[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] intel/pinctrl: check capability offset is between MMIO region
- To: <linux-kernel@xxxxxxxxxxxxxxx>
- From: Roger Pau Monne <roger.pau@xxxxxxxxxx>
- Date: Wed, 24 Mar 2021 13:17:44 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zw3d2v6aNIIWAAyD1yYCNSl+vqRyx1tcom5wbgbKMwU=; b=cTJNNLYdTLbwRI6yvis0g7rhXczkylh0rY9T98v1ScCqTFdvKyXE1+FHFbeMAZUIze+JcN0Rxv4mTHDn6SKT6QHykq9i0VCKiln9vuucHZ4C6vgJZl1FnTmMWz7b7Led1l69MPA3UPWD4J5QmEeermAxSiBaRuqFw2PBDupUVFaVKxdRltOwRo1hk4psqHzxRVAoQsN7OcxaweMRqiDgHFxWYhbNa+GlzILgp0mHIZJJLjubS9TLV6uxxhLOR4dUjtlJtzyR5h1kc91qdZnQxu9ftHlIXwR9hVjfQWjUkojd3VC7tyKIQfRVlLBGZkkOkTYmuv10rY6HHbo8Biph5A==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=T9K/LODDjejv+NyiBUiUx8CY9XhtZOFswgMUlOo1OrQhbp76R8IstBH3RuO6daSSvWfEnOsp6deYaLWC/JlPHhlgyDPSxF9RPx53ejFtFuLEF84rMVnlgi/7ra6oZU7sVsTV7zFTw5ZpbeFrBq3q0k0DykLyVAJaLrKtRTcEfFRmc1UFkaE6tqRO1QgbPtHmiAP94T+NTE/huusRgB57zyUFG+eHfEUzxXOCnU+hwND/uSaOwQDBMcjUHjwW0GvkDftD3iexrM97+Q2y7cpEjsZu4mfg8EAnAeXdNevAd/YTWbZSRp2zE2mWoqBZYR9+knb50I2hC4OTocG3ZzPnKg==
- Authentication-results: esa6.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
- Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>
- Delivery-date: Wed, 24 Mar 2021 12:18:22 +0000
- Ironport-hdrordr: A9a23:gaYUYqwtQO9N8akB6MPZKrPx/uskLtp033Aq2lEZdDV8btGYm8 eynP4SyB/zj3IrVGs9nM2bUZPsfVr3//dOgbU5F7GkQQXgpS+UPJhvhLGSpwHINg/f0qpm1a lme7VjE9GYNzJHpOvz/QXQKbkd6fad9qTAv4nj5lNMaS0vVK169Qd+DW+gYyhLbS1LH4AwGp bZxucvnUvCRV0tYs62BmYIUoH4zrWmqLvcbQMbHBli0QGSjFqTg4LSKQSS3RsVTlp0sNUf2F XC+jaZ2oyT98uV5zWZ/G/V4pRQlrLau6Z+Lf3JsOc5AHHBjg6pYa5oRrGNuiskydvflGoCoZ 33jDoLe+h19nPNbkG5yCGdpDXI4XIVxFLJjX+enHf5rsTySFsBerR8rLMcSDT1wQ4EnrhHoc V29lPcjbV7J1f8uR64wN7yWxRjhiOP0AEfuN9WtVNze88jcrNLxLZvmn99IdM7Mw/RzpsoK+ VqBNG03octTXqqK0rUuWRi27WXLw0ONybDRkADv/qc2CRNkEZ4yFMFxNcekm1ozuNEd6V5
- Ironport-sdr: ufolKvIAkNeHf3TxRyosTpXzSPo4bFhEM8sTJ9y//1ZaVABUOc3DioOwYPthh0CHVX3MnUWsGi EFPw1zTdGiffij860eGuQwfbr3+Hm/wse+qa4mZjMnE0hnzisrYAvn9fSm8lKW+l0lbCLiEUN3 rw72APvFqxRt47KFIoTnNJy9R6Sv/DYWKXligFMls0fTWL7mS05nlOPgXL5RJc1be5JTaugLxr cFON36qovmplZvrscFakmvxSonx9lNQL77hP68JOVR+rukIVF+HU7Vt3utJ1PCsYA4dsOM+x1G cYM=
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
When parsing the capability list make sure the offset is between the
MMIO region mapped in 'regs', or else the kernel hits a page fault.
This fault has been seen when running as a Xen PVH dom0, which doesn't
have the MMIO regions mapped into the domain physical memory map,
despite having the device reported in the ACPI DSDT table. This
results in reporting a capability offset of 0xffff (because the kernel
is accessing unpopulated memory), and such offset is outside of the
mapped region.
Adding the check is harmless, and prevents buggy or broken systems
from crashing the kernel if the MMIO region is not properly reported.
Fixes: 91d898e51e60 ('pinctrl: intel: Convert capability list to features')
Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
drivers/pinctrl/intel/pinctrl-intel.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/intel/pinctrl-intel.c
b/drivers/pinctrl/intel/pinctrl-intel.c
index 8085782cd8f9..bc8b990d8021 100644
--- a/drivers/pinctrl/intel/pinctrl-intel.c
+++ b/drivers/pinctrl/intel/pinctrl-intel.c
@@ -1481,16 +1481,22 @@ static int intel_pinctrl_probe(struct platform_device
*pdev,
for (i = 0; i < pctrl->ncommunities; i++) {
struct intel_community *community = &pctrl->communities[i];
+ struct resource *res;
void __iomem *regs;
+ size_t size;
u32 offset;
u32 value;
*community = pctrl->soc->communities[i];
- regs = devm_platform_ioremap_resource(pdev, community->barno);
+ regs = devm_platform_get_and_ioremap_resource(pdev,
+ community->barno,
+ &res);
if (IS_ERR(regs))
return PTR_ERR(regs);
+ size = res->end - res->start;
+
/* Determine community features based on the revision */
value = readl(regs + REVID);
if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) {
@@ -1519,6 +1525,12 @@ static int intel_pinctrl_probe(struct platform_device
*pdev,
break;
}
offset = (value & CAPLIST_NEXT_MASK) >>
CAPLIST_NEXT_SHIFT;
+ if (offset >= size) {
+ dev_err(&pdev->dev,
+ "wrong capability offset: %#x\n",
+ offset);
+ return -ENOENT;
+ }
} while (offset);
dev_dbg(&pdev->dev, "Community%d features: %#08x\n", i,
community->features);
--
2.30.1
|