From: John Garry <john.garry@huawei.com>
To: <bhelgaas@google.com>, <rafael@kernel.org>, <arnd@arndb.de>,
<lorenzo.pieralisi@arm.com>
Cc: <linux@roeck-us.net>, <linux-kernel@vger.kernel.org>,
<linux-pci@vger.kernel.org>, <bp@suse.de>,
<wangkefeng.wang@huawei.com>, <linuxarm@huawei.com>,
<andy.shevchenko@gmail.com>,
<linux-arm-kernel@lists.infradead.org>, <catalin.marinas@arm.com>,
<will.deacon@arm.com>, John Garry <john.garry@huawei.com>
Subject: [RFC PATCH v3 1/4] resource: Request IO port regions from children of ioport_resource
Date: Thu, 4 Apr 2019 23:59:59 +0800 [thread overview]
Message-ID: <1554393602-152448-2-git-send-email-john.garry@huawei.com> (raw)
In-Reply-To: <1554393602-152448-1-git-send-email-john.garry@huawei.com>
Currently request_region() requests an IO port region directly from the
top resource, ioport_resource.
There is an issue here, in that drivers may successfully request an IO
port region even if the IO port region has not even been mapped in
(in pci_remap_iospace()).
This may lead to crashes when the system has no PCI host, or, has a host
but it has failed enumeration, while drivers still attempt to access PCI
IO ports, as below:
root@(none)$root@(none)$ insmod f71882fg.ko
Unable to handle kernel paging request at virtual address ffff7dfffee0002e
Mem abort info:
ESR = 0x96000046
Exception class = DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000046
CM = 0, WnR = 1
swapper pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____)
[ffff7dfffee0002e] pgd=000000000141c003, pud=000000000141d003, pmd=0000000000000000
Internal error: Oops: 96000046 [#1] PREEMPT SMP
Modules linked in: f71882fg(+)
CPU: 8 PID: 2732 Comm: insmod Not tainted 5.1.0-rc1-00002-gab1a0e9200b8-dirty #102
Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018
pstate: 80000005 (Nzcv daif -PAN -UAO)
pc : logic_outb+0x54/0xb8
lr : f71882fg_find+0x64/0x390 [f71882fg]
sp : ffff000013393aa0
x29: ffff000013393aa0 x28: ffff000008b98b10
x27: ffff000013393df0 x26: 0000000000000100
x25: ffff801f8c872d30 x24: ffff000011420000
x23: ffff801fb49d2940 x22: ffff000011291000
x21: 000000000000002e x20: 0000000000000087
x19: ffff000013393b44 x18: ffffffffffffffff
x17: 0000000000000000 x16: 0000000000000000
x15: ffff00001127d6c8 x14: ffff801f8cfd691c
x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000003 x10: 0000801feace2000
x9 : 0000000000000000 x8 : ffff841fa654f280
x7 : 0000000000000000 x6 : 0000000000ffc0e3
x5 : ffff000011291360 x4 : ffff801fb4949f00
x3 : 0000000000ffbffe x2 : 76e767a63713d500
x1 : ffff7dfffee0002e x0 : ffff7dfffee00000
Process insmod (pid: 2732, stack limit = 0x(____ptrval____))
Call trace:
logic_outb+0x54/0xb8
f71882fg_find+0x64/0x390 [f71882fg]
f71882fg_init+0x38/0xc70 [f71882fg]
do_one_initcall+0x5c/0x198
do_init_module+0x54/0x1b0
load_module+0x1dc4/0x2158
__se_sys_init_module+0x14c/0x1e8
__arm64_sys_init_module+0x18/0x20
el0_svc_common+0x5c/0x100
el0_svc_handler+0x2c/0x80
el0_svc+0x8/0xc
Code: d2bfdc00 f2cfbfe0 f2ffffe0 8b000021 (39000034)
---[ end trace fd4f35b610829a48 ]---
Segmentation fault
root@(none)$
Note that the f71882fg driver correctly calls request_muxed_region().
This issue was originally reported in [1].
This patch changes the functionality of request{muxed_}_region() to
request a region from a direct child descendent of the top
ioport_resource.
In this, if the IO port region has not been mapped for a particular IO
region, the PCI IO resource would also not have been inserted, and so a
suitable child region will not exist. As such,
request_{muxed_}region() calls will fail.
A side note: there are many drivers in the kernel which fail to even call
request_{muxed_}region() prior to IO port accesses, and they also need to
be fixed (to call request_{muxed_}region(), as appropriate) separately.
