wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan

commit c701574c54121af2720648572efbfe77564652d1 upstream.

Update the destination index to use 'n_ssids', which is incremented only
when a valid SSID is present. Previously, both mt76_connac_mcu_hw_scan()
and mt7925_mcu_hw_scan() used the loop index 'i' for the destination
array, potentially leaving gaps if any source SSIDs had zero length.

Cc: stable@vger.kernel.org
Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Michael Lo <michael.lo@mediatek.com>
Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
Link: https://patch.msgid.link/20250612062046.160598-1-mingyen.hsieh@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
index 452579ccc492287329c457fdc4aaf9911b44f757..a6324f6ead781f032b396f8f2eb01a48c5f00846 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -1696,8 +1696,8 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif,
                if (!sreq->ssids[i].ssid_len)
                        continue;
 
-               req->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len);
-               memcpy(req->ssids[i].ssid, sreq->ssids[i].ssid,
+               req->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len);
+               memcpy(req->ssids[n_ssids].ssid, sreq->ssids[i].ssid,
                       sreq->ssids[i].ssid_len);
                n_ssids++;
        }

diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
index 57a1db394dda4629e26b05007dd105b1f276d34f..2aeb9ba4256aba4c23f2d48e62678502ae29a131 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -2823,8 +2823,8 @@ int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif,
                if (!sreq->ssids[i].ssid_len)
                        continue;
 
-               ssid->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len);
-               memcpy(ssid->ssids[i].ssid, sreq->ssids[i].ssid,
+               ssid->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len);
+               memcpy(ssid->ssids[n_ssids].ssid, sreq->ssids[i].ssid,
                       sreq->ssids[i].ssid_len);
                n_ssids++;
        }