From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751204AbbFWEKc (ORCPT ); Tue, 23 Jun 2015 00:10:32 -0400 Received: from mga02.intel.com ([134.134.136.20]:18589 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750711AbbFWEKV (ORCPT ); Tue, 23 Jun 2015 00:10:21 -0400 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.13,664,1427785200"; d="scan'208";a="732694715" From: Jiang Liu To: "Rafael J . Wysocki" , Bjorn Helgaas , Boszormenyi Zoltan , Len Brown Cc: Jiang Liu , LKML , linux-pci@vger.kernel.org, linux-acpi@vger.kernel.org, "x86 @ kernel . org" Subject: [Patch v1] PCI, ACPI: Fix regressions caused by resource_size_t overflow with 32bit kernel Date: Tue, 23 Jun 2015 12:12:12 +0800 Message-Id: <1435032732-26160-1-git-send-email-jiang.liu@linux.intel.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <55871787.5080504@pr.hu> References: <55871787.5080504@pr.hu> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The data type resource_size_t may be 32 bits or 64 bits depending on CONFIG_PHYS_ADDR_T_64BIT. So reject ACPI resource descriptors which will cause resource_size_t overflow with 32bit kernel This issue was triggered on a platform running 32bit kernel with an ACPI resource descriptor with address range [0x400000000-0xfffffffff]. Please refer to https://lkml.org/lkml/2015/6/19/277 for more information. Reported-by: Boszormenyi Zoltan Fixes: 593669c2ac0f ("x86/PCI/ACPI: Use common ACPI resource interfaces to simplify implementation") Signed-off-by: Jiang Liu Cc: stable@vger.kernel.org # 4.0 --- drivers/acpi/resource.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c index 8244f013f210..f1c966e05078 100644 --- a/drivers/acpi/resource.c +++ b/drivers/acpi/resource.c @@ -193,6 +193,7 @@ static bool acpi_decode_space(struct resource_win *win, u8 iodec = attr->granularity == 0xfff ? ACPI_DECODE_10 : ACPI_DECODE_16; bool wp = addr->info.mem.write_protect; u64 len = attr->address_length; + u64 start, end, offset = 0; struct resource *res = &win->res; /* @@ -204,9 +205,6 @@ static bool acpi_decode_space(struct resource_win *win, pr_debug("ACPI: Invalid address space min_addr_fix %d, max_addr_fix %d, len %llx\n", addr->min_address_fixed, addr->max_address_fixed, len); - res->start = attr->minimum; - res->end = attr->maximum; - /* * For bridges that translate addresses across the bridge, * translation_offset is the offset that must be added to the @@ -214,12 +212,22 @@ static bool acpi_decode_space(struct resource_win *win, * primary side. Non-bridge devices must list 0 for all Address * Translation offset bits. */ - if (addr->producer_consumer == ACPI_PRODUCER) { - res->start += attr->translation_offset; - res->end += attr->translation_offset; - } else if (attr->translation_offset) { + if (addr->producer_consumer == ACPI_PRODUCER) + offset = attr->translation_offset; + else if (attr->translation_offset) pr_debug("ACPI: translation_offset(%lld) is invalid for non-bridge device.\n", attr->translation_offset); + start = attr->minimum + offset; + end = attr->maximum + offset; + + win->offset = offset; + res->start = start; + res->end = end; + if (sizeof(resource_size_t) < sizeof(u64) && + (offset != win->offset || start != res->start || end != res->end)) { + pr_warn("acpi resource window ([%#llx-%#llx] ignored, not CPU addressable)\n", + attr->minimum, attr->maximum); + return false; } switch (addr->resource_type) { @@ -236,8 +244,6 @@ static bool acpi_decode_space(struct resource_win *win, return false; } - win->offset = attr->translation_offset; - if (addr->producer_consumer == ACPI_PRODUCER) res->flags |= IORESOURCE_WINDOW; -- 1.7.10.