| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 26 Jul 2019 18:32:38 +0200
From: Lucas Stach <l.stach@...gutronix.de>
To: Stefan Agner <stefan@...er.ch>, hongxing.zhu@....com
Cc: lorenzo.pieralisi@....com, jingoohan1@...il.com,
gustavo.pimentel@...opsys.com, tpiepho@...inj.com,
leonard.crestez@....com, bhelgaas@...gle.com,
linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH RESEND v8] PCI: imx6: limit DBI register length
Am Freitag, den 26.07.2019, 16:40 +0200 schrieb Stefan Agner:
> Define the length of the DBI registers and limit config space to its
> length. This makes sure that the kernel does not access registers
> beyond that point, avoiding the following abort on a i.MX 6Quad:
> # cat /sys/devices/soc0/soc/1ffc000.pcie/pci0000\:00/0000\:00\:00.0/config
> [ 100.021433] Unhandled fault: imprecise external abort (0x1406) at 0xb6ea7000
> ...
> [ 100.056423] PC is at dw_pcie_read+0x50/0x84
> [ 100.060790] LR is at dw_pcie_rd_own_conf+0x44/0x48
> ...
>
> Signed-off-by: Stefan Agner <stefan@...er.ch>
Reviewed-by: Lucas Stach <l.stach@...gutronix.de>
> ---
> Changes in v3:
> - Rebase on pci/dwc
> Changes in v4:
> - Rebase on pci/dwc
> Changes in v5:
> - Rebased ontop of pci/dwc
> - Use DBI length of 0x200
> Changes in v6:
> - Use pci_dev.cfg_size mechanism to limit config space (this made patch 1
> of previous versions of this patchset obsolete).
> Changes in v7:
> - Restrict fixup to Synopsys/0xabcd
> - Apply cfg_size limitation only if dbi_length is specified
> Changes in v8:
> - Restrict fixup for Synopsys/0xabcd and class PCI bridge
> - Check device driver to be pci-imx6
>
> drivers/pci/controller/dwc/pci-imx6.c | 33 +++++++++++++++++++++++++++
> 1 file changed, 33 insertions(+)
>
> diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c
> index 9b5cb5b70389..8b8efa3063f5 100644
> --- a/drivers/pci/controller/dwc/pci-imx6.c
> +++ b/drivers/pci/controller/dwc/pci-imx6.c
> @@ -57,6 +57,7 @@ enum imx6_pcie_variants {
> struct imx6_pcie_drvdata {
> > enum imx6_pcie_variants variant;
> > u32 flags;
> > + int dbi_length;
> };
>
> struct imx6_pcie {
> @@ -1212,6 +1213,7 @@ static const struct imx6_pcie_drvdata drvdata[] = {
> > .variant = IMX6Q,
> > .flags = IMX6_PCIE_FLAG_IMX6_PHY |
> > IMX6_PCIE_FLAG_IMX6_SPEED_CHANGE,
> > + .dbi_length = 0x200,
> > },
> > [IMX6SX] = {
> > .variant = IMX6SX,
> @@ -1254,6 +1256,37 @@ static struct platform_driver imx6_pcie_driver = {
> > .shutdown = imx6_pcie_shutdown,
> };
>
> +static void imx6_pcie_quirk(struct pci_dev *dev)
> +{
> > + struct pci_bus *bus = dev->bus;
> > + struct pcie_port *pp = bus->sysdata;
> +
> > + /* Bus parent is the PCI bridge, its parent is this platform driver */
> > + if (!bus->dev.parent || !bus->dev.parent->parent)
> > + return;
> +
> > + /* Make sure we only quirk devices associated with this driver */
> > + if (bus->dev.parent->parent->driver != &imx6_pcie_driver.driver)
> > + return;
> +
> > + if (bus->number == pp->root_bus_nr) {
> > + struct dw_pcie *pci = to_dw_pcie_from_pp(pp);
> > + struct imx6_pcie *imx6_pcie = to_imx6_pcie(pci);
> +
> > + /*
> > + * Limit config length to avoid the kernel reading beyond
> > + * the register set and causing an abort on i.MX 6Quad
> > + */
> > + if (imx6_pcie->drvdata->dbi_length) {
> > + dev->cfg_size = imx6_pcie->drvdata->dbi_length;
> > + dev_info(&dev->dev, "Limiting cfg_size to %d\n",
> > + dev->cfg_size);
> > + }
> > + }
> +}
> +DECLARE_PCI_FIXUP_CLASS_HEADER(PCI_VENDOR_ID_SYNOPSYS, 0xabcd,
> > + PCI_CLASS_BRIDGE_PCI, 8, imx6_pcie_quirk);
> +
> static int __init imx6_pcie_init(void)
> {
> #ifdef CONFIG_ARM
Powered by blists - more mailing lists