linux-wireless.vger.kernel.org archive mirror
* [PATCH -stable] rt2x00: fix memory corruption in rf cache, add a sanity check
@ 2009-08-14 10:59 Stanislaw Gruszka
  2009-08-14 12:27 ` John W. Linville
  0 siblings, 1 reply; 2+ messages in thread
From: Stanislaw Gruszka @ 2009-08-14 10:59 UTC (permalink / raw)
  To: stable
  Cc: linux-wireless, John W. Linville, Ivo van Doorn, Pavel Roskin,
	Stanislaw Gruszka

From: Pavel Roskin <proski@gnu.org>

Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf
register number.  This is needed because the rf registers are enumerated
starting with one.  The size of the rf register cache is just enough to
hold all registers, so writing to the highest register was corrupting
memory.  Add a check to make sure that the rf register number is valid.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
---
I think nobody has sent this patch against stable yet. I have a problem with
rt73usb memory corruption on 2.6.30; this patch solves it. Not sure if the
patch is also useful for 2.6.27.

 drivers/net/wireless/rt2x00/rt2x00.h |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
index 84bd6f1..c242b54 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -814,13 +814,15 @@ struct rt2x00_dev {
 static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev,
 				  const unsigned int word, u32 *data)
 {
-	*data = rt2x00dev->rf[word];
+	BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
+	*data = rt2x00dev->rf[word - 1];
 }
 
 static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev,
 				   const unsigned int word, u32 data)
 {
-	rt2x00dev->rf[word] = data;
+	BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
+	rt2x00dev->rf[word - 1] = data;
 }
 
 /*
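Review bot: The BUG_ON() added to both rt2x00_rf_read() and rt2x00_rf_write() halts the kernel on an out-of-range word, which is a heavy response for an inline accessor in a driver header. Consider WARN_ON() with an early return, so that a bad register number is reported and the access is skipped rather than taking the machine down; in rt2x00_rf_read() that path would also need to set *data to a defined value, since callers receive it through the pointer. The same condition, word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32), is repeated verbatim in both functions and could live in one small helper. Nothing in the signatures says that word is 1-based, so a short comment above the two accessors stating that rf registers are numbered from 1 and stored at rf[word - 1] would keep a later caller from passing a 0-based index.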
-- 
1.6.2.5



* Re: [PATCH -stable] rt2x00: fix memory corruption in rf cache, add a sanity check
  2009-08-14 10:59 [PATCH -stable] rt2x00: fix memory corruption in rf cache, add a sanity check Stanislaw Gruszka
@ 2009-08-14 12:27 ` John W. Linville
  0 siblings, 0 replies; 2+ messages in thread
From: John W. Linville @ 2009-08-14 12:27 UTC (permalink / raw)
  To: Stanislaw Gruszka; +Cc: stable, linux-wireless, Ivo van Doorn, Pavel Roskin

On Fri, Aug 14, 2009 at 12:59:08PM +0200, Stanislaw Gruszka wrote:
> From: Pavel Roskin <proski@gnu.org>
> 
> Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf
> register number.  This is needed because the rf registers are enumerated
> starting with one.  The size of the rf register cache is just enough to
> hold all registers, so writing to the highest register was corrupting
> memory.  Add a check to make sure that the rf register number is valid.
> 
> Signed-off-by: Pavel Roskin <proski@gnu.org>
> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> ---
> I think nobody has sent this patch against stable yet. I have a problem with
> rt73usb memory corruption on 2.6.30; this patch solves it. Not sure if the
> patch is also useful for 2.6.27.

Thanks for pointing this out, I missed the memory corruption comment.

Since this hasn't gone to Linus yet, I don't think the stable guys
will take it.  I'll add a "Cc: stable@kernel.org" when I send it to
Dave/Linus so that the stable guys will see it automatically.

John
-- 
John W. Linville		Someday the world will need a hero, and you
linville@tuxdriver.com			might be all we have.  Be ready.
