* [PATCH] rt2x00: fix memory corruption in rf cache, add a sanity check
@ 2009-08-04 21:48 Pavel Roskin
From: Pavel Roskin @ 2009-08-04 21:48 UTC
  To: linux-wireless, users, John W. Linville; +Cc: Michael Buesch

Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf
register number.  This is needed because the rf registers are enumerated
starting with one.  The size of the rf register cache is just enough to
hold all registers, so writing to the highest register was corrupting
memory.  Add a check to make sure that the rf register number is valid.

Signed-off-by: Pavel Roskin <proski@gnu.org>
---

That's the issue reported by Michael Buesch:
http://marc.info/?l=linux-wireless&m=124886312314098&w=2

With this patch and the patch to stop works on unload, rt73usb seems
rock solid now. 

 drivers/net/wireless/rt2x00/rt2x00.h |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
index cbec91e..ee9afab 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -836,13 +836,15 @@ struct rt2x00_dev {
 static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev,
 				  const unsigned int word, u32 *data)
 {
-	*data = rt2x00dev->rf[word];
+	BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
+	*data = rt2x00dev->rf[word - 1];
 }
 
 static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev,
 				   const unsigned int word, u32 data)
 {
-	rt2x00dev->rf[word] = data;
+	BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
+	rt2x00dev->rf[word - 1] = data;
 }
 
 /*
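Review bot: BUG_ON() in both rt2x00_rf_read() and rt2x00_rf_write() turns an out-of-range word, which is a driver bug, into a full kernel panic, and that is heavy for an inline accessor on a register cache. Consider WARN_ON() with an early return instead, setting *data to 0 in the read path so callers never consume an uninitialized value. That way a bad index is reported and the access is skipped without touching memory outside rf[].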



-- 
Regards,
Pavel Roskin


* Re: [rt2x00-users] [PATCH] rt2x00: fix memory corruption in rf cache, add a sanity check
@ 2009-08-05 18:55 ` Ivo van Doorn
From: Ivo van Doorn @ 2009-08-05 18:55 UTC
  To: Pavel Roskin; +Cc: users, linux-wireless, John W. Linville, Michael Buesch

Hi,

> Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf
> register number.  This is needed because the rf registers are enumerated
> starting with one.  The size of the rf register cache is just enough to
> hold all registers, so writing to the highest register was corrupting
> memory.  Add a check to make sure that the rf register number is valid.
> 
> Signed-off-by: Pavel Roskin <proski@gnu.org>

Good catch. Thanks!

Acked-by: Ivo van Doorn <IvDoorn@gmail.com>

> ---
> 
> That's the issue reported by Michael Buesch:
> http://marc.info/?l=linux-wireless&m=124886312314098&w=2
> 
> With this patch and the patch to stop works on unload, rt73usb seems
> rock solid now. 
>
>  drivers/net/wireless/rt2x00/rt2x00.h |    6 ++++--
>  1 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
> index cbec91e..ee9afab 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00.h
> +++ b/drivers/net/wireless/rt2x00/rt2x00.h
> @@ -836,13 +836,15 @@ struct rt2x00_dev {
>  static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev,
>  				  const unsigned int word, u32 *data)
>  {
> -	*data = rt2x00dev->rf[word];
> +	BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
> +	*data = rt2x00dev->rf[word - 1];
>  }
>  
>  static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev,
>  				   const unsigned int word, u32 data)
>  {
> -	rt2x00dev->rf[word] = data;
> +	BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
> +	rt2x00dev->rf[word - 1] = data;
>  }
>  
>  /*
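Review bot: Nothing in the hunk documents that word is 1-based, so the `word - 1` in rt2x00_rf_read() and rt2x00_rf_write() reads like an off-by-one to a later maintainer. A short comment above the two accessors, stating that RF registers are numbered from 1 while the cache is indexed from 0, would prevent someone from "fixing" it back. The bound expression `rt2x00dev->ops->rf_size / sizeof(u32)` is also repeated verbatim in both functions; putting it in one small helper or macro keeps the two checks from drifting apart.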
> 
> 
> 


