };
-       u8 total = MT7915_EEPROM_SIZE / PER_PAGE_SIZE;
+       u8 total = DIV_ROUND_UP(MT7915_EEPROM_SIZE, PER_PAGE_SIZE);
        u8 *eep = (u8 *)dev->mt76.eeprom.data;
        int eep_len;
        int i;
 
-       for (i = 0; i <= total; i++, eep += eep_len) {
+       for (i = 0; i < total; i++, eep += eep_len) {
                struct sk_buff *skb;
                int ret;
 
-               if (i == total)
+               if (i == total - 1 && !!(MT7915_EEPROM_SIZE % PER_PAGE_SIZE))
                        eep_len = MT7915_EEPROM_SIZE % PER_PAGE_SIZE;
                else
                        eep_len = PER_PAGE_SIZE;
@@ -3414,7 +3414,7 @@ static int mt7915_mcu_set_eeprom_flash(struct mt7915_dev *dev)
                if (!skb)
                        return -ENOMEM;
 
-               req.format = FIELD_PREP(TOTAL_PAGE_MASK, total) |
+               req.format = FIELD_PREP(MAX_PAGE_IDX_MASK, total - 1) |
                             FIELD_PREP(PAGE_IDX_MASK, i) | EE_FORMAT_WHOLE;
                req.len = cpu_to_le16(eep_len);