iwlwifi: Limit size of Event Log dump

If device provides bad values for Event Log parameters (due to being asleep
or SRAM corruption, etc.), the size can be very, very large (e.g. 0xa5a5a5a5),
which can flood system log.

Sanity-check capacity and next_entry values and limit to reasonable size dump.

Signed-off-by: Ben Cahill <ben.m.cahill@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c
index ad8a348b1c810b2721af7f3a655bdebc2ad1a496..9c40742727a2066b3c3a5f309b93b9c324230bc1 100644 (file)
--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
@@ -1702,6 +1702,9 @@ static void iwl_print_event_log(struct iwl_priv *priv, u32 start_idx,
        }
 }
 
+/* For sanity check only.  Actual size is determined by uCode, typ. 512 */
+#define MAX_EVENT_LOG_SIZE (512)
+
 void iwl_dump_nic_event_log(struct iwl_priv *priv)
 {
        u32 base;       /* SRAM byte address of event log header */
@@ -1727,6 +1730,18 @@ void iwl_dump_nic_event_log(struct iwl_priv *priv)
        num_wraps = iwl_read_targ_mem(priv, base + (2 * sizeof(u32)));
        next_entry = iwl_read_targ_mem(priv, base + (3 * sizeof(u32)));
 
+       if (capacity > MAX_EVENT_LOG_SIZE) {
+               IWL_ERR(priv, "Log capacity %d is bogus, limit to %d entries\n",
+                       capacity, MAX_EVENT_LOG_SIZE);
+               capacity = MAX_EVENT_LOG_SIZE;
+       }
+
+       if (next_entry > MAX_EVENT_LOG_SIZE) {
+               IWL_ERR(priv, "Log write index %d is bogus, limit to %d\n",
+                       next_entry, MAX_EVENT_LOG_SIZE);
+               next_entry = MAX_EVENT_LOG_SIZE;
+       }
+
        size = num_wraps ? capacity : next_entry;
 
        /* bail out if nothing in log */

diff --git a/drivers/net/wireless/iwlwifi/iwl3945-base.c b/drivers/net/wireless/iwlwifi/iwl3945-base.c
index 23b31e6dcacd03cf3c5034bb2f1bbe7ad81f9aa9..a17afe01c0c056c1a9c99fe5fadee597eeb74de0 100644 (file)
--- a/drivers/net/wireless/iwlwifi/iwl3945-base.c
+++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c
@@ -1603,6 +1603,9 @@ static void iwl3945_print_event_log(struct iwl_priv *priv, u32 start_idx,
        }
 }
 
+/* For sanity check only.  Actual size is determined by uCode, typ. 512 */
+#define IWL3945_MAX_EVENT_LOG_SIZE (512)
+
 void iwl3945_dump_nic_event_log(struct iwl_priv *priv)
 {
        u32 base;       /* SRAM byte address of event log header */
@@ -1624,6 +1627,18 @@ void iwl3945_dump_nic_event_log(struct iwl_priv *priv)
        num_wraps = iwl_read_targ_mem(priv, base + (2 * sizeof(u32)));
        next_entry = iwl_read_targ_mem(priv, base + (3 * sizeof(u32)));
 
+       if (capacity > IWL3945_MAX_EVENT_LOG_SIZE) {
+               IWL_ERR(priv, "Log capacity %d is bogus, limit to %d entries\n",
+                       capacity, IWL3945_MAX_EVENT_LOG_SIZE);
+               capacity = IWL3945_MAX_EVENT_LOG_SIZE;
+       }
+
+       if (next_entry > IWL3945_MAX_EVENT_LOG_SIZE) {
+               IWL_ERR(priv, "Log write index %d is bogus, limit to %d\n",
+                       next_entry, IWL3945_MAX_EVENT_LOG_SIZE);
+               next_entry = IWL3945_MAX_EVENT_LOG_SIZE;
+       }
+
        size = num_wraps ? capacity : next_entry;
 
        /* bail out if nothing in log */