[PATCH v2 1/2] wifi: b43: fix infinite loop from invalid hardware DMA RX slot
Jonas Gorski
jonas.gorski at gmail.com
Wed Apr 15 23:34:00 PDT 2026
Hi,
On Thu, Apr 16, 2026 at 12:24 AM Tristan Madani <tristmd at gmail.com> wrote:
>
> From: Tristan Madani <tristan at talencesecurity.com>
>
> b43_dma_rx() reads current_slot from hardware via get_current_rxslot().
> If the value is >= ring->nr_slots, the B43_WARN_ON only warns but
> continues. The for loop then never terminates because next_slot() wraps
> modulo nr_slots and can never reach the out-of-range current_slot.
>
> Replace the B43_WARN_ON with an explicit bounds check that returns
> early when the hardware reports an invalid slot index.
>
> Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
> Signed-off-by: Tristan Madani <tristan at talencesecurity.com>
> ---
> drivers/net/wireless/broadcom/b43/dma.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/broadcom/b43/dma.c b/drivers/net/wireless/broadcom/b43/dma.c
> index XXXXXXX..XXXXXXX 100644
> --- a/drivers/net/wireless/broadcom/b43/dma.c
> +++ b/drivers/net/wireless/broadcom/b43/dma.c
> @@ -1693,7 +1693,10 @@ void b43_dma_rx(struct b43_dmaring *ring)
> B43_WARN_ON(ring->tx);
> current_slot = ops->get_current_rxslot(ring);
> - B43_WARN_ON(!(current_slot >= 0 && current_slot < ring->nr_slots));
> + if (!(current_slot >= 0 && current_slot < ring->nr_slots)) {
> + B43_WARN_ON(1);
> + return;
> + }
B43_WARN_ON() returns the condition's result, so you can shorten this to
if (B43_WARN_ON(!(current_slot >= 0 && current_slot < ring->nr_slots)))
return;
Best regards,
Jonas
More information about the b43-dev
mailing list