From: John Garry <john.garry@huawei.com> To: <bhelgaas@google.com>, <lorenzo.pieralisi@arm.com>, <arnd@arndb.de> Cc: <linux-pci@vger.kernel.org>, <rjw@rjwysocki.net>, <linux-arm-kernel@lists.infradead.org>, <will.deacon@arm.com>, <wangkefeng.wang@huawei.com>, <linuxarm@huawei.com>, <andriy.shevchenko@linux.intel.com>, <linux-kernel@vger.kernel.org>, <catalin.marinas@arm.com>, John Garry <john.garry@huawei.com> Subject: [PATCH v4 2/3] lib: logic_pio: Reject accesses to unregistered CPU MMIO regions Date: Tue, 11 Jun 2019 22:12:53 +0800 [thread overview] Message-ID: <1560262374-67875-3-git-send-email-john.garry@huawei.com> (raw) In-Reply-To: <1560262374-67875-1-git-send-email-john.garry@huawei.com> Currently when accessing logical indirect PIO addresses in logic_{in, out}{,s}, we first ensure that the region is registered. However, no such check exists for CPU MMIO regions. The CPU MMIO regions would be registered by the PCI host (when PCI_IOBASE is defined) in pci_register_io_range(). We have seen scenarios when systems which don't have a PCI host, or they do but the PCI host probe fails, certain drivers attempts to still attempt to access PCI IO ports; examples are in [1] and [2]. Such is a case on an ARM64 system without a PCI host: root@(none)$ insmod hwmon/f71805f.ko Unable to handle kernel paging request at virtual address ffff7dfffee0002e Mem abort info: ESR = 0x96000046 Exception class = DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000046 CM = 0, WnR = 1 swapper pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____) [ffff7dfffee0002e] pgd=000000000141c003, pud=000000000141d003, pmd=0000000000000000 Internal error: Oops: 96000046 [#1] PREEMPT SMP Modules linked in: f71805f(+) CPU: 20 PID: 2736 Comm: insmod Not tainted 5.1.0-rc1-00003-g6f1bfec2a620-dirty #99 Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018 pstate: 80000005 (Nzcv daif -PAN -UAO) pc : logic_outb+0x54/0xb8 lr : f71805f_find+0x2c/0x1b8 [f71805f] sp : ffff000025fbba90 x29: ffff000025fbba90 x28: ffff000008b944d0 x27: ffff000025fbbdf0 x26: 0000000000000100 x25: ffff801f8c270580 x24: ffff000011420000 x23: ffff000025fbbb3e x22: ffff000025fbbb40 x21: ffff000008b991b8 x20: 0000000000000087 x19: 000000000000002e x18: ffffffffffffffff x17: 0000000000000000 x16: 0000000000000000 x15: ffff00001127d6c8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000010820 x10: 0000841fdac40000 x9 : 0000000000000001 x8 : 0000000040000000 x7 : 0000000000210d00 x6 : 0000000000000000 x5 : ffff801fb6a46040 x4 : ffff841febeaeda0 x3 : 0000000000ffbffe x2 : ffff000025fbbb40 x1 : ffff7dfffee0002e x0 : ffff7dfffee00000 Process insmod (pid: 2736, stack limit = 0x(____ptrval____)) Call trace: logic_outb+0x54/0xb8 f71805f_find+0x2c/0x1b8 [f71805f] f71805f_init+0x38/0xe48 [f71805f] do_one_initcall+0x5c/0x198 do_init_module+0x54/0x1b0 load_module+0x1dc4/0x2158 __se_sys_init_module+0x14c/0x1e8 __arm64_sys_init_module+0x18/0x20 el0_svc_common+0x5c/0x100 el0_svc_handler+0x2c/0x80 el0_svc+0x8/0xc Code: d2bfdc00 f2cfbfe0 f2ffffe0 8b000021 (39000034) ---[ end trace 10ea80bde051bbfc ]--- root@(none)$ Well-behaved drivers call request_{muxed_}region() to grab the IO port region, but success here still doesn't actually mean that there is some IO port mapped in this region. This patch adds a check to ensure that the CPU MMIO region is registered prior to accessing the PCI IO ports. Any failed checks silently