iwlwifi: Limit size of Event Log dump

If device provides bad values for Event Log parameters (due to being asleep or SRAM corruption, etc.), the size can be very, very large (e.g. 0xa5a5a5a5), which can flood system log. Sanity-check capacity and next_entry values and limit to reasonable size dump. Signed-off-by: N Ben Cahill <ben.m.cahill@intel.com> Signed-off-by: N Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: N John W. Linville <linville@tuxdriver.com>

iwlwifi: Limit size of Event Log dump
If device provides bad values for Event Log parameters (due to being asleep or SRAM corruption, etc.), the size can be very, very large (e.g. 0xa5a5a5a5), which can flood system log. Sanity-check capacity and next_entry values and limit to reasonable size dump. Signed-off-by: N Ben Cahill <ben.m.cahill@intel.com> Signed-off-by: N Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: N John W. Linville <linville@tuxdriver.com>
84c40692 · Ben Cahill · John W. Linville · 6762f07f · 84c40692 · 84c40692
隐藏空白更改
内联并排

Showing with 30 addition and 0 deletion

drivers/net/wireless/iwlwifi/iwl-agn.c drivers/net/wireless/iwlwifi/iwl-agn.c +15 -0

drivers/net/wireless/iwlwifi/iwl3945-base.c drivers/net/wireless/iwlwifi/iwl3945-base.c +15 -0

未找到文件。
--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
@@ -1702,6 +1702,9 @@ static void iwl_print_event_log(struct iwl_priv *priv, u32 start_idx,
 	}
 }

+/* For sanity check only.  Actual size is determined by uCode, typ. 512 */
+#define MAX_EVENT_LOG_SIZE (512)
+
 void iwl_dump_nic_event_log(struct iwl_priv *priv)
 {
 	u32 base;       /* SRAM byte address of event log header */
@@ -1727,6 +1730,18 @@ void iwl_dump_nic_event_log(struct iwl_priv *priv)
 	num_wraps = iwl_read_targ_mem(priv, base + (2 * sizeof(u32)));
 	next_entry = iwl_read_targ_mem(priv, base + (3 * sizeof(u32)));

+	if (capacity > MAX_EVENT_LOG_SIZE) {
+		IWL_ERR(priv, "Log capacity %d is bogus, limit to %d entries\n",
+			capacity, MAX_EVENT_LOG_SIZE);
+		capacity = MAX_EVENT_LOG_SIZE;
+	}
+
+	if (next_entry > MAX_EVENT_LOG_SIZE) {
+		IWL_ERR(priv, "Log write index %d is bogus, limit to %d\n",
+			next_entry, MAX_EVENT_LOG_SIZE);
+		next_entry = MAX_EVENT_LOG_SIZE;
+	}
+
 	size = num_wraps ? capacity : next_entry;

 	/* bail out if nothing in log */

--- a/drivers/net/wireless/iwlwifi/iwl3945-base.c
+++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c
@@ -1603,6 +1603,9 @@ static void iwl3945_print_event_log(struct iwl_priv *priv, u32 start_idx,
 	}
 }

+/* For sanity check only.  Actual size is determined by uCode, typ. 512 */
+#define IWL3945_MAX_EVENT_LOG_SIZE (512)
+
 void iwl3945_dump_nic_event_log(struct iwl_priv *priv)
 {
 	u32 base;       /* SRAM byte address of event log header */
@@ -1624,6 +1627,18 @@ void iwl3945_dump_nic_event_log(struct iwl_priv *priv)
 	num_wraps = iwl_read_targ_mem(priv, base + (2 * sizeof(u32)));
 	next_entry = iwl_read_targ_mem(priv, base + (3 * sizeof(u32)));

+	if (capacity > IWL3945_MAX_EVENT_LOG_SIZE) {
+		IWL_ERR(priv, "Log capacity %d is bogus, limit to %d entries\n",
+			capacity, IWL3945_MAX_EVENT_LOG_SIZE);
+		capacity = IWL3945_MAX_EVENT_LOG_SIZE;
+	}
+
+	if (next_entry > IWL3945_MAX_EVENT_LOG_SIZE) {
+		IWL_ERR(priv, "Log write index %d is bogus, limit to %d\n",
+			next_entry, IWL3945_MAX_EVENT_LOG_SIZE);
+		next_entry = IWL3945_MAX_EVENT_LOG_SIZE;
+	}
+
 	size = num_wraps ? capacity : next_entry;

 	/* bail out if nothing in log */