Commit 99361944 authored by Michal Kazior's avatar Michal Kazior Committed by Kalle Valo

ath10k: sanitize tx ring index access properly

The tx ring index was immediately trimmed with a
bitmask. This discarded the 0xFFFFFFFF error case
(which theoretically can happen when a device is
abruptly disconnected) and led to using an invalid
tx ring index. This could lead to memory
corruption.
Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
parent 2374b186
...@@ -603,16 +603,19 @@ static int ath10k_ce_completed_send_next_nolock(struct ath10k_ce_pipe *ce_state, ...@@ -603,16 +603,19 @@ static int ath10k_ce_completed_send_next_nolock(struct ath10k_ce_pipe *ce_state,
if (ret) if (ret)
return ret; return ret;
src_ring->hw_index = read_index = ath10k_ce_src_ring_read_index_get(ar, ctrl_addr);
ath10k_ce_src_ring_read_index_get(ar, ctrl_addr); if (read_index == 0xffffffff)
src_ring->hw_index &= nentries_mask; return -ENODEV;
read_index &= nentries_mask;
src_ring->hw_index = read_index;
ath10k_pci_sleep(ar); ath10k_pci_sleep(ar);
} }
read_index = src_ring->hw_index; read_index = src_ring->hw_index;
if ((read_index == sw_index) || (read_index == 0xffffffff)) if (read_index == sw_index)
return -EIO; return -EIO;
sbase = src_ring->shadow_base; sbase = src_ring->shadow_base;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment