From nobody Fri Jun 19 01:10:43 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D1B66C433F5 for ; Sun, 10 Apr 2022 10:54:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229507AbiDJK5E (ORCPT ); Sun, 10 Apr 2022 06:57:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35726 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238028AbiDJK4p (ORCPT ); Sun, 10 Apr 2022 06:56:45 -0400 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 003491BE9F; Sun, 10 Apr 2022 03:54:31 -0700 (PDT) Date: Sun, 10 Apr 2022 10:54:29 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1649588070; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jbSm1MHt39I7ELXl4PzbMeWOWrLGSVaBwZFiPCX5kO4=; b=BaCxajrw8f2BiofPEJ3mdMWGs/i78dZ71SL2R11aH3amcYqitK36vZL0uSC6Aqcwbkit0f UfbGRsBvTdo+HN5BwJVlfL3DfhviiIYvga2X79+8GKr7uhZDooGMpclwkO+2CWCihVqsNz 2ATMEyj6G9XFWTAh8YGe5uIBuZkwopGaLJWUhWJFDy5B0NyVbb6owJTByxUujlJICKxBfk wMsg1OWheffEP/yMeV9pORe2ZD0skgAhfhvT38EMX9WOqqjL0EHE0NVFRk3v1IrtKRGgsD GBwuCXKbGOJpaoYkHI2f8e/LDbfjKIlaQOOYoYkAgB8dOhghs1PPGTYBqinwcw== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1649588070; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jbSm1MHt39I7ELXl4PzbMeWOWrLGSVaBwZFiPCX5kO4=; b=osdppoDdbDvW01RGyeM4n5I2ydJujFNqJZoB9hBK9Via9nHPaLCSC7rHjNrmH7ziCjC8mm ybP2CgjnFD9DpIBQ== From: "tip-bot2 for Maciej W. Rozycki" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/irq] x86/PCI: Add PIRQ routing table range checks Cc: "Maciej W. Rozycki" , Thomas Gleixner , x86@kernel.org, linux-kernel@vger.kernel.org In-Reply-To: References: MIME-Version: 1.0 Message-ID: <164958806957.4207.7929063021391145772.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The following commit has been merged into the x86/irq branch of tip: Commit-ID: 5d64089aa4a5bd3d7e00e3d6ddf4943dd34627b3 Gitweb: https://git.kernel.org/tip/5d64089aa4a5bd3d7e00e3d6ddf4943dd= 34627b3 Author: Maciej W. Rozycki AuthorDate: Thu, 31 Mar 2022 08:10:55 +01:00 Committer: Thomas Gleixner CommitterDate: Sun, 10 Apr 2022 12:48:14 +02:00 x86/PCI: Add PIRQ routing table range checks Verify that the PCI IRQ Routing Table header as well as individual slot=20 entries are all wholly contained within the BIOS memory area. Do not=20 even call the checksum calculator if the header would overrun the area=20 and then bail out early if any slot would. Signed-off-by: Maciej W. Rozycki Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/alpine.DEB.2.21.2203301735510.22465@angie.o= rcam.me.uk --- arch/x86/pci/irq.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c index 4b0e008..ef97b26 100644 --- a/arch/x86/pci/irq.c +++ b/arch/x86/pci/irq.c @@ -68,7 +68,8 @@ void (*pcibios_disable_irq)(struct pci_dev *dev) =3D pirq= _disable_irq; * and perform checksum verification. */ =20 -static inline struct irq_routing_table *pirq_check_routing_table(u8 *addr) +static inline struct irq_routing_table *pirq_check_routing_table(u8 *addr, + u8 *limit) { struct irq_routing_table *rt; int i; @@ -78,7 +79,8 @@ static inline struct irq_routing_table *pirq_check_routin= g_table(u8 *addr) if (rt->signature !=3D PIRQ_SIGNATURE || rt->version !=3D PIRQ_VERSION || rt->size % 16 || - rt->size < sizeof(struct irq_routing_table)) + rt->size < sizeof(struct irq_routing_table) || + (limit && rt->size > limit - addr)) return NULL; sum =3D 0; for (i =3D 0; i < rt->size; i++) @@ -99,17 +101,22 @@ static inline struct irq_routing_table *pirq_check_rou= ting_table(u8 *addr) =20 static struct irq_routing_table * __init pirq_find_routing_table(void) { + u8 * const bios_start =3D (u8 *)__va(0xf0000); + u8 * const bios_end =3D (u8 *)__va(0x100000); u8 *addr; struct irq_routing_table *rt; =20 if (pirq_table_addr) { - rt =3D pirq_check_routing_table((u8 *) __va(pirq_table_addr)); + rt =3D pirq_check_routing_table((u8 *)__va(pirq_table_addr), + NULL); if (rt) return rt; printk(KERN_WARNING "PCI: PIRQ table NOT found at pirqaddr\n"); } - for (addr =3D (u8 *) __va(0xf0000); addr < (u8 *) __va(0x100000); addr += =3D 16) { - rt =3D pirq_check_routing_table(addr); + for (addr =3D bios_start; + addr < bios_end - sizeof(struct irq_routing_table); + addr +=3D 16) { + rt =3D pirq_check_routing_table(addr, bios_end); if (rt) return rt; }