diff options
author | Stanislaw Gruszka <sgruszka@redhat.com> | 2009-09-23 10:51:34 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-09-23 11:35:54 -0400 |
commit | 6c6a22e26868285dc3dac280e0e57de029bfae1b (patch) | |
tree | e935672ad4533c449dc805b0ac298abbca0cadd4 /drivers/net/wireless | |
parent | e31f7b96f0252e8da06df1bc7fd0f6dbc8cbec42 (diff) | |
download | kernel_samsung_tuna-6c6a22e26868285dc3dac280e0e57de029bfae1b.zip kernel_samsung_tuna-6c6a22e26868285dc3dac280e0e57de029bfae1b.tar.gz kernel_samsung_tuna-6c6a22e26868285dc3dac280e0e57de029bfae1b.tar.bz2 |
iwlagn: fix panic in iwl{5000,4965}_rx_reply_tx
In some cases firmware can give us bad value of index in transmit
buffers array. This patch add sanity check for such values and return
from processing function instantly when it happens.
https://bugzilla.redhat.com/show_bug.cgi?id=521931
Patch was tested by reporter on iwl5000. I think check can be also
helpful for 4965.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless')
-rw-r--r-- | drivers/net/wireless/iwlwifi/iwl-4965.c | 6 | ||||
-rw-r--r-- | drivers/net/wireless/iwlwifi/iwl-5000.c | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-4965.c b/drivers/net/wireless/iwlwifi/iwl-4965.c index ca61d37..3259b88 100644 --- a/drivers/net/wireless/iwlwifi/iwl-4965.c +++ b/drivers/net/wireless/iwlwifi/iwl-4965.c @@ -2021,6 +2021,12 @@ static int iwl4965_tx_status_reply_tx(struct iwl_priv *priv, agg->frame_count, txq_id, idx); hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx); + if (!hdr) { + IWL_ERR(priv, + "BUG_ON idx doesn't point to valid skb" + " idx=%d, txq_id=%d\n", idx, txq_id); + return -1; + } sc = le16_to_cpu(hdr->seq_ctrl); if (idx != (SEQ_TO_SN(sc) & 0xff)) { diff --git a/drivers/net/wireless/iwlwifi/iwl-5000.c b/drivers/net/wireless/iwlwifi/iwl-5000.c index 1d539e3..a6391c7 100644 --- a/drivers/net/wireless/iwlwifi/iwl-5000.c +++ b/drivers/net/wireless/iwlwifi/iwl-5000.c @@ -1163,6 +1163,12 @@ static int iwl5000_tx_status_reply_tx(struct iwl_priv *priv, agg->frame_count, txq_id, idx); hdr = iwl_tx_queue_get_hdr(priv, txq_id, idx); + if (!hdr) { + IWL_ERR(priv, + "BUG_ON idx doesn't point to valid skb" + " idx=%d, txq_id=%d\n", idx, txq_id); + return -1; + } sc = le16_to_cpu(hdr->seq_ctrl); if (idx != (SEQ_TO_SN(sc) & 0xff)) { |