iwlwifi: incorrect method used for finding valid OTP blocks

The address stored in the next link address is a word address but when
reading the OTP blocks, a byte address is used. Also if the blocks are
full and the last link pointer is not zero, then none of the blocks are
valid so return an error.

The algorithm is simply valid blocks have a next address and that
address's contents is zero.

Using the wrong address for the next link address gets arbitrary data,
obviously. In cases seen, the first block is considered valid when it is not.

If the block has in fact been invalidated there may be old data or
there may be no data, bad data, or partial data, there is no way of
telling. Without this patch it is possible that a device with valid OTP data
is unable to work.

Signed-off-by: Jay Sternberg <jay.e.sternberg@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
CC: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 11 insertions, 12 deletions

diff --git a/drivers/net/wireless/iwlwifi/iwl-eeprom.c b/drivers/net/wireless/iwlwifi/iwl-eeprom.c
index 3d2b93a61e62..e14c9952a935 100644
--- a/drivers/net/wireless/iwlwifi/iwl-eeprom.c
+++ b/drivers/net/wireless/iwlwifi/iwl-eeprom.c
@@ -410,7 +410,6 @@ static int iwl_find_otp_image(struct iwl_priv *priv,
                                         u16 *validblockaddr)
 {
         u16 next_link_addr = 0, link_value = 0, valid_addr;
-        int ret = 0;
         int usedblocks = 0;
 
         /* set addressing mode to absolute to traverse the link list */
@@ -430,29 +429,29 @@ static int iwl_find_otp_image(struct iwl_priv *priv,
                  * check for more block on the link list
                  */
                 valid_addr = next_link_addr;
-                next_link_addr = link_value;
+                next_link_addr = link_value * sizeof(u16);
                 IWL_DEBUG_INFO(priv, "OTP blocks %d addr 0x%x\n",
                                usedblocks, next_link_addr);
                 if (iwl_read_otp_word(priv, next_link_addr, &link_value))
                         return -EINVAL;
                 if (!link_value) {
                         /*
-                         * reach the end of link list,
+                         * reach the end of link list, return success and
                          * set address point to the starting address
                          * of the image
                          */
-                        goto done;
+                        *validblockaddr = valid_addr;
+                        /* skip first 2 bytes (link list pointer) */
+                        *validblockaddr += 2;
+                        return 0;
                 }
                 /* more in the link list, continue */
                 usedblocks++;
-        } while (usedblocks < priv->cfg->max_ll_items);
-        /* OTP full, use last block */
-        IWL_DEBUG_INFO(priv, "OTP is full, use last block\n");
-done:
-        *validblockaddr = valid_addr;
-        /* skip first 2 bytes (link list pointer) */
-        *validblockaddr += 2;
-        return ret;
+        } while (usedblocks <= priv->cfg->max_ll_items);
+
+        /* OTP has no valid blocks */
+        IWL_DEBUG_INFO(priv, "OTP has no valid blocks\n");
+        return -EINVAL;
 }
 
 /**