From: Ivo van Doorn <ivdoorn@gmail.com>
To: Pavel Roskin <proski@gnu.org>
Cc: users@rt2x00.serialmonkey.com, linux-wireless@vger.kernel.org,
"John W. Linville" <linville@tuxdriver.com>,
Michael Buesch <mb@bu3sch.de>
Subject: Re: [rt2x00-users] [PATCH] rt2x00: fix memory corruption in rf cache, add a sanity check
Date: Wed, 5 Aug 2009 20:55:02 +0200 [thread overview]
Message-ID: <200908052055.02412.IvDoorn@gmail.com> (raw)
In-Reply-To: <1249422496.3489.2.camel@mj>
Hi,
> Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf
> register number. This is needed because the rf registers are enumerated
> starting with one. The size of the rf register cache is just enough to
> hold all registers, so writing to the highest register was corrupting
> memory. Add a check to make sure that the rf register number is valid.
>
> Signed-off-by: Pavel Roskin <proski@gnu.org>
Good catch. Thanks!
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
> ---
>
> That's the issue reported by Michael Buesch:
> http://marc.info/?l=linux-wireless&m=124886312314098&w=2
>
> With this patch and the patch to stop works on unload, rt73usb seems
> rock solid now.
>
> drivers/net/wireless/rt2x00/rt2x00.h | 6 ++++--
> 1 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
> index cbec91e..ee9afab 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00.h
> +++ b/drivers/net/wireless/rt2x00/rt2x00.h
> @@ -836,13 +836,15 @@ struct rt2x00_dev {
> static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev,
> const unsigned int word, u32 *data)
> {
> - *data = rt2x00dev->rf[word];
> + BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
> + *data = rt2x00dev->rf[word - 1];
> }
>
> static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev,
> const unsigned int word, u32 data)
> {
> - rt2x00dev->rf[word] = data;
> + BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
> + rt2x00dev->rf[word - 1] = data;
> }
>
> /*
>
>
>
prev parent reply other threads:[~2009-08-05 18:55 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-04 21:48 [PATCH] rt2x00: fix memory corruption in rf cache, add a sanity check Pavel Roskin
2009-08-05 18:55 ` Ivo van Doorn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200908052055.02412.IvDoorn@gmail.com \
--to=ivdoorn@gmail.com \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=mb@bu3sch.de \
--cc=proski@gnu.org \
--cc=users@rt2x00.serialmonkey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.