| From 3e8ed995543000e72a2d82a3d1e1d5e3729392db Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 29 May 2018 10:04:16 +0300 |
| Subject: iwlwifi: dbg: don't crash if the firmware crashes in the middle of a |
| debug dump |
| |
| From: Emmanuel Grumbach <emmanuel.grumbach@intel.com> |
| |
| [ Upstream commit 79f25b10c9da3dbc953e47033d0494e51580ac3b ] |
| |
| We can dump data from the firmware either when it crashes, |
| or when the firmware is alive. |
| Not all the data is available if the firmware is running |
| (like the Tx / Rx FIFOs which are available only when the |
| firmware is halted), so we first check that the firmware |
| is alive to compute the required size for the dump and then |
| fill the buffer with the data. |
| |
| When we allocate the buffer, we test the STATUS_FW_ERROR |
| bit to check if the firmware is alive or not. This bit |
| can be changed during the course of the dump since it is |
| modified in the interrupt handler. |
| |
| We hit a case where we allocate the buffer while the |
| firmware is still working, and while we start to fill the |
| buffer, the firmware crashes. Then we test STATUS_FW_ERROR |
| again and decide to fill the buffer with data like the |
| FIFOs even if no room was allocated for this data in the |
| buffer. This means that we overflow the buffer that was |
| allocated leading to memory corruption. |
| |
| To fix this, test the STATUS_FW_ERROR bit only once and |
| rely on local variables to check if we should dump fifos |
| or other firmware components. |
| |
| Fixes: 04fd2c28226f ("iwlwifi: mvm: add rxf and txf to dump data") |
| Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> |
| Signed-off-by: Luca Coelho <luciano.coelho@intel.com> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c |
| index 8070b2d4c46fe..3443cbdbab4ae 100644 |
| --- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c |
| +++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c |
| @@ -824,7 +824,7 @@ void iwl_fw_error_dump(struct iwl_fw_runtime *fwrt) |
| } |
| |
| /* We only dump the FIFOs if the FW is in error state */ |
| - if (test_bit(STATUS_FW_ERROR, &fwrt->trans->status)) { |
| + if (fifo_data_len) { |
| iwl_fw_dump_fifos(fwrt, &dump_data); |
| if (radio_len) |
| iwl_read_radio_regs(fwrt, &dump_data); |
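Review bot: the `if (radio_len)` call to `iwl_read_radio_regs()` stays nested under the new `if (fifo_data_len)` test, so the radio registers are written only when FIFO room was reserved. The hunk does not show where `fifo_data_len` and `radio_len` are computed. Please confirm both are set under the same one-time STATUS_FW_ERROR check, so that a non-zero `radio_len` can never coincide with a zero `fifo_data_len`. If that cannot be guaranteed, move the `radio_len` test out of the FIFO branch so each component is gated on its own reserved length. The comment "We only dump the FIFOs if the FW is in error state" also no longer matches the condition it sits above. Suggest rewording it to say the FIFOs are dumped only if space was reserved for them at allocation time, since that invariant is what prevents the overflow described in the commit message.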
| -- |
| 2.20.1 |
| |