aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorPavel Roskin <proski@gnu.org>2009-08-04 17:48:16 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-08-14 09:06:52 -0400
commit6b26dead3ce97d016b57724b01974d5ca5c84bd5 (patch)
treed6968f04884bcb8bf28f29a6ed8f0dc73ea191ef /drivers
parent416fbdff2137e8d8cc8f23f517bee3a26b11526f (diff)
rt2x00: fix memory corruption in rf cache, add a sanity check
Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf register number. This is needed because the rf registers are enumerated starting with one. The size of the rf register cache is just enough to hold all registers, so writing to the highest register was corrupting memory. Add a check to make sure that the rf register number is valid. Signed-off-by: Pavel Roskin <proski@gnu.org> Cc: stable@kernel.org Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/rt2x00/rt2x00.h6
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
index a498dde024e1..49c9e2c1433d 100644
--- a/drivers/net/wireless/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/rt2x00/rt2x00.h
@@ -849,13 +849,15 @@ struct rt2x00_dev {
849static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev, 849static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev,
850 const unsigned int word, u32 *data) 850 const unsigned int word, u32 *data)
851{ 851{
852 *data = rt2x00dev->rf[word]; 852 BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
853 *data = rt2x00dev->rf[word - 1];
853} 854}
854 855
855static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev, 856static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev,
856 const unsigned int word, u32 data) 857 const unsigned int word, u32 data)
857{ 858{
858 rt2x00dev->rf[word] = data; 859 BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
860 rt2x00dev->rf[word - 1] = data;
859} 861}
860 862
861/* 863/*