diff options
author | Michal Kazior <michal.kazior@tieto.com> | 2014-07-14 17:25:25 +0400 |
---|---|---|
committer | Kalle Valo <kvalo@qca.qualcomm.com> | 2014-07-15 12:19:45 +0400 |
commit | 993619443774f7ef4df3b98655df4c3bf298548c (patch) | |
tree | a0973b4fb0512fd7d606c64449f691033d9319df /drivers/net/wireless/ath | |
parent | 2374b18684dfed2a0588efe4df716d16554da467 (diff) | |
download | linux-993619443774f7ef4df3b98655df4c3bf298548c.tar.xz |
ath10k: sanitize tx ring index access properly
The tx ring index was immediately trimmed with a
bitmask. This discarded the 0xFFFFFFFF error case
(which theoretically can happen when a device is
abruptly disconnected) and led to using an invalid
tx ring index. This could lead to memory
corruption.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Diffstat (limited to 'drivers/net/wireless/ath')
-rw-r--r-- | drivers/net/wireless/ath/ath10k/ce.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c index d185dc0cd12b..4333107ecf37 100644 --- a/drivers/net/wireless/ath/ath10k/ce.c +++ b/drivers/net/wireless/ath/ath10k/ce.c @@ -603,16 +603,19 @@ static int ath10k_ce_completed_send_next_nolock(struct ath10k_ce_pipe *ce_state, if (ret) return ret; - src_ring->hw_index = - ath10k_ce_src_ring_read_index_get(ar, ctrl_addr); - src_ring->hw_index &= nentries_mask; + read_index = ath10k_ce_src_ring_read_index_get(ar, ctrl_addr); + if (read_index == 0xffffffff) + return -ENODEV; + + read_index &= nentries_mask; + src_ring->hw_index = read_index; ath10k_pci_sleep(ar); } read_index = src_ring->hw_index; - if ((read_index == sw_index) || (read_index == 0xffffffff)) + if (read_index == sw_index) return -EIO; sbase = src_ring->shadow_base; |