wifi: cfg80211: Fix bitrate calculation overflow for HE rates

An integer overflow occurs in cfg80211_calculate_bitrate_he() when
calculating bitrates for high throughput HE configurations.
For example, with 160 MHz bandwidth, HE-MCS 13, HE-NSS 4, and HE-GI 0,
the multiplication (result * rate->nss) overflows the 32-bit 'result'
variable before division by 8, leading to significantly underestimated
bitrate values.

The overflow occurs because the NSS multiplication operates on a 32-bit
integer that cannot accommodate intermediate values exceeding
4,294,967,295. When overflow happens, the value wraps around, producing
incorrect bitrates for high MCS and NSS combinations.

Fix this by utilizing the 64-bit 'tmp' variable for the NSS
multiplication and subsequent divisions via do_div(). This approach
preserves full precision throughout the entire calculation, with the
final value assigned to 'result' only after completing all operations.

Signed-off-by: Veerendranath Jakkam <veerendranath.jakkam@oss.qualcomm.com>
Link: https://patch.msgid.link/20260109-he_bitrate_overflow-v1-1-95575e466b6e@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 27e8a2f52f042eb27ef7e09770d71577d28a379c..4f581aed45b768bad1bf2696add1f0341fe1b993 100644 (file)
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1561,12 +1561,14 @@ static u32 cfg80211_calculate_bitrate_he(struct rate_info *rate)
        tmp = result;
        tmp *= SCALE;
        do_div(tmp, mcs_divisors[rate->mcs]);
-       result = tmp;
 
        /* and take NSS, DCM into account */
-       result = (result * rate->nss) / 8;
+       tmp *= rate->nss;
+       do_div(tmp, 8);
        if (rate->he_dcm)
-               result /= 2;
+               do_div(tmp, 2);
+
+       result = tmp;
 
        return result / 10000;
 }