From: Mikhail Limarenko freq_to_idx() currently returns a trailing synthetic index when the requested channel frequency is not found. chan-info handlers already bound-check survey index, but an explicit error on no-match keeps semantics clear and avoids propagating a fake index value. Keep matched-frequency index progression unchanged, return -ENOENT on no match, and make callers reject negative indexes. Tested-on: QCNFA765 (WCN785x), kernel 6.18.5+deb13-amd64 Signed-off-by: Mikhail Limarenko --- v2: - drop out-of-bounds claim from commit message - keep original index progression for matched frequencies - return explicit -ENOENT on no-match and reject negative idx in callers drivers/net/wireless/ath/ath12k/wmi.c | 9 +++------ 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c index e647b84..a2f8a7c 100644 --- a/drivers/net/wireless/ath/ath12k/wmi.c +++ b/drivers/net/wireless/ath/ath12k/wmi.c @@ -6528,12 +6528,11 @@ static int freq_to_idx(struct ath12k *ar, int freq) continue; if (sband->channels[ch].center_freq == freq) - goto exit; + return idx; } } -exit: - return idx; + return -ENOENT; } static int ath12k_pull_chan_info_ev(struct ath12k_base *ab, struct sk_buff *skb, @@ -7475,7 +7474,7 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb) } idx = freq_to_idx(ar, le32_to_cpu(ch_info_ev.freq)); - if (idx >= ARRAY_SIZE(ar->survey)) { + if (idx < 0 || idx >= ARRAY_SIZE(ar->survey)) { ath12k_warn(ab, "chan info: invalid frequency %d (idx %d out of bounds)\n", ch_info_ev.freq, idx); goto exit; @@ -7550,7 +7549,7 @@ ath12k_pdev_bss_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb) spin_lock_bh(&ar->data_lock); idx = freq_to_idx(ar, le32_to_cpu(bss_ch_info_ev.freq)); - if (idx >= ARRAY_SIZE(ar->survey)) { + if (idx < 0 || idx >= ARRAY_SIZE(ar->survey)) { ath12k_warn(ab, "bss chan info: invalid frequency %d (idx %d out of bounds)\n", bss_ch_info_ev.freq, idx); goto exit; -- 2.47.3