mt76: add size check for additional rx fragments

So far the code only validates the buffer size of the first skb.
Extend this check to cover additional fragments as well, in case the size
is corrupted during a DMA reset.

Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
index e2ba26378575d93c473f766d8ec37a4a74ec6110..710a77fccf63daef4485c13d4cbb6d0c5d53c7e2 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/dma.c
@@ -430,6 +430,14 @@ mt76_dma_rx_process(struct mt76_dev *dev, struct mt76_queue *q, int budget)
                if (!data)
                        break;
 
+               if (q->buf_size < len + q->buf_offset) {
+                       dev_kfree_skb(q->rx_head);
+                       q->rx_head = NULL;
+
+                       skb_free_frag(data);
+                       continue;
+               }
+
                if (q->rx_head) {
                        mt76_add_fragment(dev, q, data, len, more);
                        continue;