diff --git a/mt76x02_mac.h b/mt76x02_mac.h
index c70d17b..e597a24 100644
--- a/mt76x02_mac.h
+++ b/mt76x02_mac.h
@@ -20,8 +20,8 @@ struct mt76x02_tx_status {
 u16 rate;
 } __packed __aligned(2);
-#define MT_VIF_WCID(_n) (254 - ((_n) & 7))
-#define MT_MAX_VIFS 8
+#define MT_VIF_WCID(_n) (254 - ((_n) & 0xf))
+#define MT_MAX_VIFS 16
 #define MT_PKTID_RATE GENMASK(4, 0)
 #define MT_PKTID_AC GENMASK(6, 5)
diff --git a/mt76x2/mcu.c b/mt76x2/mcu.c
index 9635c04..6221460 100644
--- a/mt76x2/mcu.c
+++ b/mt76x2/mcu.c
@@ -32,8 +32,13 @@ int mt76x2_mcu_set_channel(struct mt76x02_dev *dev, u8 channel, u8 bw,
 .chainmask = cpu_to_le16(dev->chainmask),
 };
+ int ret;
+
 /* first set the channel without the extension channel info */
- mt76_mcu_send_msg(dev, CMD_SWITCH_CHANNEL_OP, &msg, sizeof(msg), true);
+ ret = mt76_mcu_send_msg(dev, CMD_SWITCH_CHANNEL_OP, &msg, sizeof(msg),
+ true);
+ if (ret)
+ return ret;
 usleep_range(5000, 10000);
diff --git a/mt76x2/pci_mcu.c b/mt76x2/pci_mcu.c
index ec64bd8..e6abb33 100644
--- a/mt76x2/pci_mcu.c
+++ b/mt76x2/pci_mcu.c
@@ -82,7 +82,8 @@ mt76pci_load_firmware(struct mt76x02_dev *dev)
 {
 const struct firmware *fw;
 const struct mt76x02_fw_header *hdr;
- int len, ret;
+ int ret;
+ u32 ilm_len, dlm_len;
 __le32 *cur;
 u32 offset, val;
@@ -95,11 +96,13 @@ mt76pci_load_firmware(struct mt76x02_dev *dev)
 hdr = (const struct mt76x02_fw_header *)fw->data;
- len = sizeof(*hdr);
- len += le32_to_cpu(hdr->ilm_len);
- len += le32_to_cpu(hdr->dlm_len);
+ ilm_len = le32_to_cpu(hdr->ilm_len);
+ dlm_len = le32_to_cpu(hdr->dlm_len);
- if (fw->size != len)
+ if (ilm_len > INT_MAX || dlm_len > INT_MAX ||
+ (ilm_len | dlm_len) & 3 ||
+ ilm_len > fw->size - sizeof(*hdr) ||
+ dlm_len != fw->size - sizeof(*hdr) - ilm_len)
 goto error;
 val = le16_to_cpu(hdr->fw_ver);
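Review bot: `MT_VIF_WCID` and `MT_MAX_VIFS` now state the VIF count twice, once as the mask `0xf` and once as the literal `16`, so the next bump has to touch both lines or they silently disagree. Deriving the mask from the count keeps them in lockstep: `#define MT_VIF_WCID(_n) (254 - ((_n) & (MT_MAX_VIFS - 1)))`, with a one-line comment that this relies on MT_MAX_VIFS being a power of two. The mask also wraps an out-of-range index onto a lower WCID instead of rejecting it; if callers do not bound the index against MT_MAX_VIFS before using the macro (not visible here), two interfaces could end up sharing a WCID, so that bound is worth stating in a comment next to the macro.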
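Review bot: The new length check in mt76pci_load_firmware evaluates `fw->size - sizeof(*hdr)` as an unsigned subtraction, which wraps to a huge value when `fw->size < sizeof(*hdr)`, and nothing inside this hunk establishes that bound; the function body starts above the hunk, so the check is only sound if a minimum-size test on fw->size precedes it there. If that test is absent, add `fw->size < sizeof(*hdr) ||` as the first term of the condition (the same applies to the usb_mcu.c hunk at @@ -160). The ordering of the remaining terms is correct: `ilm_len > fw->size - sizeof(*hdr)` short-circuits before `dlm_len != fw->size - sizeof(*hdr) - ilm_len`, so the second subtraction cannot wrap. A short comment on why `INT_MAX` is the bound (presumably the length parameter of the copy helper is an int) would also save the next reader a lookup.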
@@ -111,13 +114,11 @@ mt76pci_load_firmware(struct mt76x02_dev *dev)
 dev_info(dev->mt76.dev, "Build Time: %.16s\n", hdr->build_time);
 cur = (__le32 *)(fw->data + sizeof(*hdr));
- len = le32_to_cpu(hdr->ilm_len);
 mt76_wr(dev, MT_MCU_PCIE_REMAP_BASE4, MT_MCU_ILM_OFFSET);
- mt76_wr_copy(dev, MT_MCU_ILM_ADDR, cur, len);
+ mt76_wr_copy(dev, MT_MCU_ILM_ADDR, cur, ilm_len);
- cur += len / sizeof(*cur);
- len = le32_to_cpu(hdr->dlm_len);
+ cur += ilm_len / sizeof(*cur);
 if (mt76xx_rev(dev) >= MT76XX_REV_E3)
 offset = MT_MCU_DLM_ADDR_E3;
@@ -125,7 +126,7 @@ mt76pci_load_firmware(struct mt76x02_dev *dev)
 offset = MT_MCU_DLM_ADDR;
 mt76_wr(dev, MT_MCU_PCIE_REMAP_BASE4, MT_MCU_DLM_OFFSET);
- mt76_wr_copy(dev, offset, cur, len);
+ mt76_wr_copy(dev, offset, cur, dlm_len);
 mt76_wr(dev, MT_MCU_PCIE_REMAP_BASE4, 0);
@@ -192,6 +193,5 @@ int mt76x2_mcu_init(struct mt76x02_dev *dev)
 if (ret)
 return ret;
- mt76x02_mcu_function_select(dev, Q_SELECT, 1);
- return 0;
+ return mt76x02_mcu_function_select(dev, Q_SELECT, 1);
 }
diff --git a/mt76x2/usb_mcu.c b/mt76x2/usb_mcu.c
index dd22d8a..e787608 100644
--- a/mt76x2/usb_mcu.c
+++ b/mt76x2/usb_mcu.c
@@ -145,7 +145,8 @@ static int mt76x2u_mcu_load_firmware(struct mt76x02_dev *dev)
 {
 u32 val, dlm_offset = MT76U_MCU_DLM_OFFSET;
 const struct mt76x02_fw_header *hdr;
- int err, len, ilm_len, dlm_len;
+ int err;
+ u32 ilm_len, dlm_len;
 const struct firmware *fw;
 err = request_firmware(&fw, MT7662_FIRMWARE, dev->mt76.dev);
@@ -160,8 +161,10 @@ static int mt76x2u_mcu_load_firmware(struct mt76x02_dev *dev)
 hdr = (const struct mt76x02_fw_header *)fw->data;
 ilm_len = le32_to_cpu(hdr->ilm_len);
 dlm_len = le32_to_cpu(hdr->dlm_len);
- len = sizeof(*hdr) + ilm_len + dlm_len;
- if (fw->size != len) {
+
+ if (ilm_len > INT_MAX || dlm_len > INT_MAX ||
+ ilm_len > fw->size - sizeof(*hdr) ||
+ dlm_len != fw->size - sizeof(*hdr) - ilm_len) {
 err = -EINVAL;
 goto out;
 }
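Review bot: The USB check at @@ -160 omits the word-alignment term that the pci_mcu.c version has, `(ilm_len | dlm_len) & 3 ||`, so the two loaders now accept different images from the same header format. If the USB send path also consumes the image as 32-bit words (not visible from this hunk), the term should be added here as well; if it genuinely tolerates unaligned lengths, a one-line comment stating that would keep the asymmetry from being "fixed" later. Since both sites now validate the same header against fw->size, a small shared helper in the mt76x02 common code taking the header and the blob size would remove the duplication and keep any further tightening in one place.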