linuxppc-dev.lists.ozlabs.org archive mirror
From: Alexey Kardashevskiy <aik@ozlabs.ru>
To: linuxppc-dev@lists.ozlabs.org
Cc: Alexey Kardashevskiy <aik@ozlabs.ru>,
	Alex Williamson <alex.williamson@redhat.com>,
	Alistair Popple <alistair@popple.id.au>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>,
	Dan Carpenter <dan.carpenter@oracle.com>,
	Daniel Axtens <dja@axtens.net>,
	David Gibson <david@gibson.dropbear.id.au>,
	Gavin Shan <gwshan@linux.vnet.ibm.com>,
	Russell Currey <ruscur@russell.cc>,
	kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH kernel v4 01/11] vfio_pci: Test for extended capabilities if config space > 256 bytes
Date: Fri, 29 Apr 2016 18:55:14 +1000	[thread overview]
Message-ID: <1461920124-21719-2-git-send-email-aik@ozlabs.ru> (raw)
In-Reply-To: <1461920124-21719-1-git-send-email-aik@ozlabs.ru>

PCI-Express spec says that reading 4 bytes at offset 100h should return
zero if there is no extended capability so VFIO reads this dword to
know if there are extended capabilities.

However it is not always possible to access the extended space so
generic PCI code in pci_cfg_space_size_ext() checks if
pci_read_config_dword() can read beyond 100h and if the check fails,
it sets the config space size to 100h.

VFIO does its own extended capabilities check by reading at offset 100h
which may produce 0xffffffff which VFIO treats as the extended config
space presence and calls vfio_ecap_init() which fails to parse
capabilities (which is expected) but right before the exit, it writes
zero at offset 100h which is beyond the buffer allocated for
vdev->vconfig (which is 256 bytes) which leads to random memory
corruption.

This makes VFIO only check for the extended capabilities if
the discovered config size is more than 256 bytes.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
---
Changes:
v2:
* instead of checking for 0xffffffff, this only does the check if
the device's config size is big enough
---
 drivers/vfio/pci/vfio_pci_config.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index 142c533..d0c4358 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -1124,9 +1124,12 @@ static int vfio_cap_len(struct vfio_pci_device *vdev, u8 cap, u8 pos)
 			return pcibios_err_to_errno(ret);
 
 		if (PCI_X_CMD_VERSION(word)) {
-			/* Test for extended capabilities */
-			pci_read_config_dword(pdev, PCI_CFG_SPACE_SIZE, &dword);
-			vdev->extended_caps = (dword != 0);
+			if (pdev->cfg_size > PCI_CFG_SPACE_SIZE) {
+				/* Test for extended capabilities */
+				pci_read_config_dword(pdev, PCI_CFG_SPACE_SIZE,
+						&dword);
+				vdev->extended_caps = (dword != 0);
+			}
 			return PCI_CAP_PCIX_SIZEOF_V2;
 		} else
 			return PCI_CAP_PCIX_SIZEOF_V0;
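Review bot: the return value of pci_read_config_dword() is still discarded in the new block, so a read that fails for some reason other than the space being too small still leaves `dword` as all-ones and sets extended_caps. With the `pdev->cfg_size > PCI_CFG_SPACE_SIZE` guard that no longer walks past vconfig, since the core only reports the larger size after its own read at 100h succeeded, but the function already has `ret` in scope for the earlier reads; assigning the result to it and returning the error would make the intent explicit. Separately, this guarded read-and-assign is now duplicated verbatim in the PCI_CAP_ID_EXP case below; a small helper would keep the two copies in sync.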
@@ -1138,9 +1141,11 @@ static int vfio_cap_len(struct vfio_pci_device *vdev, u8 cap, u8 pos)
 
 		return byte;
 	case PCI_CAP_ID_EXP:
-		/* Test for extended capabilities */
-		pci_read_config_dword(pdev, PCI_CFG_SPACE_SIZE, &dword);
-		vdev->extended_caps = (dword != 0);
+		if (pdev->cfg_size > PCI_CFG_SPACE_SIZE) {
+			/* Test for extended capabilities */
+			pci_read_config_dword(pdev, PCI_CFG_SPACE_SIZE, &dword);
+			vdev->extended_caps = dword != 0;
+		}
 
 		/* length based on version */
 		if ((pcie_caps_reg(pdev) & PCI_EXP_FLAGS_VERS) == 1)
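Review bot: when the guard is false, extended_caps is no longer assigned on this path at all, whereas before the assignment was unconditional; that is fine only as long as vdev arrives zeroed, so an explicit `else vdev->extended_caps = false;` would remove the dependency on the allocator. Minor: `vdev->extended_caps = dword != 0;` drops the parentheses the PCI-X hunk keeps (`vdev->extended_caps = (dword != 0);`); pick one form for both. It would also help the commit message to say why cfg_size is the right thing to test, i.e. that it is what the vconfig buffer is sized from, so the probe at 100h is tied to the buffer vfio_ecap_init() later writes into rather than to whether the read happens to work.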
-- 
2.5.0.rc3
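The failure mode the commit message describes, modelled in user-space C as an added example that is not part of this patch or of the VFIO driver. It assumes a hypothetical device model (fake_pdev, fake_vdev, fake_read_config_dword, vconfig_write32, fake_ecap_init) in which a read past 100h on a device whose extended space is inaccessible returns all-ones, and a vconfig buffer sized like the one in the commit message (256 bytes when the space is unreadable). probe_before() is the unconditional probe the patch removes; probe_after() is the cfg_size-gated one it adds. The bounds-checked store records the out-of-range write that the real driver would turn into heap corruption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PCI_CFG_SPACE_SIZE     256
#define PCI_CFG_SPACE_EXP_SIZE 4096

/* Hypothetical device: config space that may or may not be readable past 0x100. */
struct fake_pdev {
	unsigned int cfg_size;   /* what the PCI core decided: 256 or 4096 */
	bool ext_readable;       /* can the bus really read beyond 0x100? */
	uint8_t cfg[PCI_CFG_SPACE_EXP_SIZE];
};

/* Mimics pci_read_config_dword(): an inaccessible offset reads as all-ones. */
static int fake_read_config_dword(const struct fake_pdev *pdev, unsigned int pos,
				  uint32_t *val)
{
	if (pos + 4 > PCI_CFG_SPACE_SIZE && !pdev->ext_readable) {
		*val = 0xffffffff;
		return -1;
	}
	memcpy(val, &pdev->cfg[pos], 4);
	return 0;
}

/* Hypothetical stand-in for struct vfio_pci_device. */
struct fake_vdev {
	struct fake_pdev *pdev;
	uint8_t *vconfig;
	size_t vconfig_len;
	bool extended_caps;
	bool overflow;   /* the kernel has no such flag; it just corrupts memory */
};

/* Bounds-checked store in place of the plain array write at the end of vfio_ecap_init(). */
static void vconfig_write32(struct fake_vdev *vdev, unsigned int pos, uint32_t val)
{
	if (pos + 4 > vdev->vconfig_len) {
		vdev->overflow = true;
		return;
	}
	memcpy(&vdev->vconfig[pos], &val, 4);
}

/* Stand-in for vfio_ecap_init(): parsing ~0 fails, but the exit path still zeroes 0x100. */
static void fake_ecap_init(struct fake_vdev *vdev)
{
	vconfig_write32(vdev, PCI_CFG_SPACE_SIZE, 0);
}

/* Before the patch: probe offset 0x100 unconditionally. */
static void probe_before(struct fake_vdev *vdev)
{
	uint32_t dword;

	fake_read_config_dword(vdev->pdev, PCI_CFG_SPACE_SIZE, &dword);
	vdev->extended_caps = (dword != 0);
	if (vdev->extended_caps)
		fake_ecap_init(vdev);
}

/* After the patch: probe only when the core already sized the space beyond 256 bytes. */
static void probe_after(struct fake_vdev *vdev)
{
	uint32_t dword;

	if (vdev->pdev->cfg_size > PCI_CFG_SPACE_SIZE) {
		fake_read_config_dword(vdev->pdev, PCI_CFG_SPACE_SIZE, &dword);
		vdev->extended_caps = (dword != 0);
	}
	if (vdev->extended_caps)
		fake_ecap_init(vdev);
}

struct probe_result {
	bool extended_caps;
	bool overflow;
};

static struct probe_result run_probe(bool ext_readable, void (*probe)(struct fake_vdev *))
{
	static struct fake_pdev pdev;   /* 4 KiB of config space, kept off the stack */
	struct fake_vdev vdev = { 0 };
	struct probe_result res;

	memset(&pdev, 0, sizeof(pdev));
	pdev.ext_readable = ext_readable;
	pdev.cfg_size = ext_readable ? PCI_CFG_SPACE_EXP_SIZE : PCI_CFG_SPACE_SIZE;
	if (ext_readable) {
		uint32_t hdr = 0x00010001;   /* constructed ecap header: ID 1, v1, next 0 */
		memcpy(&pdev.cfg[PCI_CFG_SPACE_SIZE], &hdr, 4);
	}

	vdev.pdev = &pdev;
	vdev.vconfig_len = pdev.cfg_size;   /* 256 bytes in the failing case, as in the commit message */
	vdev.vconfig = calloc(1, vdev.vconfig_len);
	probe(&vdev);
	res.extended_caps = vdev.extended_caps;
	res.overflow = vdev.overflow;
	free(vdev.vconfig);
	return res;
}

static bool probe_overflows(bool ext_readable, void (*probe)(struct fake_vdev *))
{
	return run_probe(ext_readable, probe).overflow;
}

static bool probe_sets_ext_caps(bool ext_readable, void (*probe)(struct fake_vdev *))
{
	return run_probe(ext_readable, probe).extended_caps;
}

int main(void)
{
	printf("ext space unreadable, before patch: overflow=%d\n", probe_overflows(false, probe_before));
	printf("ext space unreadable, after patch:  overflow=%d\n", probe_overflows(false, probe_after));
	printf("ext space readable,   after patch:  ecaps=%d\n", probe_sets_ext_caps(true, probe_after));
	return 0;
}
```

The point the model makes is that the all-ones read is indistinguishable from a real non-zero capability header at 100h, so the only information that separates the two cases is the size the PCI core already established; gating on cfg_size rather than on the value 0xffffffff, as the v2 note says, is what ties the probe to the buffer that gets written.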

Thread overview: 24+ messages
2016-04-29  8:55 [PATCH kernel v4 00/11] powerpc/powernv/npu: Enable PCI pass through for NVLink Alexey Kardashevskiy
2016-04-29  8:55 ` Alexey Kardashevskiy [this message]
2016-04-29 15:42   ` [PATCH kernel v4 01/11] vfio_pci: Test for extended capabilities if config space > 256 bytes Alex Williamson
2016-04-29  8:55 ` [PATCH kernel v4 02/11] vfio/spapr: Relax the IOMMU compatibility check Alexey Kardashevskiy
2016-04-29 15:41   ` Alex Williamson
2016-05-10 21:48   ` [kernel, v4, " Michael Ellerman
2016-04-29  8:55 ` [PATCH kernel v4 03/11] powerpc/powernv: Rename pnv_pci_ioda2_tce_invalidate_entire Alexey Kardashevskiy
2016-04-29  8:55 ` [PATCH kernel v4 04/11] powerpc/powernv: Define TCE Kill flags Alexey Kardashevskiy
2016-04-29  8:55 ` [PATCH kernel v4 05/11] powerpc/powernv/npu: TCE Kill helpers cleanup Alexey Kardashevskiy
2016-04-29  8:55 ` [PATCH kernel v4 06/11] powerpc/powernv/npu: Use the correct IOMMU page size Alexey Kardashevskiy
2016-04-29  8:55 ` [PATCH kernel v4 07/11] powerpc/powernv/npu: Simplify DMA setup Alexey Kardashevskiy
2016-04-29  8:55 ` [PATCH kernel v4 08/11] powerpc/powernv/ioda2: Export debug helper pe_level_printk() Alexey Kardashevskiy
2016-05-03  5:46   ` Alistair Popple
2016-05-03  5:58     ` Alistair Popple
2016-04-29  8:55 ` [PATCH kernel v4 09/11] powerpc/powernv/npu: Add set/unset window helpers Alexey Kardashevskiy
2016-05-03  6:25   ` Alistair Popple
2016-04-29  8:55 ` [PATCH kernel v4 10/11] powerpc/powernv/npu: Rework TCE Kill handling Alexey Kardashevskiy
2016-05-03  7:37   ` Alistair Popple
2016-05-05  4:23     ` Alexey Kardashevskiy
2016-05-06  1:11       ` Alistair Popple
2016-04-29  8:55 ` [PATCH kernel v4 11/11] powerpc/powernv/npu: Enable NVLink pass through Alexey Kardashevskiy
2016-05-03 14:08   ` Alistair Popple
2016-05-05  5:49     ` Alexey Kardashevskiy
2016-05-06  1:02       ` Alistair Popple
