aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStanislaw Gruszka <sgruszka@redhat.com>2009-09-23 04:51:34 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-09-23 11:35:54 -0400
commit6c6a22e26868285dc3dac280e0e57de029bfae1b (patch)
treee935672ad4533c449dc805b0ac298abbca0cadd4
parente31f7b96f0252e8da06df1bc7fd0f6dbc8cbec42 (diff)
iwlagn: fix panic in iwl{5000,4965}_rx_reply_tx
In some cases firmware can give us bad value of index in transmit buffers array. This patch add sanity check for such values and return from processing function instantly when it happens. https://bugzilla.redhat.com/show_bug.cgi?id=521931 Patch was tested by reporter on iwl5000. I think check can be also helpful for 4965. Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-4965.c6
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-5000.c6
2 files changed, 12 insertions, 0 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-4965.c b/drivers/net/wireless/iwlwifi/iwl-4965.c
index ca61d3796cef..3259b8841544 100644
--- a/drivers/net/wireless/iwlwifi/iwl-4965.c
+++ b/drivers/net/wireless/iwlwifi/iwl-4965.c
@@ -2021,6 +2021,12 @@ static int iwl4965_tx_status_reply_tx(struct iwl_priv *priv,
2021 agg->frame_count, txq_id, idx); 2021 agg->frame_count, txq_id, idx);
2022 2022
2023 hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx); 2023 hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx);
2024 if (!hdr) {
2025 IWL_ERR(priv,
2026 "BUG_ON idx doesn't point to valid skb"
2027 " idx=%d, txq_id=%d\n", idx, txq_id);
2028 return -1;
2029 }
2024 2030
2025 sc = le16_to_cpu(hdr->seq_ctrl); 2031 sc = le16_to_cpu(hdr->seq_ctrl);
2026 if (idx != (SEQ_TO_SN(sc) & 0xff)) { 2032 if (idx != (SEQ_TO_SN(sc) & 0xff)) {
diff --git a/drivers/net/wireless/iwlwifi/iwl-5000.c b/drivers/net/wireless/iwlwifi/iwl-5000.c
index 1d539e3b8db1..a6391c7fea53 100644
--- a/drivers/net/wireless/iwlwifi/iwl-5000.c
+++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
@@ -1163,6 +1163,12 @@ static int iwl5000_tx_status_reply_tx(struct iwl_priv *priv,
1163 agg->frame_count, txq_id, idx); 1163 agg->frame_count, txq_id, idx);
1164 1164
1165 hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx); 1165 hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx);
1166 if (!hdr) {
1167 IWL_ERR(priv,
1168 "BUG_ON idx doesn't point to valid skb"
1169 " idx=%d, txq_id=%d\n", idx, txq_id);
1170 return -1;
1171 }
1166 1172
1167 sc = le16_to_cpu(hdr->seq_ctrl); 1173 sc = le16_to_cpu(hdr->seq_ctrl);
1168 if (idx != (SEQ_TO_SN(sc) & 0xff)) { 1174 if (idx != (SEQ_TO_SN(sc) & 0xff)) {