--- /dev/null
+From b897577af85bb5e5638efa780bc3716fae5212d3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Mon, 8 Apr 2019 09:45:56 +0200
+Subject: [PATCH] mwl8k: Fix rate_idx underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It was reported on OpenWrt bug tracking system[1], that several users
+are affected by the endless reboot of their routers if they configure
+5GHz interface with channel 44 or 48.
+
+The reboot loop is caused by the following excessive number of WARN_ON
+messages:
+
+ WARNING: CPU: 0 PID: 0 at backports-4.19.23-1/net/mac80211/rx.c:4516
+ ieee80211_rx_napi+0x1fc/0xa54 [mac80211]
+
+as the messages are being correctly emitted by the following guard:
+
+ case RX_ENC_LEGACY:
+ if (WARN_ON(status->rate_idx >= sband->n_bitrates))
+
+as the rate_idx is in this case erroneously set to 251 (0xfb). This fix
+simply converts previously used magic number to proper constant and
+guards against substraction which is leading to the currently observed
+underflow.
+
+1. https://bugs.openwrt.org/index.php?do=details&task_id=2218
+
+Fixes: 854783444bab ("mwl8k: properly set receive status rate index on 5 GHz receive")
+Cc: <stable@vger.kernel.org>
+Tested-by: Eubert Bao <bunnier@gmail.com>
+Reported-by: Eubert Bao <bunnier@gmail.com>
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ drivers/net/wireless/marvell/mwl8k.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
+index 8e4e9b6..ffc565a 100644
+--- a/drivers/net/wireless/marvell/mwl8k.c
++++ b/drivers/net/wireless/marvell/mwl8k.c
+@@ -441,6 +441,9 @@ struct mwl8k_sta {
+ #define MWL8K_CMD_UPDATE_STADB 0x1123
+ #define MWL8K_CMD_BASTREAM 0x1125
+
++#define MWL8K_LEGACY_5G_RATE_OFFSET \
++ (ARRAY_SIZE(mwl8k_rates_24) - ARRAY_SIZE(mwl8k_rates_50))
++
+ static const char *mwl8k_cmd_name(__le16 cmd, char *buf, int bufsize)
+ {
+ u16 command = le16_to_cpu(cmd);
+@@ -1016,8 +1019,9 @@ static void mwl8k_rxd_ap_refill(void *_rxd, dma_addr_t addr, int len)
+
+ if (rxd->channel > 14) {
+ status->band = NL80211_BAND_5GHZ;
+- if (!(status->encoding == RX_ENC_HT))
+- status->rate_idx -= 5;
++ if (!(status->encoding == RX_ENC_HT) &&
++ status->rate_idx >= MWL8K_LEGACY_5G_RATE_OFFSET)
++ status->rate_idx -= MWL8K_LEGACY_5G_RATE_OFFSET;
+ } else {
+ status->band = NL80211_BAND_2GHZ;
+ }
+@@ -1124,8 +1128,9 @@ static void mwl8k_rxd_sta_refill(void *_rxd, dma_addr_t addr, int len)
+
+ if (rxd->channel > 14) {
+ status->band = NL80211_BAND_5GHZ;
+- if (!(status->encoding == RX_ENC_HT))
+- status->rate_idx -= 5;
++ if (!(status->encoding == RX_ENC_HT) &&
++ status->rate_idx >= MWL8K_LEGACY_5G_RATE_OFFSET)
++ status->rate_idx -= MWL8K_LEGACY_5G_RATE_OFFSET;
+ } else {
+ status->band = NL80211_BAND_2GHZ;
+ }
+--
+1.9.1
+