[PATCH] pci/rom: Don't scan past the end of the ROM BAR

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To: Bjorn Helgaas <bhelgaas@google.com>
Cc: linux-pci@vger.kernel.org
Subject: [PATCH] pci/rom: Don't scan past the end of the ROM BAR
Date: Mon, 26 Mar 2012 10:53:01 +1100	[thread overview]
Message-ID: <1332719581.2882.26.camel@pasglop> (raw)

We can't trust the ROM headers to be 100% correct, and accessing
past the end of the BAR can cause really bad things, such as
machine checks on some platforms.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
---

Found that in an old pile of patches while cleaning up my disk :-)

I was dealing with a buggy radeon that the time iirc.

Cheers,
Ben.
 
diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
index 36864a9..d07dcfc 100644
--- a/drivers/pci/rom.c
+++ b/drivers/pci/rom.c
@@ -67,10 +67,10 @@ void pci_disable_rom(struct pci_dev *pdev)
 size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
 {
 	void __iomem *image;
-	int last_image;
+	int last_image = 0;
 
 	image = rom;
-	do {
+	while (!last_image && (image - rom) < (size - 24)) {
 		void __iomem *pds;
 		/* Standard PCI ROMs start out with these bytes 55 AA */
 		if (readb(image) != 0x55) {
@@ -92,7 +92,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
 		last_image = readb(pds + 21) & 0x80;
 		/* this length is reliable */
 		image += readw(pds + 16) * 512;
-	} while (!last_image);
+	};
 
 	/* never return a size larger than the PCI resource window */
 	/* there are known ROMs that get the size wrong */
-- 
1.7.9.1

                 reply	other threads:[~2012-03-25 23:53 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:36864a9 dfblob:d07dcfc )
 OR (
bs:"[PATCH] pci/rom: Don't scan past the end of the ROM BAR" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1332719581.2882.26.camel@pasglop \
    --to=benh@kernel.crashing.org \
    --cc=bhelgaas@google.com \
    --cc=linux-pci@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.