Commit 99361944 authored by Michal Kazior, committed by Kalle Valo

ath10k: sanitize tx ring index access properly



The tx ring index was immediately trimmed with a
bitmask. This discarded the 0xFFFFFFFF error case
(which theoretically can happen when a device is
abruptly disconnected) and led to using an invalid
tx ring index. This could lead to memory
corruption.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
parent 2374b186
+7 −4
@@ -603,16 +603,19 @@ static int ath10k_ce_completed_send_next_nolock(struct ath10k_ce_pipe *ce_state,
		if (ret)
		if (ret)
			return ret;
			return ret;


		src_ring->hw_index =
		read_index = ath10k_ce_src_ring_read_index_get(ar, ctrl_addr);
			ath10k_ce_src_ring_read_index_get(ar, ctrl_addr);
		if (read_index == 0xffffffff)
		src_ring->hw_index &= nentries_mask;
			return -ENODEV;

		read_index &= nentries_mask;
		src_ring->hw_index = read_index;


		ath10k_pci_sleep(ar);
		ath10k_pci_sleep(ar);
	}
	}


	read_index = src_ring->hw_index;
	read_index = src_ring->hw_index;


	if ((read_index == sw_index) || (read_index == 0xffffffff))
	if (read_index == sw_index)
		return -EIO;
		return -EIO;


	sbase = src_ring->shadow_base;
	sbase = src_ring->shadow_base;
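
Review bot: the new `if (read_index == 0xffffffff) return -ENODEV;` branch returns before the `ath10k_pci_sleep(ar);` call at the end of the same block, so the error path skips the sleep that the normal path performs. If that call balances a wake taken above the `if (ret)` check (not visible in this hunk), the device-gone path should call `ath10k_pci_sleep(ar)` before returning, or a comment should say why skipping it is safe. Separately, the 0xffffffff case used to fall through to the later check and return -EIO and now returns -ENODEV, so callers that test for a specific error value need checking, and a named constant in place of the bare 0xffffffff would document that it is the value read back when the device has been disconnected.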