From: Michal Kazior Date: Mon, 14 Jul 2014 13:25:25 +0000 (+0300) Subject: ath10k: sanitize tx ring index access properly X-Git-Tag: firefly_0821_release~176^2~3474^2~12^2~85^2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=993619443774f7ef4df3b98655df4c3bf298548c;p=firefly-linux-kernel-4.4.55.git ath10k: sanitize tx ring index access properly The tx ring index was immediately trimmed with a bitmask. This discarded the 0xFFFFFFFF error case (which theoretically can happen when a device is abruptly disconnected) and led to using an invalid tx ring index. This could lead to memory corruption. Signed-off-by: Michal Kazior Signed-off-by: Kalle Valo --- diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c index d185dc0cd12b..4333107ecf37 100644 --- a/drivers/net/wireless/ath/ath10k/ce.c +++ b/drivers/net/wireless/ath/ath10k/ce.c @@ -603,16 +603,19 @@ static int ath10k_ce_completed_send_next_nolock(struct ath10k_ce_pipe *ce_state, if (ret) return ret; - src_ring->hw_index = - ath10k_ce_src_ring_read_index_get(ar, ctrl_addr); - src_ring->hw_index &= nentries_mask; + read_index = ath10k_ce_src_ring_read_index_get(ar, ctrl_addr); + if (read_index == 0xffffffff) + return -ENODEV; + + read_index &= nentries_mask; + src_ring->hw_index = read_index; ath10k_pci_sleep(ar); } read_index = src_ring->hw_index; - if ((read_index == sw_index) || (read_index == 0xffffffff)) + if (read_index == sw_index) return -EIO; sbase = src_ring->shadow_base;