From: Felix Fietkau nbd@nbd.name
commit 850e8f6fbd5d0003b0f1119d19a01c6fef1644e2 upstream.
When beacon length is not a multiple of 4, the beacon could be sent with the last 1-3 bytes corrupted. The skb data is guaranteed to have enough room for reading beyond the end, because it is always followed by skb_shared_info, so rounding up is safe. All other callers of mt76_wr_copy have multiple-of-4 length already.
Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau nbd@nbd.name Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/net/wireless/mediatek/mt76/mmio.c | 2 +- drivers/net/wireless/mediatek/mt76/usb.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mmio.c +++ b/drivers/net/wireless/mediatek/mt76/mmio.c @@ -43,7 +43,7 @@ static u32 mt76_mmio_rmw(struct mt76_dev static void mt76_mmio_copy(struct mt76_dev *dev, u32 offset, const void *data, int len) { - __iowrite32_copy(dev->mmio.regs + offset, data, len >> 2); + __iowrite32_copy(dev->mmio.regs + offset, data, DIV_ROUND_UP(len, 4)); }
static int mt76_mmio_wr_rp(struct mt76_dev *dev, u32 base, --- a/drivers/net/wireless/mediatek/mt76/usb.c +++ b/drivers/net/wireless/mediatek/mt76/usb.c @@ -164,7 +164,7 @@ static void mt76u_copy(struct mt76_dev * int i, ret;
mutex_lock(&usb->usb_ctrl_mtx); - for (i = 0; i < (len / 4); i++) { + for (i = 0; i < DIV_ROUND_UP(len, 4); i++) { put_unaligned_le32(val[i], usb->data); ret = __mt76u_vendor_request(dev, MT_VEND_MULTI_WRITE, USB_DIR_OUT | USB_TYPE_VENDOR,