
[PATCH RESEND] intel/pinctrl: check capability offset is between MMIO region


  • To: <linux-kernel@xxxxxxxxxxxxxxx>
  • From: Roger Pau Monne <roger.pau@xxxxxxxxxx>
  • Date: Wed, 24 Mar 2021 13:31:18 +0100
  • Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>, Andy Shevchenko <andy@xxxxxxxxxx>, Linus Walleij <linus.walleij@xxxxxxxxxx>, <linux-gpio@xxxxxxxxxxxxxxx>
  • Delivery-date: Wed, 24 Mar 2021 12:32:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

When parsing the capability list make sure the offset is within the
MMIO region mapped in 'regs', or else the kernel hits a page fault.

This fault has been seen when running as a Xen PVH dom0, which doesn't
have the MMIO regions mapped into the domain physical memory map,
despite having the device reported in the ACPI DSDT table. This
results in reporting a capability offset of 0xffff (because the kernel
is accessing unpopulated memory), and such an offset is outside of the
mapped region.

Adding the check is harmless, and prevents buggy or broken systems
from crashing the kernel if the MMIO region is not properly reported.

Fixes: 91d898e51e60 ('pinctrl: intel: Convert capability list to features')
Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
Cc: Mika Westerberg <mika.westerberg@xxxxxxxxxxxxxxx>
Cc: Andy Shevchenko <andy@xxxxxxxxxx>
Cc: Linus Walleij <linus.walleij@xxxxxxxxxx>
Cc: linux-gpio@xxxxxxxxxxxxxxx
---
Resend because I've missed adding the maintainers, sorry for the spam.
---
 drivers/pinctrl/intel/pinctrl-intel.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/pinctrl/intel/pinctrl-intel.c 
b/drivers/pinctrl/intel/pinctrl-intel.c
index 8085782cd8f9..bc8b990d8021 100644
--- a/drivers/pinctrl/intel/pinctrl-intel.c
+++ b/drivers/pinctrl/intel/pinctrl-intel.c
@@ -1481,16 +1481,22 @@ static int intel_pinctrl_probe(struct platform_device 
*pdev,
 
        for (i = 0; i < pctrl->ncommunities; i++) {
                struct intel_community *community = &pctrl->communities[i];
+               struct resource *res;
                void __iomem *regs;
+               size_t size;
                u32 offset;
                u32 value;
 
                *community = pctrl->soc->communities[i];
 
-               regs = devm_platform_ioremap_resource(pdev, community->barno);
+               regs = devm_platform_get_and_ioremap_resource(pdev,
+                                                             community->barno,
+                                                             &res);
                if (IS_ERR(regs))
                        return PTR_ERR(regs);
 
+               size = res->end - res->start;
+
                /* Determine community features based on the revision */
                value = readl(regs + REVID);
                if (((value & REVID_MASK) >> REVID_SHIFT) >= 0x94) {
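Review bot: `size = res->end - res->start;` comes out one byte short of the mapped length, because `end` in a struct resource is the last valid address (inclusive). Use `resource_size(res)` instead of open-coding the subtraction, and consider declaring `size` as `resource_size_t` so the type matches the resource fields rather than relying on `size_t` being wide enough. With the current arithmetic the bound applied later in the loop is stricter by one byte than the region that was actually mapped, which is harmless here but makes the check harder to reason about.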
@@ -1519,6 +1525,12 @@ static int intel_pinctrl_probe(struct platform_device 
*pdev,
                                break;
                        }
                        offset = (value & CAPLIST_NEXT_MASK) >> 
CAPLIST_NEXT_SHIFT;
+                       if (offset >= size) {
+                               dev_err(&pdev->dev,
+                                       "wrong capability offset: %#x\n",
+                                       offset);
+                               return -ENOENT;
+                       }
                } while (offset);
 
                dev_dbg(&pdev->dev, "Community%d features: %#08x\n", i, 
community->features);
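Review bot: the bound in `if (offset >= size)` only guarantees that the first byte of the next capability register lies inside the mapping, while `value` is a u32 read from `regs + offset`, so an offset in the last three bytes of the region still passes and the 32-bit read runs past the end. Compare against the space needed for the access, for example `offset > size - sizeof(u32)`, and it may be worth rejecting offsets that are not 4-byte aligned in the same test. Two smaller points: the `dev_err` message would be easier to act on if it included the community index `i`, as the `dev_dbg` line below does, and -ENOENT is an unusual return for a malformed capability list, so a short comment or a different errno would help whoever reads the probe failure.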
-- 
2.30.1




 