[1] https://lore.kernel.org/linux-pci/56F209A9.4040304@huawei.com
Signed-off-by: John Garry <john.garry@huawei.com>
---
include/linux/ioport.h | 11 ++++++++---
kernel/resource.c | 28 ++++++++++++++++++++++++++++
2 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/include/linux/ioport.h b/include/linux/ioport.h
index da0ebaec25f0..76288b8783ff 100644
--- a/include/linux/ioport.h
+++ b/include/linux/ioport.h
@@ -217,15 +217,20 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2)
/* Convenience shorthand with allocation */
-#define request_region(start,n,name) __request_region(&ioport_resource, (start), (n), (name), 0)
-#define request_muxed_region(start,n,name) __request_region(&ioport_resource, (start), (n), (name), IORESOURCE_MUXED)
+#define request_region(start, n, name) __request_region_from_children(&ioport_resource, (start), (n), (name), 0)
+#define request_muxed_region(start, n, name) __request_region_from_children(&ioport_resource, (start), (n), (name), IORESOURCE_MUXED)
#define __request_mem_region(start,n,name, excl) __request_region(&iomem_resource, (start), (n), (name), excl)
#define request_mem_region(start,n,name) __request_region(&iomem_resource, (start), (n), (name), 0)
#define request_mem_region_exclusive(start,n,name) \
__request_region(&iomem_resource, (start), (n), (name), IORESOURCE_EXCLUSIVE)
#define rename_region(region, newname) do { (region)->name = (newname); } while (0)
-extern struct resource * __request_region(struct resource *,
+extern struct resource *__request_region(struct resource *,
+ resource_size_t start,
+ resource_size_t n,
+ const char *name, int flags);
+
+extern struct resource *__request_region_from_children(struct resource *,
resource_size_t start,
resource_size_t n,
const char *name, int flags);
diff --git a/kernel/resource.c b/kernel/resource.c
index 92190f62ebc5..87ed200eda8b 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -1097,6 +1097,34 @@ resource_size_t resource_alignment(struct resource *res)
static DECLARE_WAIT_QUEUE_HEAD(muxed_resource_wait);
+/**
+ * __request_region_from_children - create a new busy region from a child
+ * @parent: parent resource descriptor
+ * @start: resource start address
+ * @n: resource region size
+ * @name: reserving caller's ID string
+ * @flags: IO resource flags
+ */
+struct resource *__request_region_from_children(struct resource *parent,
+ resource_size_t start,
+ resource_size_t n,
+ const char *name, int flags)
+{
+ struct resource *res = __request_region(parent, start, n, name, flags);
+
+ if (res && res->parent == parent) {
+ /*
+ * This is a direct descendent of the parent, which is
+ * what we didn't want.
+ */
+ __release_region(parent, start, n);
+ res = NULL;
+ }
+
+ return res;
+}
+EXPORT_SYMBOL(__request_region_from_children);
+
/**
* __request_region - create a new busy resource region
* @parent: parent resource descriptor
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: John Garry <john.garry@huawei.com>
To: <bhelgaas@google.com>, <rafael@kernel.org>, <arnd@arndb.de>,
<lorenzo.pieralisi@arm.com>
Cc: wangkefeng.wang@huawei.com, linux-pci@vger.kernel.org,
John Garry <john.garry@huawei.com>,
will.deacon@arm.com, linux-kernel@vger.kernel.org,
linuxarm@huawei.com, andy.shevchenko@gmail.com,
linux-arm-kernel@lists.infradead.org, catalin.marinas@arm.com,
bp@suse.de, linux@roeck-us.net
Subject: [RFC PATCH v3 1/4] resource: Request IO port regions from children of ioport_resource
Date: Thu, 4 Apr 2019 23:59:59 +0800 [thread overview]
Message-ID: <1554393602-152448-2-git-send-email-john.garry@huawei.com> (raw)
In-Reply-To: <1554393602-152448-1-git-send-email-john.garry@huawei.com>
Currently request_region() requests an IO port region directly from the
top resource, ioport_resource.
There is an issue here, in that drivers may successfully request an IO
port region even if the IO port region has not even been mapped in
(in pci_remap_iospace()).
