Re: [PATCH v6 5/6] fbdev: Move framebuffer I/O helpers into <asm/fb.h>

From: "Arnd Bergmann" <arnd@arndb.de>
To: "Artur Rojek" <contact@artur-rojek.eu>,
	"Geert Uytterhoeven" <geert@linux-m68k.org>
Cc: "Thomas Zimmermann" <tzimmermann@suse.de>,
	"kernel test robot" <lkp@intel.com>,
	"Helge Deller" <deller@gmx.de>,
	"Javier Martinez Canillas" <javierm@redhat.com>,
	"Daniel Vetter" <daniel@ffwll.ch>,
	"Vineet Gupta" <vgupta@kernel.org>,
	"Huacai Chen" <chenhuacai@kernel.org>,
	"WANG Xuerui" <kernel@xen0n.name>,
	"David S . Miller" <davem@davemloft.net>,
	"James E . J . Bottomley" <James.Bottomley@hansenpartnership.com>,
	"Sam Ravnborg" <sam@ravnborg.org>,
	suijingfeng@loongson.cn, oe-kbuild-all@lists.linux.dev,
	Linux-Arch <linux-arch@vger.kernel.org>,
	linux-fbdev@vger.kernel.org, linux-ia64@vger.kernel.org,
	linux-parisc@vger.kernel.org, linux-kernel@vger.kernel.org,
	dri-devel@lists.freedesktop.org, linux-m68k@lists.linux-m68k.org,
	loongarch@lists.linux.dev, sparclinux@vger.kernel.org,
	linux-snps-arc@lists.infradead.org,
	linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v6 5/6] fbdev: Move framebuffer I/O helpers into <asm/fb.h>
Date: Thu, 11 May 2023 15:40:28 +0200	[thread overview]
Message-ID: <d27e359c-1ea3-4d08-b124-e794fd372b28@app.fastmail.com> (raw)
In-Reply-To: <9c4be198444e9987c826c87b592e9dc6@artur-rojek.eu>

On Thu, May 11, 2023, at 15:22, Artur Rojek wrote:
> On 2023-05-11 14:35, Geert Uytterhoeven wrote:
>> 
>> CC Artur, who's working on HP Jornada 680.
> Thanks for CC'ing me - I faced this exact issue while working on my
> (still not upstreamed) hd6446x PCMCIA controller driver. The PCMCIA
> subsystem uses `inb/outb`, which expect the `sh_io_port_base` to be set
> to something else than the default `-1`. At first I tried to set it to
> `0xa0000000`, so that all I/O goes through the fixed, non-cacheable P2
> area. That however broke some other driver code (I had no time to debug
> which one). Eventually I ended up taking a suggestion from a MIPS PCMCIA
> driver [1] and simply substract the broken `sh_io_port_base` address
> from `HD64461_IOBASE`, as the base for `socket.io_offset`. This way all
> the PCMCIA `inb/outb` accesses are absolute, no matter what the
> `sh_io_port_base` is set to. This of course is a very ugly solution and
> we should instead fix the root cause of this mess. I will have a better
> look at this patch set and the problem at hand at a later date.
>
> Cheers,
> Artur
>
> [1] 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/pcmcia/db1xxx_ss.c?h=v6.4-rc1#n527

I think the best fix would be to change all those drivers away
from using inb/outb to readb/writeb, except when they access the
actual PCMCIA I/O space behind the bridge.

On most of the modern architectures, inb(addr) now turns into
approximately readb(PCI_IOBASE + addr), with a bit of extra
logic to deal with endianess and barrier semantics.

PCI_IOBASE in turn tends to be a hardcoded virtual address
to which the physical I/O space window gets mapped during
early boot, though you can also #define it to sh_io_port_base
if you want to allocate the virtual address dynamically and
leave the existing logic unchanged.

Setting sh_io_port_base to zero however is a problem for any
driver that passes a small port number into it -- this then
turns into a user space pointer dereference, which is trivially
exploitable.

     Arnd

_______________________________________________
linux-snps-arc mailing list
linux-snps-arc@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-snps-arc