[PATCH v2 1/2] wifi: b43: fix infinite loop from invalid hardware DMA RX slot

Wed Apr 15 15:24:24 PDT 2026

From: Tristan Madani <tristan at talencesecurity.com>

b43_dma_rx() reads current_slot from hardware via get_current_rxslot().
If the value is >= ring->nr_slots, the B43_WARN_ON only warns but
continues. The for loop then never terminates because next_slot() wraps
modulo nr_slots and can never reach the out-of-range current_slot.

Replace the B43_WARN_ON with an explicit bounds check that returns
early when the hardware reports an invalid slot index.

Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
Signed-off-by: Tristan Madani <tristan at talencesecurity.com>
---
drivers/net/wireless/broadcom/b43/dma.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/broadcom/b43/dma.c
+++ b/drivers/net/wireless/broadcom/b43/dma.c
@@ -1693,7 +1693,10 @@ void b43_dma_rx(struct b43_dmaring *ring)
 	B43_WARN_ON(ring->tx);
 	current_slot = ops->get_current_rxslot(ring);
-	B43_WARN_ON(!(current_slot >= 0 && current_slot < ring->nr_slots));
+	if (!(current_slot >= 0 && current_slot < ring->nr_slots)) {
+		B43_WARN_ON(1);
+		return;
+	}

 	slot = ring->current_slot;
 	for (; slot != current_slot; slot = next_slot(ring, slot)) {
--
2.43.0