This may lead to crashes when the system has no PCI host, or, has a host
but it has failed enumeration, while drivers still attempt to access PCI
IO ports, as below:
root@(none)$root@(none)$ insmod f71882fg.ko
Unable to handle kernel paging request at virtual address ffff7dfffee0002e
Mem abort info:
ESR = 0x96000046
Exception class = DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000046
CM = 0, WnR = 1
swapper pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____)
[ffff7dfffee0002e] pgd=000000000141c003, pud=000000000141d003, pmd=0000000000000000
Internal error: Oops: 96000046 [#1] PREEMPT SMP
Modules linked in: f71882fg(+)
CPU: 8 PID: 2732 Comm: insmod Not tainted 5.1.0-rc1-00002-gab1a0e9200b8-dirty #102
Hardware name: Huawei Taishan 2280 /D05, BIOS Hisilicon D05 IT21 Nemo 2.0 RC0 04/18/2018
pstate: 80000005 (Nzcv daif -PAN -UAO)
pc : logic_outb+0x54/0xb8
lr : f71882fg_find+0x64/0x390 [f71882fg]
sp : ffff000013393aa0
x29: ffff000013393aa0 x28: ffff000008b98b10
x27: ffff000013393df0 x26: 0000000000000100
x25: ffff801f8c872d30 x24: ffff000011420000
x23: ffff801fb49d2940 x22: ffff000011291000
x21: 000000000000002e x20: 0000000000000087
x19: ffff000013393b44 x18: ffffffffffffffff
x17: 0000000000000000 x16: 0000000000000000
x15: ffff00001127d6c8 x14: ffff801f8cfd691c
x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000003 x10: 0000801feace2000
x9 : 0000000000000000 x8 : ffff841fa654f280
x7 : 0000000000000000 x6 : 0000000000ffc0e3
x5 : ffff000011291360 x4 : ffff801fb4949f00
x3 : 0000000000ffbffe x2 : 76e767a63713d500
x1 : ffff7dfffee0002e x0 : ffff7dfffee00000
Process insmod (pid: 2732, stack limit = 0x(____ptrval____))
Call trace:
logic_outb+0x54/0xb8
f71882fg_find+0x64/0x390 [f71882fg]
f71882fg_init+0x38/0xc70 [f71882fg]
do_one_initcall+0x5c/0x198
do_init_module+0x54/0x1b0
load_module+0x1dc4/0x2158
__se_sys_init_module+0x14c/0x1e8
__arm64_sys_init_module+0x18/0x20
el0_svc_common+0x5c/0x100
el0_svc_handler+0x2c/0x80
el0_svc+0x8/0xc
Code: d2bfdc00 f2cfbfe0 f2ffffe0 8b000021 (39000034)
---[ end trace fd4f35b610829a48 ]---
Segmentation fault
root@(none)$
Note that the f71882fg driver correctly calls request_muxed_region().
This issue was originally reported in [1].
This patch changes the functionality of request{muxed_}_region() to
request a region from a direct child descendent of the top
ioport_resource.
In this, if the IO port region has not been mapped for a particular IO
region, the PCI IO resource would also not have been inserted, and so a
suitable child region will not exist. As such,
request_{muxed_}region() calls will fail.
A side note: there are many drivers in the kernel which fail to even call
request_{muxed_}region() prior to IO port accesses, and they also need to
be fixed (to call request_{muxed_}region(), as appropriate) separately.