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in Please read the FAQ at http://www.tux.org/lkml/ From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jiang Liu Subject: [Patch v1] PCI, ACPI: Fix regressions caused by resource_size_t overflow with 32bit kernel Date: Tue, 23 Jun 2015 12:12:12 +0800 Message-ID: <1435032732-26160-1-git-send-email-jiang.liu@linux.intel.com> References: <55871787.5080504@pr.hu> Return-path: Received: from mga02.intel.com ([134.134.136.20]:18589 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750711AbbFWEKV (ORCPT ); Tue, 23 Jun 2015 00:10:21 -0400 In-Reply-To: <55871787.5080504@pr.hu> Sender: linux-acpi-owner@vger.kernel.org List-Id: linux-acpi@vger.kernel.org To: "Rafael J . Wysocki" , Bjorn Helgaas , Boszormenyi Zoltan , Len Brown Cc: Jiang Liu , LKML , linux-pci@vger.kernel.org, linux-acpi@vger.kernel.org, "x86 @ kernel . org" The data type resource_size_t may be 32 bits or 64 bits depending on CONFIG_PHYS_ADDR_T_64BIT. So reject ACPI resource descriptors which will cause resource_size_t overflow with 32bit kernel This issue was triggered on a platform running 32bit kernel with an ACPI resource descriptor with address range [0x400000000-0xfffffffff]. Please refer to https://lkml.org/lkml/2015/6/19/277 for more information. Reported-by: Boszormenyi Zoltan Fixes: 593669c2ac0f ("x86/PCI/ACPI: Use common ACPI resource interfaces to simplify implementation") Signed-off-by: Jiang Liu Cc: stable@vger.kernel.org # 4.0 --- drivers/acpi/resource.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c index 8244f013f210..f1c966e05078 100644 --- a/drivers/acpi/resource.c +++ b/drivers/acpi/resource.c @@ -193,6 +193,7 @@ static bool acpi_decode_space(struct resource_win *win, u8 iodec = attr->granularity == 0xfff ? ACPI_DECODE_10 : ACPI_DECODE_16; bool wp = addr->info.mem.write_protect; u64 len = attr->address_length; + u64 start, end, offset = 0; struct resource *res = &win->res; /* @@ -204,9 +205,6 @@ static bool acpi_decode_space(struct resource_win *win, pr_debug("ACPI: Invalid address space min_addr_fix %d, max_addr_fix %d, len %llx\n", addr->min_address_fixed, addr->max_address_fixed, len); - res->start = attr->minimum; - res->end = attr->maximum; - /* * For bridges that translate addresses across the bridge, * translation_offset is the offset that must be added to the @@ -214,12 +212,22 @@ static bool acpi_decode_space(struct resource_win *win, * primary side. Non-bridge devices must list 0 for all Address * Translation offset bits. */ - if (addr->producer_consumer == ACPI_PRODUCER) { - res->start += attr->translation_offset; - res->end += attr->translation_offset; - } else if (attr->translation_offset) { + if (addr->producer_consumer == ACPI_PRODUCER) + offset = attr->translation_offset; + else if (attr->translation_offset) pr_debug("ACPI: translation_offset(%lld) is invalid for non-bridge device.\n", attr->translation_offset); + start = attr->minimum + offset; + end = attr->maximum + offset; + + win->offset = offset; + res->start = start; + res->end = end; + if (sizeof(resource_size_t) < sizeof(u64) && + (offset != win->offset || start != res->start || end != res->end)) { + pr_warn("acpi resource window ([%#llx-%#llx] ignored, not CPU addressable)\n", + attr->minimum, attr->maximum); + return false; } switch (addr->resource_type) { @@ -236,8 +244,6 @@ static bool acpi_decode_space(struct resource_win *win, return false; } - win->offset = attr->translation_offset; - if (addr->producer_consumer == ACPI_PRODUCER) res->flags |= IORESOURCE_WINDOW; -- 1.7.10.4 -- To unsubscribe from this list: send the line "unsubscribe linux-acpi" in