rt2x00: fix memory corruption in rf cache, add a sanity check
authorPavel Roskin <proski@gnu.org>
Tue, 4 Aug 2009 21:48:16 +0000 (17:48 -0400)
committerJohn W. Linville <linville@tuxdriver.com>
Fri, 14 Aug 2009 13:06:52 +0000 (09:06 -0400)
Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf
register number.  This is needed because the rf registers are enumerated
starting with one.  The size of the rf register cache is just enough to
hold all registers, so writing to the highest register was corrupting
memory.  Add a check to make sure that the rf register number is valid.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Cc: stable@kernel.org
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/rt2x00/rt2x00.h

index a498dde024e1b58c55555e00d349a5cc28846218..49c9e2c1433d98cc82c16346242fc68eb0548897 100644 (file)
@@ -849,13 +849,15 @@ struct rt2x00_dev {
 static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev,
                                  const unsigned int word, u32 *data)
 {
-       *data = rt2x00dev->rf[word];
+       BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
+       *data = rt2x00dev->rf[word - 1];
 }
 
 static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev,
                                   const unsigned int word, u32 data)
 {
-       rt2x00dev->rf[word] = data;
+       BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
+       rt2x00dev->rf[word - 1] = data;
 }
 
 /*