Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6c6a22e2 authored Sep 23, 2009 by Stanislaw Gruszka Committed by John W. Linville Sep 23, 2009

iwlagn: fix panic in iwl{5000,4965}_rx_reply_tx

In some cases firmware can give us bad value of index in transmit
buffers array. This patch add sanity check for such values and return
from processing function instantly when it happens.

https://bugzilla.redhat.com/show_bug.cgi?id=521931



Patch was tested by reporter on iwl5000. I think check can be also
helpful for 4965.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

parent e31f7b96

drivers/net/wireless/iwlwifi/iwl-4965.c

+6 −0

Original line number	Original line	Diff line number	Diff line
	@@ -2021,6 +2021,12 @@ static int iwl4965_tx_status_reply_tx(struct iwl_priv *priv,
	agg->frame_count, txq_id, idx);		agg->frame_count, txq_id, idx);

	hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx);		hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx);
			if (!hdr) {
			IWL_ERR(priv,
			"BUG_ON idx doesn't point to valid skb"
			" idx=%d, txq_id=%d\n", idx, txq_id);
			return -1;
			}

	sc = le16_to_cpu(hdr->seq_ctrl);		sc = le16_to_cpu(hdr->seq_ctrl);
	if (idx != (SEQ_TO_SN(sc) & 0xff)) {		if (idx != (SEQ_TO_SN(sc) & 0xff)) {

drivers/net/wireless/iwlwifi/iwl-5000.c

+6 −0

Original line number	Original line	Diff line number	Diff line
	@@ -1163,6 +1163,12 @@ static int iwl5000_tx_status_reply_tx(struct iwl_priv *priv,
	agg->frame_count, txq_id, idx);		agg->frame_count, txq_id, idx);

	hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx);		hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx);
			if (!hdr) {
			IWL_ERR(priv,
			"BUG_ON idx doesn't point to valid skb"
			" idx=%d, txq_id=%d\n", idx, txq_id);
			return -1;
			}

	sc = le16_to_cpu(hdr->seq_ctrl);		sc = le16_to_cpu(hdr->seq_ctrl);
	if (idx != (SEQ_TO_SN(sc) & 0xff)) {		if (idx != (SEQ_TO_SN(sc) & 0xff)) {