2015-08-14 14:41:17

by Marc Zyngier

Subject: [PATCH 0/3] PCI: arm64/powerpc: Fix parsing of linux,pci-probe-only

The pci-host-generic driver parses the linux,pci-probe-only property,
and assumes that it will have a boolean parameter.

Turns out that the Seattle DTS file has a naked "linux,pci-probe-only"
property, which leads to the driver dereferencing some unsuspecting
memory location. Nothing really bad happens (we end up reading some
other bit of DT, fortunately), but that's not a reason to keep it this
way.

The first patch fixes the driver not to do silly things, and simply
gives a warning when this happens. The powerpc code from where this
code was lifted is also fixed in a second patch.

Finally, the bad property is removed from the Seattle DTS, because it
is simply not necessary (it actually prevents me from using SR-IOV,
which otherwise runs fine without the probe-only thing).

Marc Zyngier (3):
PCI: pci-host-generic: Fix lookup of linux,pci-probe-only property
powerpc: PCI: Fix lookup of linux,pci-probe-only property
arm64: dts: Drop linux,pci-probe-only from the Seattle DTS

arch/arm64/boot/dts/amd/amd-overdrive.dts | 1 -
arch/powerpc/platforms/pseries/setup.c | 15 ++++++++++-----
drivers/pci/host/pci-host-generic.c | 15 ++++++++++-----
3 files changed, 20 insertions(+), 11 deletions(-)

--
2.1.4


2015-08-14 14:41:19

by Marc Zyngier

Subject: [PATCH 1/3] PCI: pci-host-generic: Fix lookup of linux,pci-probe-only property

When pci-host-generic looks for the probe-only property, it seems
to trust the DT to be correctly written, and assumes that there
is a parameter to the property.

Unfortunately, this is not always the case, and some firmware exposes
this property naked. The driver ends up making a decision based on
whatever the property pointer points to, which is likely to be junk.

Instead, let's check for the validity of the property, and ignore
it if the firmware couldn't make up its mind.

Signed-off-by: Marc Zyngier <[email protected]>
---
drivers/pci/host/pci-host-generic.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/drivers/pci/host/pci-host-generic.c b/drivers/pci/host/pci-host-generic.c
index 265dd25..2b2e2ff 100644
--- a/drivers/pci/host/pci-host-generic.c
+++ b/drivers/pci/host/pci-host-generic.c
@@ -211,6 +211,7 @@ static int gen_pci_probe(struct platform_device *pdev)
const char *type;
const struct of_device_id *of_id;
const int *prop;
+ int len;
struct device *dev = &pdev->dev;
struct device_node *np = dev->of_node;
struct gen_pci *pci = devm_kzalloc(dev, sizeof(*pci), GFP_KERNEL);
@@ -225,12 +226,16 @@ static int gen_pci_probe(struct platform_device *pdev)
return -EINVAL;
}

- prop = of_get_property(of_chosen, "linux,pci-probe-only", NULL);
+ prop = of_get_property(of_chosen, "linux,pci-probe-only", &len);
if (prop) {
- if (*prop)
- pci_add_flags(PCI_PROBE_ONLY);
- else
- pci_clear_flags(PCI_PROBE_ONLY);
+ if (len) {
+ if (be32_to_cpup(prop))
+ pci_add_flags(PCI_PROBE_ONLY);
+ else
+ pci_clear_flags(PCI_PROBE_ONLY);
+ } else {
+ dev_warn(&pdev->dev, "linux,pci-probe-only set without value, ignoring\n");
+ }
}

of_id = of_match_node(gen_pci_of_match, np);
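Review bot: The new `if (len)` test in gen_pci_probe() rejects only a zero-length property, so a value of 1 to 3 bytes still reaches `be32_to_cpup(prop)`, which reads a full 32-bit cell. Testing that `len` is at least `sizeof(u32)`, or reading the value with of_property_read_u32() and warning on its error return, would cover the truncated case as well as the naked one.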
--
2.1.4

2015-08-14 14:41:23

by Marc Zyngier

Subject: [PATCH 2/3] powerpc: PCI: Fix lookup of linux,pci-probe-only property

When find_and_init_phbs() looks for the probe-only property, it seems
to trust the firmware to be correctly written, and assumes that there
is a parameter to the property.

It is conceivable that the firmware could not be that perfect, and it
could expose this property naked (at least one arm64 platform seems to
exhibit this exact behaviour). The setup code then ends up making
a decision based on whatever the property pointer points to, which
is likely to be junk.

Instead, let's check for the validity of the property, and ignore
it if the firmware couldn't make up its mind.

Signed-off-by: Marc Zyngier <[email protected]>
---
arch/powerpc/platforms/pseries/setup.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
index df6a704..6bdc1f9 100644
--- a/arch/powerpc/platforms/pseries/setup.c
+++ b/arch/powerpc/platforms/pseries/setup.c
@@ -490,14 +490,19 @@ static void __init find_and_init_phbs(void)
*/
if (of_chosen) {
const int *prop;
+ int len;

prop = of_get_property(of_chosen,
- "linux,pci-probe-only", NULL);
+ "linux,pci-probe-only", &len);
if (prop) {
- if (*prop)
- pci_add_flags(PCI_PROBE_ONLY);
- else
- pci_clear_flags(PCI_PROBE_ONLY);
+ if (len) {
+ if (be32_to_cpup(prop))
+ pci_add_flags(PCI_PROBE_ONLY);
+ else
+ pci_clear_flags(PCI_PROBE_ONLY);
+ } else {
+ pr_warn("linux,pci-probe-only set without value, ignoring\n");
+ }
}
}
}
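Review bot: `prop` is declared `const int *` at the top of this block but is now passed to `be32_to_cpup()`, which takes a `const __be32 *`; declaring it `const __be32 *prop;` keeps the endianness annotation checkable by sparse. The `if (len)` guard in find_and_init_phbs() also lets a 1 to 3 byte value through to a 4-byte read, so comparing `len` against `sizeof(*prop)` would be tighter than testing for non-zero.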
--
2.1.4

2015-08-14 14:41:30

by Marc Zyngier

Subject: [PATCH 3/3] arm64: dts: Drop linux,pci-probe-only from the Seattle DTS

The linux,pci-probe-only property mandates an argument to indicate
whether or not to engage the "probe-only" mode, but the Seattle
DTS just provides a naked property, which is illegal.

Also, it turns out that the board is perfectly happy without
probe-only, so let's drop this altogether.

Signed-off-by: Marc Zyngier <[email protected]>
---
arch/arm64/boot/dts/amd/amd-overdrive.dts | 1 -
1 file changed, 1 deletion(-)

diff --git a/arch/arm64/boot/dts/amd/amd-overdrive.dts b/arch/arm64/boot/dts/amd/amd-overdrive.dts
index 564a3f7..128fa94 100644
--- a/arch/arm64/boot/dts/amd/amd-overdrive.dts
+++ b/arch/arm64/boot/dts/amd/amd-overdrive.dts
@@ -14,7 +14,6 @@

chosen {
stdout-path = &serial0;
- linux,pci-probe-only;
};
};

--
2.1.4

2015-08-14 14:58:02

by Bjorn Helgaas

Subject: Re: [PATCH 2/3] powerpc: PCI: Fix lookup of linux,pci-probe-only property

Hi Marc,

On Fri, Aug 14, 2015 at 03:41:07PM +0100, Marc Zyngier wrote:
> When find_and_init_phbs() looks for the probe-only property, it seems
> to trust the firmware to be correctly written, and assumes that there
> is a parameter to the property.
>
> It is conceivable that the firmware could not be that perfect, and it
> could expose this property naked (at least one arm64 platform seems to
> exhibit this exact behaviour). The setup code then ends up making
> a decision based on whatever the property pointer points to, which
> is likely to be junk.
>
> Instead, let's check for the validity of the property, and ignore
> it if the firmware couldn't make up its mind.
>
> Signed-off-by: Marc Zyngier <[email protected]>
> ---
> arch/powerpc/platforms/pseries/setup.c | 15 ++++++++++-----
> 1 file changed, 10 insertions(+), 5 deletions(-)
>
> diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
> index df6a704..6bdc1f9 100644
> --- a/arch/powerpc/platforms/pseries/setup.c
> +++ b/arch/powerpc/platforms/pseries/setup.c
> @@ -490,14 +490,19 @@ static void __init find_and_init_phbs(void)
> */
> if (of_chosen) {
> const int *prop;
> + int len;
>
> prop = of_get_property(of_chosen,
> - "linux,pci-probe-only", NULL);
> + "linux,pci-probe-only", &len);
> if (prop) {
> - if (*prop)
> - pci_add_flags(PCI_PROBE_ONLY);
> - else
> - pci_clear_flags(PCI_PROBE_ONLY);
> + if (len) {
> + if (be32_to_cpup(prop))
> + pci_add_flags(PCI_PROBE_ONLY);
> + else
> + pci_clear_flags(PCI_PROBE_ONLY);
> + } else {
> + pr_warn("linux,pci-probe-only set without value, ignoring\n");
> + }

This seems essentially identical to the pci-host-generic version.
Is there a way we can factor it out so there's only one copy?

> }
> }
> }
> --
> 2.1.4
>

2015-08-14 15:44:09

by Marc Zyngier

Subject: Re: [PATCH 2/3] powerpc: PCI: Fix lookup of linux,pci-probe-only property

Hi Bjorn,

On 14/08/15 15:57, Bjorn Helgaas wrote:
> Hi Marc,
>
> On Fri, Aug 14, 2015 at 03:41:07PM +0100, Marc Zyngier wrote:
>> When find_and_init_phbs() looks for the probe-only property, it seems
>> to trust the firmware to be correctly written, and assumes that there
>> is a parameter to the property.
>>
>> It is conceivable that the firmware could not be that perfect, and it
>> could expose this property naked (at least one arm64 platform seems to
>> exhibit this exact behaviour). The setup code then ends up making
>> a decision based on whatever the property pointer points to, which
>> is likely to be junk.
>>
>> Instead, let's check for the validity of the property, and ignore
>> it if the firmware couldn't make up its mind.
>>
>> Signed-off-by: Marc Zyngier <[email protected]>
>> ---
>> arch/powerpc/platforms/pseries/setup.c | 15 ++++++++++-----
>> 1 file changed, 10 insertions(+), 5 deletions(-)
>>
>> diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c
>> index df6a704..6bdc1f9 100644
>> --- a/arch/powerpc/platforms/pseries/setup.c
>> +++ b/arch/powerpc/platforms/pseries/setup.c
>> @@ -490,14 +490,19 @@ static void __init find_and_init_phbs(void)
>> */
>> if (of_chosen) {
>> const int *prop;
>> + int len;
>>
>> prop = of_get_property(of_chosen,
>> - "linux,pci-probe-only", NULL);
>> + "linux,pci-probe-only", &len);
>> if (prop) {
>> - if (*prop)
>> - pci_add_flags(PCI_PROBE_ONLY);
>> - else
>> - pci_clear_flags(PCI_PROBE_ONLY);
>> + if (len) {
>> + if (be32_to_cpup(prop))
>> + pci_add_flags(PCI_PROBE_ONLY);
>> + else
>> + pci_clear_flags(PCI_PROBE_ONLY);
>> + } else {
>> + pr_warn("linux,pci-probe-only set without value, ignoring\n");
>> + }
>
> This seems essentially identical to the pci-host-generic version.
> Is there a way we can factor it out so there's only one copy?

Probably. drivers/of/of_pci.c seems like a good landing place for it.
I'll hack something and repost it.

Thanks,

M.
--
Jazz is not dead. It just smells funny...
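
The failure mode discussed in this thread, as a self-contained userspace model; this is an added example, not code from the posted patches or from the kernel. `struct dt_prop`, `parse_probe_only()`, the `PO_*` values and the sample blob are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a device-tree property: len bytes of big-endian
 * data at value. A "naked" property has len == 0, and value then points
 * at whatever happens to follow it in the blob. */
struct dt_prop { const char *name; const uint8_t *value; int len; };

enum probe_only { PO_ABSENT, PO_INVALID, PO_OFF, PO_ON };

/* Decode one big-endian cell bytewise: no alignment or host-endian assumptions. */
static uint32_t be32_decode(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical shared helper: classify linux,pci-probe-only in one node. */
enum probe_only parse_probe_only(const struct dt_prop *props, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(props[i].name, "linux,pci-probe-only") != 0)
            continue;
        /* Reject naked (len 0) and truncated (len 1..3) values alike. */
        if (!props[i].value || props[i].len < (int)sizeof(uint32_t))
            return PO_INVALID;
        return be32_decode(props[i].value) ? PO_ON : PO_OFF;
    }
    return PO_ABSENT;
}

/* Constructed sample data: junk bytes, then a <1> cell, then a <0> cell.
 * An unchecked *prop on the naked entry would read the junk as "true". */
static const uint8_t blob[] = { 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 1, 0, 0, 0, 0 };
static const struct dt_prop naked[]  = { { "linux,pci-probe-only", blob, 0 } };
static const struct dt_prop shortv[] = { { "linux,pci-probe-only", blob, 2 } };
static const struct dt_prop on[]     = { { "linux,pci-probe-only", blob + 4, 4 } };
static const struct dt_prop off[]    = { { "linux,pci-probe-only", blob + 8, 4 } };
static const struct dt_prop none[]   = { { "stdout-path", blob, 4 } };

int main(void)
{
    static const char *const names[] = { "absent", "invalid", "off", "on" };
    const struct dt_prop *cases[] = { naked, shortv, on, off, none };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("case %zu: %s\n", i, names[parse_probe_only(cases[i], 1)]);
    return 0;
}
```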