[1] https://lore.kernel.org/linux-pci/56F209A9.4040304@huawei.com
Signed-off-by: John Garry <john.garry@huawei.com>
---
include/linux/ioport.h | 11 ++++++++---
kernel/resource.c | 28 ++++++++++++++++++++++++++++
2 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/include/linux/ioport.h b/include/linux/ioport.h
index da0ebaec25f0..76288b8783ff 100644
--- a/include/linux/ioport.h
+++ b/include/linux/ioport.h
@@ -217,15 +217,20 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2)
/* Convenience shorthand with allocation */
-#define request_region(start,n,name) __request_region(&ioport_resource, (start), (n), (name), 0)
-#define request_muxed_region(start,n,name) __request_region(&ioport_resource, (start), (n), (name), IORESOURCE_MUXED)
+#define request_region(start, n, name) __request_region_from_children(&ioport_resource, (start), (n), (name), 0)
+#define request_muxed_region(start, n, name) __request_region_from_children(&ioport_resource, (start), (n), (name), IORESOURCE_MUXED)
#define __request_mem_region(start,n,name, excl) __request_region(&iomem_resource, (start), (n), (name), excl)
#define request_mem_region(start,n,name) __request_region(&iomem_resource, (start), (n), (name), 0)
#define request_mem_region_exclusive(start,n,name) \
__request_region(&iomem_resource, (start), (n), (name), IORESOURCE_EXCLUSIVE)
#define rename_region(region, newname) do { (region)->name = (newname); } while (0)
-extern struct resource * __request_region(struct resource *,
+extern struct resource *__request_region(struct resource *,
+ resource_size_t start,
+ resource_size_t n,
+ const char *name, int flags);
+
+extern struct resource *__request_region_from_children(struct resource *,
resource_size_t start,
resource_size_t n,
const char *name, int flags);
diff --git a/kernel/resource.c b/kernel/resource.c
index 92190f62ebc5..87ed200eda8b 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -1097,6 +1097,34 @@ resource_size_t resource_alignment(struct resource *res)
static DECLARE_WAIT_QUEUE_HEAD(muxed_resource_wait);
+/**
+ * __request_region_from_children - create a new busy region from a child
+ * @parent: parent resource descriptor
+ * @start: resource start address
+ * @n: resource region size
+ * @name: reserving caller's ID string
+ * @flags: IO resource flags
+ */
+struct resource *__request_region_from_children(struct resource *parent,
+ resource_size_t start,
+ resource_size_t n,
+ const char *name, int flags)
+{
+ struct resource *res = __request_region(parent, start, n, name, flags);
+
+ if (res && res->parent == parent) {
+ /*
+ * This is a direct descendent of the parent, which is
+ * what we didn't want.
+ */
+ __release_region(parent, start, n);
+ res = NULL;
+ }
+
+ return res;
+}
+EXPORT_SYMBOL(__request_region_from_children);
+
/**
* __request_region - create a new busy resource region
* @parent: parent resource descriptor
--
2.17.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-04-04 16:00 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-04 15:59 [PATCH v3 0/4] Fix system crash for accessing unmapped IO port regions John Garry
2019-04-04 15:59 ` John Garry
2019-04-04 15:59 ` John Garry [this message]
2019-04-04 15:59 ` [RFC PATCH v3 1/4] resource: Request IO port regions from children of ioport_resource John Garry
2019-04-04 16:00 ` [PATCH v3 2/4] lib: logic_pio: Use logical PIO low-level accessors for !CONFIG_INDIRECT_PIO John Garry
2019-04-04 16:00 ` John Garry
2019-04-04 16:00 ` [PATCH v3 3/4] lib: logic_pio: Reject accesses to unregistered CPU MMIO regions John Garry
2019-04-04 16:00 ` John Garry
2019-04-04 16:41 ` Guenter Roeck
2019-04-04 16:41 ` Guenter Roeck
2019-04-04 16:52 ` John Garry
2019-04-04 16:52 ` John Garry
2019-04-04 17:43 ` Guenter Roeck
2019-04-04 17:43 ` Guenter Roeck
2019-04-04 18:58 ` Bjorn Helgaas
2019-04-04 18:58 ` Bjorn Helgaas
2019-04-05 8:10 ` John Garry
2019-04-05 8:10 ` John Garry
2019-04-05 18:06 ` Bjorn Helgaas
2019-04-05 18:06 ` Bjorn Helgaas
2019-04-05 18:29 ` Guenter Roeck
2019-04-05 18:29 ` Guenter Roeck
2019-04-08 8:19 ` John Garry
2019-04-08 8:19 ` John Garry
2019-04-08 13:47 ` Guenter Roeck
2019-04-08 13:47 ` Guenter Roeck
2019-04-08 16:35 ` John Garry
2019-04-08 16:35 ` John Garry
2019-04-08 16:50 ` Will Deacon
2019-04-08 16:50 ` Will Deacon
2019-04-09 10:38 ` John Garry
2019-04-09 10:38 ` John Garry
2019-04-08 8:01 ` John Garry
2019-04-08 8:01 ` John Garry
2019-04-04 16:00 ` [PATCH v3 4/4] lib: logic_pio: Fix up some prints John Garry
2019-04-04 16:00 ` John Garry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1554393602-152448-2-git-send-email-john.garry@huawei.com \
--to=john.garry@huawei.com \
--cc=andy.shevchenko@gmail.com \
--cc=arnd@arndb.de \
--cc=bhelgaas@google.com \
--cc=bp@suse.de \
--cc=catalin.marinas@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux@roeck-us.net \
--cc=linuxarm@huawei.com \
--cc=lorenzo.pieralisi@arm.com \
--cc=rafael@kernel.org \
--cc=wangkefeng.wang@huawei.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.