From patchwork Tue Aug 4 21:48:16 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pavel Roskin
X-Patchwork-Id: 39214
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n74LmNXc030434 for ; Tue, 4 Aug 2009 21:48:23 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932893AbZHDVsV (ORCPT ); Tue, 4 Aug 2009 17:48:21 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S932777AbZHDVsV (ORCPT ); Tue, 4 Aug 2009 17:48:21 -0400
Received: from c60.cesmail.net ([216.154.195.49]:27203 "EHLO c60.cesmail.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932733AbZHDVsU (ORCPT ); Tue, 4 Aug 2009 17:48:20 -0400
Received: from unknown (HELO smtprelay1.cesmail.net) ([192.168.1.111]) by c60.cesmail.net with ESMTP; 04 Aug 2009 17:48:21 -0400
Received: from [192.168.0.22] (static-72-92-88-10.phlapa.fios.verizon.net [72.92.88.10]) by smtprelay1.cesmail.net (Postfix) with ESMTPSA id 46F4634C69; Tue, 4 Aug 2009 17:48:19 -0400 (EDT)
Subject: [PATCH] rt2x00: fix memory corruption in rf cache, add a sanity check
From: Pavel Roskin
To: linux-wireless@vger.kernel.org, users@host1.serialmonkey.com, "John W. Linville"
Cc: Michael Buesch
Date: Tue, 04 Aug 2009 17:48:16 -0400
Message-Id: <1249422496.3489.2.camel@mj>
Mime-Version: 1.0
X-Mailer: Evolution 2.26.3 (2.26.3-1.fc11)
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-wireless@vger.kernel.org

Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf register number. This is needed because the rf registers are enumerated starting with one. The size of the rf register cache is just enough to hold all registers, so writing to the highest register was corrupting memory. Add a check to make sure that the rf register number is valid.
Signed-off-by: Pavel Roskin Acked-by: Ivo van Doorn --- That's the issue reported by Michael Buesch: http://marc.info/?l=linux-wireless&m=124886312314098&w=2 With this patch and the patch to stop works on unload, rt73usb seems rock solid now. drivers/net/wireless/rt2x00/rt2x00.h | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h index cbec91e..ee9afab 100644 --- a/drivers/net/wireless/rt2x00/rt2x00.h +++ b/drivers/net/wireless/rt2x00/rt2x00.h @@ -836,13 +836,15 @@ struct rt2x00_dev { static inline void rt2x00_rf_read(struct rt2x00_dev *rt2x00dev, const unsigned int word, u32 *data) { - *data = rt2x00dev->rf[word]; + BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32)); + *data = rt2x00dev->rf[word - 1]; } static inline void rt2x00_rf_write(struct rt2x00_dev *rt2x00dev, const unsigned int word, u32 data) { - rt2x00dev->rf[word] = data; + BUG_ON(word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32)); + rt2x00dev->rf[word - 1] = data; } /*
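Review bot: BUG_ON() in both rt2x00_rf_read() and rt2x00_rf_write() turns an out-of-range word into a kernel panic, which is heavy for inline accessors in rt2x00.h; a WARN_ON() that returns early (with *data set to 0 in the read path so the caller never sees an uninitialized value) would flag the same caller bug without taking the machine down. The bounds expression "word < 1 || word > rt2x00dev->ops->rf_size / sizeof(u32)" is repeated verbatim in both functions and could move into one small helper. A short comment above the accessors stating that word is 1-based, and that rf_size is a byte count as the division by sizeof(u32) implies, would document the convention the new "word - 1" index depends on.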