提交 6b26dead 编写于 作者: P Pavel Roskin 提交者: John W. Linville

rt2x00: fix memory corruption in rf cache, add a sanity check

Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf
register number.  This is needed because the rf registers are enumerated
starting with one.  The size of the rf register cache is just enough to
hold all registers, so writing to the highest register was corrupting
memory.  Add a check to make sure that the rf register number is valid.
Signed-off-by: NPavel Roskin <proski@gnu.org>
Cc: stable@kernel.org
Acked-by: NIvo van Doorn <IvDoorn@gmail.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
上级 416fbdff
...@@ -849,13 +849,15 @@ struct rt2x00_dev { ...@@ -849,13 +849,15 @@ struct rt2x00_dev {
static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev, static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev,
const unsigned int word, u32 *data) const unsigned int word, u32 *data)
{ {
*data = rt2x00dev->rf[word]; BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
*data = rt2x00dev->rf[word - 1];
} }
static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev, static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev,
const unsigned int word, u32 data) const unsigned int word, u32 data)
{ {
rt2x00dev->rf[word] = data; BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32));
rt2x00dev->rf[word - 1] = data;
} }
/* /*
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册