wifi: ath12k: Correct tid cleanup when tid setup fails

Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(),
the tid value is already incremented, even though the corresponding
TID is not actually allocated. Proceed to
ath12k_dp_rx_peer_tid_delete() starting from unallocated tid,
which might leads to freeing unallocated TID and cause potential
crash or out-of-bounds access.

Hence, fix by correctly decrementing tid before cleanup to match only
the successfully allocated TIDs.

Also, remove tid-- from failure case of ath12k_dp_rx_peer_frag_setup(),
as decrementing the tid before cleanup in loop will take care of this.

Compile tested only.

Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250721061749.886732-1-quic_sarishar@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>

diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/ath/ath12k/dp.c
index d6435dad61a11175fc6cd55004b9a479e2e6621c..f893fce6d9bd736d5fe1cb4e5a818f0f196e4a4a 100644 (file)
--- a/drivers/net/wireless/ath/ath12k/dp.c
+++ b/drivers/net/wireless/ath/ath12k/dp.c
@@ -84,7 +84,6 @@ int ath12k_dp_peer_setup(struct ath12k *ar, int vdev_id, const u8 *addr)
        ret = ath12k_dp_rx_peer_frag_setup(ar, addr, vdev_id);
        if (ret) {
                ath12k_warn(ab, "failed to setup rx defrag context\n");
-               tid--;
                goto peer_clean;
        }
 
@@ -102,7 +101,7 @@ peer_clean:
                return -ENOENT;
        }
 
-       for (; tid >= 0; tid--)
+       for (tid--; tid >= 0; tid--)
                ath12k_dp_rx_peer_tid_delete(ar, peer, tid);
 
        spin_unlock_bh(&ab->base_lock);