wilc1000: add valid vmm_entry check before fetching from TX queue

'vmm_table' array contains the size of data buffer length including host
header length. In 'vmm_table' array, the Zero value means the end of
vmm_entries that needs to transfer to firmware which is calculated based on
VMM free size in firmware.

Use 'vmm_table' valid entry check before fetching the entry from TX queue to
only copy valid number of entries to avoid possible NULL pointer exception
observed sometimes during large file transfers.

Signed-off-by: Ajay Singh <ajay.kathat@microchip.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220504161924.2146601-5-ajay.kathat@microchip.com

diff --git a/drivers/net/wireless/microchip/wilc1000/wlan.c b/drivers/net/wireless/microchip/wilc1000/wlan.c
index fb5633a..48441f0 100644 (file)
--- a/drivers/net/wireless/microchip/wilc1000/wlan.c
+++ b/drivers/net/wireless/microchip/wilc1000/wlan.c
@@ -875,14 +875,15 @@ int wilc_wlan_handle_txq(struct wilc *wilc, u32 *txq_count)
                char *bssid;
                u8 mgmt_ptk = 0;
 
+               if (vmm_table[i] == 0 || vmm_entries_ac[i] >= NQUEUES)
+                       break;
+
                tqe = wilc_wlan_txq_remove_from_head(wilc, vmm_entries_ac[i]);
-               ac_pkt_num_to_chip[vmm_entries_ac[i]]++;
                if (!tqe)
                        break;
 
+               ac_pkt_num_to_chip[vmm_entries_ac[i]]++;
                vif = tqe->vif;
-               if (vmm_table[i] == 0)
-                       break;
 
                le32_to_cpus(&vmm_table[i]);
                vmm_sz = FIELD_GET(WILC_VMM_BUFFER_SIZE, vmm_table[i]);