Date: Sat, 11 Feb 2012 11:38:50 -0800
Subject: Re: [PATCH] ath9k: stop on rates with idx -1 in ath9k rate control's .tx_status
From: Adrian Chadd
To: Pavel Roskin
Cc: linux-wireless@vger.kernel.org, ath9k-devel@lists.ath9k.org, John W Linville
In-Reply-To: <20120211150152.4823.8570.stgit@ae>
References: <20120211150152.4823.8570.stgit@ae>

Hi!

On 11 February 2012 07:01, Pavel Roskin wrote:
> Rate control algorithms are supposed to stop processing when they
> encounter a rate with the index -1.  Checking for rate->count not being
> zero is not enough.
>
> Allowing a rate with negative index leads to memory corruption in
> ath_debug_stat_rc().
>
> One consequence of the bug is discussed at
> https://bugzilla.redhat.com/show_bug.cgi?id=768639
>
> Signed-off-by: Pavel Roskin
> Cc: stable@vger.kernel.org

Great catch!

Adrian
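
Added example, not part of this thread and not the ath9k source: a self-contained C sketch of the check the quoted commit message describes, where a rate list ends at idx -1 and a per-rate statistics table is indexed only after that terminator has been ruled out. The struct layouts, the names tx_rate, rc_stats, final_entry and record_tx_status, the table sizes and the sample data are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_RATES  4    /* entries per TX status report (assumed) */
#define RATE_TABLE 36   /* slots in the per-rate stats array (assumed) */

/* Simplified stand-in for a TX rate entry; idx -1 marks the end of the list. */
struct tx_rate { int8_t idx; uint8_t count; };
struct rc_stats { uint32_t retries[RATE_TABLE]; };

/* Constructed sample: two real attempts, then a terminator whose count
 * field still holds a stale non-zero value. */
static const struct tx_rate sample[MAX_RATES] = {
    { 7, 2 }, { 5, 3 }, { -1, 3 }, { 0, 0 }
};

/* Position of the last entry the loop accepts, or -1 if none.
 * check_idx == 0: stop on count == 0 only (the insufficient check).
 * check_idx == 1: also stop on a negative idx. */
static int final_entry(const struct tx_rate *r, int check_idx)
{
    int i, final = -1;
    for (i = 0; i < MAX_RATES; i++) {
        if ((check_idx && r[i].idx < 0) || !r[i].count)
            break;
        final = i;
    }
    return final;
}

/* Record retries for the final rate; the table is indexed only after the
 * terminator check and an upper-bound check. Returns 0, or -1 if skipped. */
static int record_tx_status(struct rc_stats *st, const struct tx_rate *r)
{
    int f = final_entry(r, 1);
    if (f < 0 || r[f].idx >= RATE_TABLE)
        return -1;
    st->retries[(unsigned)r[f].idx] += r[f].count - 1u;
    return 0;
}

int main(void)
{
    struct rc_stats st = { { 0 } };
    int f = final_entry(sample, 0), rc = record_tx_status(&st, sample);
    printf("count-only check ends on idx %d\n", sample[f].idx);
    printf("record: %d, retries[5] = %u\n", rc, (unsigned)st.retries[5]);
    return 0;
}
```

With the count-only check the loop ends on the terminator entry, so any later table lookup would use -1 as its index; the checked walk stops one entry earlier and the statistics update stays inside the array.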