* Re: About pci_ioremap_bar null dereference
From: Andy Shevchenko @ 2020-01-10 12:10 UTC
To: P J P, linux-pci; +Cc: Navid Emamdoost

Cc'ed to Linux PCI ML in case somebody has better knowledge about.

On Fri, Jan 10, 2020 at 1:54 PM P J P <ppandit@redhat.com> wrote:
>
> Hello Andy, Navid
>
>   -> https://git.kernel.org/linus/ea5ab2e422de0ef0fc476fe40f0829abe72684cd
>
> I was trying to understand this NULL dereference. IIUC, pci_ioremap_bar()
> returning NULL indicates insufficient memory OR if the pci device is
> configured to use I/O port address, instead of memory mapped region.
>
> I was wondering if(or how) it is reproducible for unprivileged user? Do you
> happen to have a reproducer for it?

It's very unlikely to see IRL such problem. Theoretically it may
happen if the system in question has a LOT of devices connected to PCI
and suddenly there is no window for a resource left (usually 4k) under
PCI Root Bridge. Other than that I can't imagine what can go wrong.
Ah, of course the virtual space starvation is another possibility.

--
With Best Regards,
Andy Shevchenko

* Re: About pci_ioremap_bar null dereference
From: Bjorn Helgaas @ 2020-01-10 20:12 UTC
To: Andy Shevchenko; +Cc: P J P, linux-pci, Navid Emamdoost

On Fri, Jan 10, 2020 at 02:10:22PM +0200, Andy Shevchenko wrote:
> On Fri, Jan 10, 2020 at 1:54 PM P J P <ppandit@redhat.com> wrote:
> >
> > Hello Andy, Navid
> >
> >   -> https://git.kernel.org/linus/ea5ab2e422de0ef0fc476fe40f0829abe72684cd
> >
> > I was trying to understand this NULL dereference. IIUC, pci_ioremap_bar()
> > returning NULL indicates insufficient memory OR if the pci device is
> > configured to use I/O port address, instead of memory mapped region.
> >
> > I was wondering if(or how) it is reproducible for unprivileged user? Do you
> > happen to have a reproducer for it?
>
> It's very unlikely to see IRL such problem. Theoretically it may
> happen if the system in question has a LOT of devices connected to PCI
> and suddenly there is no window for a resource left (usually 4k) under
> PCI Root Bridge. Other than that I can't imagine what can go wrong.
> Ah, of course the virtual space starvation is another possibility.

pci_ioremap_bar() can return NULL if the BAR is an I/O port BAR or if
it's a memory BAR but we haven't assigned space for it. It's a good
idea to check the return value of pci_ioremap_bar().

ea5ab2e422de ("8250_lpss: check null return when calling
pci_ioremap_bar") looks like a valid patch to add that check. My
guess is that the patch was prompted by a static checker like
Coverity, not by an observed problem.

In any event, this code is in a quirk only used for Intel Quark SoC
X1000 HS-UART devices.

drivers/dma/dw/core.c (for the Synopsys DesignWare DMA Controller)
*does* use that pointer via dma_readl(), but the references in the
commit log (drivers/dma/dw/core.c:1154 and
drivers/dma/dw/core.c:1168) are obsolete and not very useful.

Bjorn

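Added example, not part of the thread and not kernel code: a userspace C model of the return-value check discussed in the message above, covering the two NULL cases it names. The model_* names, the RES_* flag values, the fake register array and the -ENODEV return are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for kernel resource flags; values are local to this model. */
#define RES_IO    0x1u  /* BAR decodes I/O port space */
#define RES_MEM   0x2u  /* BAR decodes memory space */
#define RES_UNSET 0x4u  /* memory BAR with no space assigned */
struct model_chip { volatile uint32_t *regs; int dma_ready; };
static uint32_t fake_mmio[4] = { 0x2a };  /* constructed register contents */

/* The two NULL cases named in the thread: I/O port BAR, or unassigned memory BAR. */
static volatile uint32_t *model_ioremap_bar(unsigned int flags)
{
    if (!(flags & RES_MEM) || (flags & RES_UNSET))
        return NULL;
    return fake_mmio;
}

/* Later consumer of the mapping, in the role the thread gives dma_readl(). */
static uint32_t model_dma_readl(const struct model_chip *chip, size_t reg)
{
    return chip->regs[reg];  /* would fault on a NULL mapping */
}

/* Setup with the return-value check: a failed mapping leaves DMA disabled. */
static int model_setup_dma(struct model_chip *chip, unsigned int flags)
{
    chip->dma_ready = 0;
    chip->regs = model_ioremap_bar(flags);
    if (!chip->regs)
        return -ENODEV;  /* assumed error code for this model */
    chip->dma_ready = 1;
    return 0;
}

/* Returns register 0 on success, or the negative errno from setup. */
static long model_probe(unsigned int flags)
{
    struct model_chip chip;
    int ret = model_setup_dma(&chip, flags);
    return ret ? ret : (long)model_dma_readl(&chip, 0);
}

int main(void)
{
    printf("io=%ld mem=%ld\n", model_probe(RES_IO), model_probe(RES_MEM));
    return 0;
}
```

Without the `if (!chip->regs)` test, the I/O port and unassigned cases would reach model_dma_readl() with a NULL pointer.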
* Re: About pci_ioremap_bar null dereference
From: P J P @ 2020-01-11 8:29 UTC
To: Bjorn Helgaas; +Cc: Andy Shevchenko, linux-pci, Navid Emamdoost

  Hello Andy, Bjorn,

+-- On Fri, 10 Jan 2020, Bjorn Helgaas wrote --+
| On Fri, Jan 10, 2020 at 02:10:22PM +0200, Andy Shevchenko wrote:
| > On Fri, Jan 10, 2020 at 1:54 PM P J P <ppandit@redhat.com> wrote:
| > >   -> https://git.kernel.org/linus/ea5ab2e422de0ef0fc476fe40f0829abe72684cd
| > >
| > > I was wondering if(or how) it is reproducible for unprivileged user? Do you
| > > happen to have a reproducer for it?
| >
| > It's very unlikely to see IRL such problem. Theoretically it may
| > happen if the system in question has a LOT of devices connected to PCI
| > and suddenly there is no window for a resource left (usually 4k) under
| > PCI Root Bridge. Other than that I can't imagine what can go wrong.
| > Ah, of course the virtual space starvation is another possibility.
|
| pci_ioremap_bar() can return NULL if the BAR is an I/O port BAR or if it's a
| memory BAR but we haven't assigned space for it. It's a good idea to check
| the return value of pci_ioremap_bar().

It is good to check the return value.

| ea5ab2e422de ("8250_lpss: check null return when calling pci_ioremap_bar")
| looks like a valid patch to add that check. My guess is that the patch was
| prompted by a static checker like Coverity, not by an observed problem.

Right, likely.

| drivers/dma/dw/core.c (for the Synopsys DesignWare DMA Controller) *does*
| use that pointer via dma_readl(), but the references in the commit log
| (drivers/dma/dw/core.c:1154 and drivers/dma/dw/core.c:1168) are obsolete and
| not very useful.

I see, okay. Thank you for the information.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D