return. [1] https://lore.kernel.org/linux-pci/56F209A9.4040304@huawei.com [2] https://lore.kernel.org/linux-arm-kernel/e6995b4a-184a-d8d4-f4d4-9ce75d8f47c0@huawei.com/ Signed-off-by: John Garry <john.garry@huawei.com> --- lib/logic_pio.c | 60 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 41 insertions(+), 19 deletions(-) diff --git a/lib/logic_pio.c b/lib/logic_pio.c index 40d9428010e1..47d24f428908 100644 --- a/lib/logic_pio.c +++ b/lib/logic_pio.c @@ -126,7 +126,7 @@ static struct logic_pio_hwaddr *find_io_range(unsigned long pio) if (in_range(pio, range->io_start, range->size)) return range; } - pr_err("PIO entry token %lx invalid\n", pio); + return NULL; } @@ -197,11 +197,12 @@ unsigned long logic_pio_trans_cpuaddr(resource_size_t addr) type logic_in##bw(unsigned long addr) \ { \ type ret = (type)~0; \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ \ if (addr < MMIO_UPPER_LIMIT) { \ - ret = read##bw(PCI_IOBASE + addr); \ + if (range) \ + ret = read##bw(PCI_IOBASE + addr); \ } else if (addr >= MMIO_UPPER_LIMIT && addr < IO_SPACE_LIMIT) { \ - struct logic_pio_hwaddr *range = find_io_range(addr); \ size_t sz = sizeof(type); \ \ if (range && range->ops) \ @@ -214,10 +215,12 @@ type logic_in##bw(unsigned long addr) \ \ void logic_out##bw(type value, unsigned long addr) \ { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ if (addr < MMIO_UPPER_LIMIT) { \ - write##bw(value, PCI_IOBASE + addr); \ + if (range) \ + write##bw(value, PCI_IOBASE + addr); \ } else if (addr >= MMIO_UPPER_LIMIT && addr < IO_SPACE_LIMIT) { \ - struct logic_pio_hwaddr *range = find_io_range(addr); \ size_t sz = sizeof(type); \ \ if (range && range->ops) \ @@ -230,10 +233,12 @@ void logic_out##bw(type value, unsigned long addr) \ \ void logic_ins##bw(unsigned long addr, void *buf, unsigned int cnt) \ { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ if (addr < MMIO_UPPER_LIMIT) { \ - reads##bw(PCI_IOBASE + addr, buf, cnt); \ + if (range) \ + reads##bw(PCI_IOBASE + addr, buf, cnt); \ } else if (addr >= MMIO_UPPER_LIMIT && addr < IO_SPACE_LIMIT) { \ - struct logic_pio_hwaddr *range = find_io_range(addr); \ size_t sz = sizeof(type); \ \ if (range && range->ops) \ @@ -242,16 +247,17 @@ void logic_ins##bw(unsigned long addr, void *buf, unsigned int cnt) \ else \ WARN_ON_ONCE(1); \ } \ - \ } \ \ void logic_outs##bw(unsigned long addr, const void *buf, \ unsigned int cnt) \ { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ if (addr < MMIO_UPPER_LIMIT) { \ - writes##bw(PCI_IOBASE + addr, buf, cnt); \ + if (range) \ + writes##bw(PCI_IOBASE + addr, buf, cnt); \ } else if (addr >= MMIO_UPPER_LIMIT && addr < IO_SPACE_LIMIT) { \ - struct logic_pio_hwaddr *range = find_io_range(addr); \ size_t sz = sizeof(type); \ \ if (range && range->ops) \ @@ -269,28 +275,44 @@ type logic_in##bw(unsigned long addr) \ { \ type ret = (type)~0; \ \ - if (addr < MMIO_UPPER_LIMIT) \ - ret = read##bw(PCI_IOBASE + addr); \ + if (addr < MMIO_UPPER_LIMIT) { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ + if (range) \ + ret = read##bw(PCI_IOBASE + addr); \ + } \ return ret; \ } \ \ -void logic_out##bw(type value, unsigned long addr) \ +void logic_out##bw(type val, unsigned long addr) \ { \ - if (addr < MMIO_UPPER_LIMIT) \ - write##bw(value, PCI_IOBASE + addr); \ + if (addr < MMIO_UPPER_LIMIT) { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ + if (range) \ + write##bw(val, PCI_IOBASE + addr); \ + } \ } \ \ void logic_ins##bw(unsigned long addr, void *buf, unsigned int cnt) \ { \ - if (addr < MMIO_UPPER_LIMIT) \ - reads##bw(PCI_IOBASE + addr, buf, cnt); \ + if (addr < MMIO_UPPER_LIMIT) { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ + if (range) \ + reads##bw(PCI_IOBASE + addr, buf, cnt); \ + } \ } \ \ void logic_outs##bw(unsigned long addr, const void *buf, \ unsigned int cnt) \ { \ - if (addr < MMIO_UPPER_LIMIT) \ - writes##bw(PCI_IOBASE + addr, buf, cnt); \ + if (addr < MMIO_UPPER_LIMIT) { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ + if (range) \ + writes##bw(PCI_IOBASE + addr, buf, cnt); \ + } \ } #endif /* CONFIG_INDIRECT_PIO */ -- 2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: John Garry <john.garry@huawei.com> To: <bhelgaas@google.com>, <lorenzo.pieralisi@arm.com>, <arnd@arndb.de> Cc: rjw@rjwysocki.net, wangkefeng.wang@huawei.com, linux-pci@vger.kernel.org, John Garry <john.garry@huawei.com>, will.deacon@arm.com, linuxarm@huawei.com, linux-kernel@vger.kernel.org, catalin.marinas@arm.com, andriy.shevchenko@linux.intel.com, linux-arm-kernel@lists.infradead.org Subject: [PATCH v4 2/3] lib: logic_pio: Reject accesses to unregistered CPU MMIO regions Date: Tue, 11 Jun 2019 22:12:53 +0800 [thread overview] Message-ID: <1560262374-67875-3-git-send-email-john.garry@huawei.com> (raw) In-Reply-To: <1560262374-67875-1-git-send-email-john.garry@huawei.com> Currently when accessing logical indirect PIO addresses in logic_{in, out}{,s}, we first ensure that the region is registered. However, no such check exists for CPU MMIO regions. The CPU MMIO regions would be registered by the PCI host (when PCI_IOBASE is defined) in pci_register_io_range(). We have seen scenarios when systems which don't have a PCI host, or they do but the PCI host probe fails, certain drivers attempts to still attempt to access PCI IO ports; examples are in [1] and [2]. Such is a case on an ARM64 system without a PCI host: root@(none)$ insmod hwmon/f71805f.ko Unable to handle kernel paging request at virtual address ffff7dfffee0002e Mem abort info: ESR = 0x96000046 Exception class = DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000046 CM = 0, WnR = 1 swapper pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____) [ffff7dfffee0002e] pgd=000000000141c003, pud=000000000141d003, pmd=0000000000000000 Internal error: Oops: 96000046 [#1] PREEMPT SMP Modules linked in: f71805f(+) CPU: 20 PID: 2736 Comm: insmod Not tainted 5.1.0-rc1-00003-g6f1bfec2a620-dirty #99 Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018 pstate: 80000005 (Nzcv daif -PAN -UAO) pc : logic_outb+0x54/0xb8 lr : f71805f_find+0x2c/0x1b8 [f71805f] sp : ffff000025fbba90 x29: ffff000025fbba90 x28: ffff000008b944d0 x27: ffff000025fbbdf0 x26: 0000000000000100 x25: ffff801f8c270580 x24: ffff000011420000 x23: ffff000025fbbb3e x22: ffff000025fbbb40 x21: ffff000008b991b8 x20: 0000000000000087 x19: 000000000000002e x18: ffffffffffffffff x17: 0000000000000000 x16: 0000000000000000 x15: ffff00001127d6c8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000010820 x10: 0000841fdac40000 x9 : 0000000000000001 x8 : 0000000040000000 x7 : 0000000000210d00 x6 : 0000000000000000 x5 : ffff801fb6a46040 x4 : ffff841febeaeda0 x3 : 0000000000ffbffe x2 : ffff000025fbbb40 x1 : ffff7dfffee0002e x0 : ffff7dfffee00000 Process insmod (pid: 2736, stack limit = 0x(____ptrval____)) Call trace: logic_outb+0x54/0xb8 