authorAmit Beka <amit.beka@intel.com>2012-01-25 08:19:24 +0100
committerWey-Yi Guy <wey-yi.w.guy@intel.com>2012-02-02 23:38:42 +0100
commit6fe7dd0db0af18a8792d8551fd19a184f39a732c (patch)
tree21148f5a99ef428ee439dbf0a626186d7d2f3d18
parentiwlwifi: release IRQ in error path (diff)
downloadlinux-6fe7dd0db0af18a8792d8551fd19a184f39a732c.tar.xz
linux-6fe7dd0db0af18a8792d8551fd19a184f39a732c.zip
iwlwifi: range check to testmode direct reg access
Added a check on the direct register access. Checks that the address is in the lower range (0x0-0x2000), which belongs to CSR, HBUS and FH registers. Signed-off-by: Amit Beka <amit.beka@intel.com> Signed-off-by: Wey-Yi W Guy <wey-yi.w.guy@intel.com>
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-testmode.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-testmode.c b/drivers/net/wireless/iwlwifi/iwl-testmode.c
index 7c17b9d52179..df7ab332c833 100644
--- a/drivers/net/wireless/iwlwifi/iwl-testmode.c
+++ b/drivers/net/wireless/iwlwifi/iwl-testmode.c
@@ -79,6 +79,7 @@
#include "iwl-testmode.h"
#include "iwl-trans.h"
#include "iwl-bus.h"
+#include "iwl-fh.h"
/* The TLVs used in the gnl message policy between the kernel module and
* user space application. iwl_testmode_gnl_msg_policy is to be carried
@@ -288,7 +289,7 @@ static int iwl_testmode_ucode(struct ieee80211_hw *hw, struct nlattr **tb)
static int iwl_testmode_reg(struct ieee80211_hw *hw, struct nlattr **tb)
{
struct iwl_priv *priv = hw->priv;
- u32 ofs, val32;
+ u32 ofs, val32, cmd;
u8 val8;
struct sk_buff *skb;
int status = 0;
@@ -300,7 +301,20 @@ static int iwl_testmode_reg(struct ieee80211_hw *hw, struct nlattr **tb)
ofs = nla_get_u32(tb[IWL_TM_ATTR_REG_OFFSET]);
IWL_INFO(priv, "testmode register access command offset 0x%x\n", ofs);
- switch (nla_get_u32(tb[IWL_TM_ATTR_COMMAND])) {
+ /* Allow access only to FH/CSR/HBUS in direct mode.
+ Since we don't have the upper bounds for the CSR and HBUS segments,
+ we will use only the upper bound of FH for sanity check. */
+ cmd = nla_get_u32(tb[IWL_TM_ATTR_COMMAND]);
+ if ((cmd == IWL_TM_CMD_APP2DEV_DIRECT_REG_READ32 ||
+ cmd == IWL_TM_CMD_APP2DEV_DIRECT_REG_WRITE32 ||
+ cmd == IWL_TM_CMD_APP2DEV_DIRECT_REG_WRITE8) &&
+ (ofs >= FH_MEM_UPPER_BOUND)) {
+ IWL_DEBUG_INFO(priv, "offset out of segment (0x0 - 0x%x)\n",
+ FH_MEM_UPPER_BOUND);
+ return -EINVAL;
+ }
+
+ switch (cmd) {
case IWL_TM_CMD_APP2DEV_DIRECT_REG_READ32:
val32 = iwl_read_direct32(trans(priv), ofs);
IWL_INFO(priv, "32bit value to read 0x%x\n", val32);
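Review bot: The new check in `iwl_testmode_reg` compares only the start offset with `FH_MEM_UPPER_BOUND`, so it ignores access width and alignment: for the two 32-bit commands, an `ofs` in the last three bytes below the bound passes while the access itself extends past the bound. Assuming these registers are meant to be accessed on 32-bit boundaries (the hunk does not show this), the 32-bit cases could also reject unaligned offsets, e.g. `if (cmd != IWL_TM_CMD_APP2DEV_DIRECT_REG_WRITE8 && (ofs & 0x3)) return -EINVAL;`. The refusal is logged with `IWL_DEBUG_INFO`, which presumably depends on the driver's debug settings, while the requested offset is logged with `IWL_INFO` just above. Logging the rejection at the same level would keep out-of-range requests from user space visible in the kernel log. The function body starts and ends outside this hunk, so whether `tb[IWL_TM_ATTR_COMMAND]` is validated before `nla_get_u32` cannot be confirmed from here.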