From: Luca Coelho <luca@coelho.fi>
To: kvalo@codeaurora.org
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH 5/8] iwlwifi: pcie: fix indexing in command dump for new HW
Date: Fri,  4 Oct 2019 16:14:11 +0300
Message-ID: <20191004131414.27372-6-luca@coelho.fi>
In-Reply-To: <20191004131414.27372-1-luca@coelho.fi>

From: Johannes Berg <johannes.berg@intel.com>

We got a crash in iwl_trans_pcie_get_cmdlen(), while the TFD was
being accessed to sum up the lengths.

We want to access the TFD here, which is the information for the
hardware. We always only allocate 32 buffers for the cmd queue,
but on newer hardware (using TFH) we can also allocate only a
shorter hardware array, also only 32 TFDs. Prior to the TFH, we
had to allocate a bigger TFD array but would make those point to
a smaller set of buffers.

Additionally, now max_tfd_queue_size is up to 65536, so we can
access *way* out of bounds of a really only 32-entry array, so
it crashes.

Fix this by making the TFD index depend on which hardware we are
using right now.

While changing the calculation, also fix it to not use void ptr
arithmetic, but cast to u8 * before.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
 drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
index f8a1f985a1d8..ab7480a85015 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
@@ -3272,11 +3272,17 @@ static struct iwl_trans_dump_data
 		ptr = cmdq->write_ptr;
 		for (i = 0; i < cmdq->n_window; i++) {
 			u8 idx = iwl_pcie_get_cmd_index(cmdq, ptr);
+			u8 tfdidx;
 			u32 caplen, cmdlen;
 
+			if (trans->trans_cfg->use_tfh)
+				tfdidx = idx;
+			else
+				tfdidx = ptr;
+
 			cmdlen = iwl_trans_pcie_get_cmdlen(trans,
-							   cmdq->tfds +
-							   tfd_size * ptr);
+							   (u8 *)cmdq->tfds +
+							   tfd_size * tfdidx);
 			caplen = min_t(u32, TFD_MAX_PAYLOAD_SIZE, cmdlen);
 
 			if (cmdlen) {
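Review bot: `tfdidx` is declared `u8` but on the non-TFH path it is assigned `ptr`, which was loaded from `cmdq->write_ptr` whose type is not visible in this hunk; `idx` fits in a u8 only because iwl_pcie_get_cmd_index() narrows it to the command window, whereas `ptr` addresses the full pre-TFH TFD array that the commit message describes as bigger than the 32-entry window. If that array can ever have more than 256 entries, `tfdidx = ptr;` truncates silently and the dump reads a TFD at the wrong offset, which is the same class of mis-indexing this patch is fixing. Consider giving `tfdidx` the type of `ptr` (the `tfd_size * tfdidx` multiplication is already promoted to at least int, so nothing is gained by u8), or add a one-line comment stating the invariant that keeps the pre-TFH index within 8 bits. The `(u8 *)cmdq->tfds` cast itself is correct and removes the non-standard void-pointer arithmetic the commit message mentions.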
-- 
2.23.0
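A small model of the indexing error this patch fixes, added here as an illustration; it is not code from the patch or from iwlwifi. It assumes a 32-entry command window, 64-byte TFDs, a 256-entry TFD ring on pre-TFH hardware, and that iwl_pcie_get_cmd_index() masks the pointer into the window; it shows the old `tfd_size * ptr` offset running far past a 32-entry TFH array while the hardware-dependent index stays inside it, plus the bounds check a dump path can apply before touching the TFD.

```c
/* Added model of the TFD indexing fix; not code from iwlwifi. Sizes below
 * are assumptions chosen for the model, not values taken from the driver. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define N_WINDOW      32U   /* cmdq->n_window in the patch */
#define TFD_SIZE      64U   /* assumed bytes per TFD */
#define OLD_TFD_SLOTS 256U  /* assumed pre-TFH TFD array length */

/* Assumed behaviour of iwl_pcie_get_cmd_index(): mask ptr into the window. */
static unsigned cmd_index(unsigned n_window, unsigned ptr)
{
	return ptr & (n_window - 1);
}

/* Byte offset the pre-patch code computed: always tfd_size * ptr. */
static size_t tfd_offset_old(unsigned ptr)
{
	return (size_t)TFD_SIZE * ptr;
}

/* Byte offset after the patch: window index on TFH hardware, ptr otherwise. */
static size_t tfd_offset_fixed(bool use_tfh, unsigned n_window, unsigned ptr)
{
	unsigned tfdidx = use_tfh ? cmd_index(n_window, ptr) : ptr;
	return (size_t)TFD_SIZE * tfdidx;
}

/* Check a dump path could apply before reading a TFD: only n_window TFDs
 * exist on TFH hardware, a full OLD_TFD_SLOTS ring before it. */
static bool tfd_in_bounds(bool use_tfh, unsigned n_window, size_t off)
{
	unsigned slots = use_tfh ? n_window : OLD_TFD_SLOTS;
	return off + TFD_SIZE <= (size_t)slots * TFD_SIZE;
}

int main(void)
{
	unsigned ptr = 40005;  /* write_ptr on TFH hardware can run far past 32 */
	size_t old = tfd_offset_old(ptr);
	size_t fixed = tfd_offset_fixed(true, N_WINDOW, ptr);

	printf("old: offset %zu, in bounds: %d\n", old, tfd_in_bounds(true, N_WINDOW, old));
	printf("fixed: offset %zu, in bounds: %d\n", fixed, tfd_in_bounds(true, N_WINDOW, fixed));
	return 0;
}
```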