f71805f_find+0x2c/0x1b8 [f71805f] f71805f_init+0x38/0xe48 [f71805f] do_one_initcall+0x5c/0x198 do_init_module+0x54/0x1b0 load_module+0x1dc4/0x2158 __se_sys_init_module+0x14c/0x1e8 __arm64_sys_init_module+0x18/0x20 el0_svc_common+0x5c/0x100 el0_svc_handler+0x2c/0x80 el0_svc+0x8/0xc Code: d2bfdc00 f2cfbfe0 f2ffffe0 8b000021 (39000034) ---[ end trace 10ea80bde051bbfc ]--- root@(none)$ Well-behaved drivers call request_{muxed_}region() to grab the IO port region, but success here still doesn't actually mean that there is some IO port mapped in this region. This patch adds a check to ensure that the CPU MMIO region is registered prior to accessing the PCI IO ports. Any failed checks silently return. [1] https://lore.kernel.org/linux-pci/56F209A9.4040304@huawei.com [2] https://lore.kernel.org/linux-arm-kernel/e6995b4a-184a-d8d4-f4d4-9ce75d8f47c0@huawei.com/ Signed-off-by: John Garry <john.garry@huawei.com> --- lib/logic_pio.c | 60 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 41 insertions(+), 19 deletions(-) diff --git a/lib/logic_pio.c b/lib/logic_pio.c index 40d9428010e1..47d24f428908 100644 --- a/lib/logic_pio.c +++ b/lib/logic_pio.c @@ -126,7 +126,7 @@ static struct logic_pio_hwaddr *find_io_range(unsigned long pio) if (in_range(pio, range->io_start, range->size)) return range; } - pr_err("PIO entry token %lx invalid\n", pio); + return NULL; } @@ -197,11 +197,12 @@ unsigned long logic_pio_trans_cpuaddr(resource_size_t addr) type logic_in##bw(unsigned long addr) \ { \ type ret = (type)~0; \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ \ if (addr < MMIO_UPPER_LIMIT) { \ - ret = read##bw(PCI_IOBASE + addr); \ + if (range) \ + ret = read##bw(PCI_IOBASE + addr); \ } else if (addr >= MMIO_UPPER_LIMIT && addr < IO_SPACE_LIMIT) { \ - struct logic_pio_hwaddr *range = find_io_range(addr); \ size_t sz = sizeof(type); \ \ if (range && range->ops) \ @@ -214,10 +215,12 @@ type logic_in##bw(unsigned long addr) \ \ void logic_out##bw(type value, unsigned long addr) \ { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ if (addr < MMIO_UPPER_LIMIT) { \ - write##bw(value, PCI_IOBASE + addr); \ + if (range) \ + write##bw(value, PCI_IOBASE + addr); \ } else if (addr >= MMIO_UPPER_LIMIT && addr < IO_SPACE_LIMIT) { \ - struct logic_pio_hwaddr *range = find_io_range(addr); \ size_t sz = sizeof(type); \ \ if (range && range->ops) \ @@ -230,10 +233,12 @@ void logic_out##bw(type value, unsigned long addr) \ \ void logic_ins##bw(unsigned long addr, void *buf, unsigned int cnt) \ { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ if (addr < MMIO_UPPER_LIMIT) { \ - reads##bw(PCI_IOBASE + addr, buf, cnt); \ + if (range) \ + reads##bw(PCI_IOBASE + addr, buf, cnt); \ } else if (addr >= MMIO_UPPER_LIMIT && addr < IO_SPACE_LIMIT) { \ - struct logic_pio_hwaddr *range = find_io_range(addr); \ size_t sz = sizeof(type); \ \ if (range && range->ops) \ @@ -242,16 +247,17 @@ void logic_ins##bw(unsigned long addr, void *buf, unsigned int cnt) \ else \ WARN_ON_ONCE(1); \ } \ - \ } \ \ void logic_outs##bw(unsigned long addr, const void *buf, \ unsigned int cnt) \ { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ if (addr < MMIO_UPPER_LIMIT) { \ - writes##bw(PCI_IOBASE + addr, buf, cnt); \ + if (range) \ + writes##bw(PCI_IOBASE + addr, buf, cnt); \ } else if (addr >= MMIO_UPPER_LIMIT && addr < IO_SPACE_LIMIT) { \ - struct logic_pio_hwaddr *range = find_io_range(addr); \ size_t