From: Jesse Barnes <jbarnes@virtuousgeek.org>
To: Jesse Brandeburg <jesse.brandeburg@intel.com>
Cc: linux-kernel@vger.kernel.org, linux-netdev@vger.kernel.org,
kkeil@suse.de, agospoda@redhat.com, arjan@linux.intel.com,
david.graham@intel.com, bruce.w.allan@intel.com, jkosina@suse.cz,
john.ronciak@intel.com, tglx@linutronix.de,
chris.jones@canonical.com, tim.gardner@intel.com,
airlied@gmail.com
Subject: Re: [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote:
Date: Thu, 2 Oct 2008 15:23:43 -0700
Message-ID: <200810021523.45884.jbarnes@virtuousgeek.org>
In-Reply-To: <20080930031927.22950.4692.stgit@jbrandeb-bw.jf.intel.com>

Ping DaveM. Does this look ok? What else would we need for you to remove
your range checking from sparc?

Thanks,
Jesse

On Monday, September 29, 2008 8:19 pm Jesse Brandeburg wrote:
> From: Jesse Barnes <jbarnes@virtuousgeek.org>
>
> > I did some snooping around, and while doing so I noticed that the PCI
> > mmap code for x86 doesn't do one bit of range checking on the size, or
> > any other aspect of the request, wrt. the MMIO regions actually mapped
> > in the BARs of the PCI device.
>
> Here's a patch that adds range checking to the sysfs mappings at
> least. This patch should catch the case where X (or some other
> process) tries to map beyond the specific BAR it's (supposedly)
> trying to access, making things safer in general. FWIW both my
> F9 and development versions of X start up fine with this patch
> applied.
>
> DaveM, will this work for you on sparc? It looked like your code
> was allowing bridge window mappings, but that behavior should be
> preserved as long as your bridge devices reflect their window
> sizes correctly in their pdev->resources?
>
> If we add similar code to the procfs stuff we wouldn't need to do
> any checking in the arches.
>
> Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
> Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
> ---
>
> drivers/pci/pci-sysfs.c | 14 ++++++++++++++
> 1 files changed, 14 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
> index 9c71858..4d1aa6e 100644
> --- a/drivers/pci/pci-sysfs.c
> +++ b/drivers/pci/pci-sysfs.c
> @@ -16,6 +16,7 @@
>
>
> #include <linux/kernel.h>
> +#include <linux/sched.h>
> #include <linux/pci.h>
> #include <linux/stat.h>
> #include <linux/topology.h>
> @@ -502,6 +503,8 @@ pci_mmap_resource(struct kobject *kobj, struct
> bin_attribute *attr, struct resource *res = (struct resource
> *)attr->private;
> enum pci_mmap_state mmap_type;
> resource_size_t start, end;
> + unsigned long map_len = vma->vm_end - vma->vm_start;
> + unsigned long map_offset = vma->vm_pgoff << PAGE_SHIFT;
> int i;
>
> for (i = 0; i < PCI_ROM_RESOURCE; i++)
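
Review bot: `map_offset` is built as `vma->vm_pgoff << PAGE_SHIFT` in an `unsigned long`, so on a 32-bit kernel a large `vm_pgoff` loses its high bits in the shift and the byte offset used by the later check comes out smaller than what was requested. Keeping both quantities in pages (`vma->vm_pgoff` and `(vma->vm_end - vma->vm_start) >> PAGE_SHIFT`) avoids the shift and lets the bounds test work on values that cannot be truncated this way.
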
> @@ -510,6 +513,17 @@ pci_mmap_resource(struct kobject *kobj, struct
> bin_attribute *attr, if (i >= PCI_ROM_RESOURCE)
> return -ENODEV;
>
> + /*
> + * Make sure the range the user is trying to map falls within
> + * the resource
> + */
> + if (map_offset + map_len > pci_resource_len(pdev, i)) {
> + WARN(1, "process \"%s\" tried to map 0x%08lx-0x%08lx on BAR %d (size
> 0x%08lx)\n", + current->comm, map_offset, map_offset + map_len, i,
> + (unsigned long)pci_resource_len(pdev, i));
> + return -EINVAL;
> + }
> +
> /* pci_mmap_page_range() expects the same kind of entry as coming
> * from /proc/bus/pci/ which is a "user visible" value. If this is
> * different from the resource itself, arch will do necessary fixup.
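
Review bot: the test `map_offset + map_len > pci_resource_len(pdev, i)` can be defeated by wraparound, because the sum of two `unsigned long` values is taken before the comparison; checking the offset against the resource size first and then the length against the remainder (or comparing in pages) closes that. Two further points on the same block: since `vma->vm_end - vma->vm_start` is a whole number of pages, a BAR whose length is smaller than a page can never pass this comparison, so the resource length should be rounded up to a page multiple before comparing. And `WARN(1, ...)` fires on every rejected request from user space, which lets any process that can open the sysfs resource file fill the log with backtraces; a `WARN_ONCE` or a rate-limited `printk` would keep the diagnostic without that. The `(unsigned long)` cast in the message also truncates the reported size when `resource_size_t` is wider than `unsigned long`.
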
>
--
Jesse Barnes, Intel Open Source Technology Center