sz = sizeof(type); \ \ if (range && range->ops) \ @@ -269,28 +275,44 @@ type logic_in##bw(unsigned long addr) \ { \ type ret = (type)~0; \ \ - if (addr < MMIO_UPPER_LIMIT) \ - ret = read##bw(PCI_IOBASE + addr); \ + if (addr < MMIO_UPPER_LIMIT) { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ + if (range) \ + ret = read##bw(PCI_IOBASE + addr); \ + } \ return ret; \ } \ \ -void logic_out##bw(type value, unsigned long addr) \ +void logic_out##bw(type val, unsigned long addr) \ { \ - if (addr < MMIO_UPPER_LIMIT) \ - write##bw(value, PCI_IOBASE + addr); \ + if (addr < MMIO_UPPER_LIMIT) { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ + if (range) \ + write##bw(val, PCI_IOBASE + addr); \ + } \ } \ \ void logic_ins##bw(unsigned long addr, void *buf, unsigned int cnt) \ { \ - if (addr < MMIO_UPPER_LIMIT) \ - reads##bw(PCI_IOBASE + addr, buf, cnt); \ + if (addr < MMIO_UPPER_LIMIT) { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ + if (range) \ + reads##bw(PCI_IOBASE + addr, buf, cnt); \ + } \ } \ \ void logic_outs##bw(unsigned long addr, const void *buf, \ unsigned int cnt) \ { \ - if (addr < MMIO_UPPER_LIMIT) \ - writes##bw(PCI_IOBASE + addr, buf, cnt); \ + if (addr < MMIO_UPPER_LIMIT) { \ + struct logic_pio_hwaddr *range = find_io_range(addr); \ + \ + if (range) \ + writes##bw(PCI_IOBASE + addr, buf, cnt); \ + } \ } #endif /* CONFIG_INDIRECT_PIO */ -- 2.17.1 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-06-11 14:14 UTC|newest] Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-06-11 14:12 [PATCH v4 0/3] Fix ARM64 crash for accessing unmapped IO port regions John Garry 2019-06-11 14:12 ` John Garry 2019-06-11 14:12 ` [PATCH v4 1/3] lib: logic_pio: Use logical PIO low-level accessors for !CONFIG_INDIRECT_PIO John Garry 2019-06-11 14:12 ` John Garry 2019-06-13 2:39 ` Bjorn Helgaas 2019-06-13 2:39 ` Bjorn Helgaas 2019-06-13 9:39 ` John Garry 2019-06-13 9:39 ` John Garry 2019-06-13 20:09 ` Bjorn Helgaas 2019-06-13 20:09 ` Bjorn Helgaas 2019-06-14 9:02 ` John Garry 2019-06-14 9:02 ` John Garry 2019-06-14 11:50 ` Bjorn Helgaas 2019-06-14 11:50 ` Bjorn Helgaas 2019-06-14 12:22 ` John Garry 2019-06-14 12:22 ` John Garry 2019-06-13 13:58 ` Bjorn Helgaas 2019-06-13 13:58 ` Bjorn Helgaas 2019-06-13 15:21 ` John Garry 2019-06-13 15:21 ` John Garry 2019-06-11 14:12 ` John Garry [this message] 2019-06-11 14:12 ` [PATCH v4 2/3] lib: logic_pio: Reject accesses to unregistered CPU MMIO regions John Garry 2019-06-13 3:20 ` Bjorn Helgaas 2019-06-13 3:20 ` Bjorn Helgaas 2019-06-13 7:47 ` Arnd Bergmann 2019-06-13 7:47 ` Arnd Bergmann 2019-06-13 10:17 ` John Garry 2019-06-13 10:17 ` John Garry 2019-06-13 13:46 ` Bjorn Helgaas 2019-06-13 13:46 ` Bjorn Helgaas 2019-06-13 14:09 ` John Garry 2019-06-13 14:09 ` John Garry 2019-06-11 14:12 ` [PATCH v4 3/3] lib: logic_pio: Fix up a print John Garry 2019-06-11 14:12 ` John Garry
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1560262374-67875-3-git-send-email-john.garry@huawei.com \ --to=john.garry@huawei.com \ --cc=andriy.shevchenko@linux.intel.com \ --cc=arnd@arndb.de \ --cc=bhelgaas@google.com \ --cc=catalin.marinas@arm.com \ --cc=linux-arm-kernel@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-pci@vger.kernel.org \ --cc=linuxarm@huawei.com \ --cc=lorenzo.pieralisi@arm.com \ --cc=rjw@rjwysocki.net \ --cc=wangkefeng.wang@huawei.com \ --cc=will.deacon@arm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.