Received: by 10.192.165.156 with SMTP id m28csp345536imm;
        Tue, 10 Apr 2018 23:20:47 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48x4FypwQpCpkWyhkwJVjuEhx3S4BajsYkvkdB84L88qYZa/SsRloVce1WCcTpo6L3TTMNB
X-Received: by 10.98.99.4 with SMTP id x4mr2899668pfb.179.1523427647101;
        Tue, 10 Apr 2018 23:20:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523427647; cv=none;
        d=google.com; s=arc-20160816;
        b=0t6z4nmHFBv2jetqr2l9llTrN0Ie33F6hLEmfSmfHttFkcj+q9s9CSU9vuEji9Ba96
         3PlI/ntmkNDmCrlPENNpRcemYoAlw2aaynBdU3XD7KU0jtBsIqE7MxCIhiZtG3k89/Gl
         KEYEvFd7abCBW7UMn8I5tnu4H4iZ5rieMblYP+FQ2zQ6CsvIRslH6nNjgEIukWPGF9ei
         SYgfSvR8fpu9X3KyyBW8NydA1CnV80dLowFGQJaz2ScMuLuajEjJYXhqVeN7S8r28EIf
         XL6aHnWz70ebkTNGodKKY7woKTXVQbv4hww57C6isY8VRpuiAIhGYEVJWxEC59O94mzJ
         t1sw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:subject:cc:to:from:message-id:date
         :arc-authentication-results;
        bh=LKMH5Gf4XgC3eL9B6SpJ5m74J1G436hrYXkx7ol4kFA=;
        b=nkIhAxnmD/mDOeE/5hVKdaH3zlGjt8MpxHlNgtD/hjScjwwYfqpTq7NbTy2BlodhVp
         NyTBVbsw9T45UtEt+Uedn4rtESdSem31eCPCNFbdgwYHyz6uV/EH+fAO86pDFICe15I6
         FsqZiOXiR+LEj7E2SStVSt2c+2Ris2oDmrnYTYDQlLCC9394zYx3AqaMdlCHQFuRIWi9
         /20cSzbaVvzL5lw6g1RnEgzMDGjJA4JP2jZn/bdamy4efsyMq9H134Jm3w9OAbmWlnt1
         7K320BlIhJ4IJirpnCfN0qUQNOIEwwc14EEJP8lFmuiuwgIELx+mojHxfheQlq/VlBub
         K/ig==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i12si280669pgq.322.2018.04.10.23.20.09;
        Tue, 10 Apr 2018 23:20:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752474AbeDKGQg (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Wed, 11 Apr 2018 02:16:36 -0400
Received: from mx2.suse.de ([195.135.220.15]:43142 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751815AbeDKGQf (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Apr 2018 02:16:35 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (charybdis-ext.suse.de [195.135.220.254])
        by mx2.suse.de (Postfix) with ESMTP id 46700AE05;
        Wed, 11 Apr 2018 06:16:34 +0000 (UTC)
Date:   Wed, 11 Apr 2018 08:16:33 +0200
Message-ID: <s5hefjmb73y.wl-tiwai@suse.de>
From:   Takashi Iwai <tiwai@suse.de>
To:     Ram Pai <linuxram@us.ibm.com>
Cc:     Andrew Morton <akpm@linux-foundation.org>,
        Bjorn Helgaas <bhelgaas@google.com>,
        Michael Henders <hendersm@shaw.ca>,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] resource: Fix integer overflow at reallocation
In-Reply-To: <20180411003744.GC15890@ram.oc3035372033.ibm.com>
References: <20180408072026.27365-1-tiwai@suse.de>
        <20180409172326.944143fd13db2601e4dee9b0@linux-foundation.org>
        <s5hpo37d5l8.wl-tiwai@suse.de>
        <20180410134239.483fe34525db647f2f3d1ece@linux-foundation.org>
        <20180411003744.GC15890@ram.oc3035372033.ibm.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 11 Apr 2018 02:37:44 +0200,
Ram Pai wrote:
> 
> On Tue, Apr 10, 2018 at 01:42:39PM -0700, Andrew Morton wrote:
> > On Tue, 10 Apr 2018 06:54:11 +0200 Takashi Iwai <tiwai@suse.de> wrote:
> > 
> > > On Tue, 10 Apr 2018 02:23:26 +0200,
> > > Andrew Morton wrote:
> > > > 
> > > > On Sun,  8 Apr 2018 09:20:26 +0200 Takashi Iwai <tiwai@suse.de> wrote:
> > > > 
> > > > > We've got a bug report indicating a kernel panic at booting on an
> > > > > x86-32 system, and it turned out to be the invalid resource assigned
> > > > > after PCI resource reallocation.  __find_resource() first aligns the
> > > > > resource start address and resets the end address with start+size-1
> > > > > accordingly, then checks whether it's contained.  Here the end address
> > > > > may overflow the integer, although resource_contains() still returns
> > > > > true because the function validates only start and end address.  So
> > > > > this ends up with returning an invalid resource (start > end).
> > > > > 
> > > > > There was already an attempt to cover such a problem in the commit
> > > > > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but
> > > > > this case is an overseen one.
> > > > > 
> > > > > This patch adds the validity check in resource_contains() to see
> > > > > whether the given resource has a valid range for avoiding the integer
> > > > > overflow problem.
> > > > > 
> > > > > ...
> > > > >
> > > > > --- a/include/linux/ioport.h
> > > > > +++ b/include/linux/ioport.h
> > > > > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, struct resource *r2)
> > > > >  		return false;
> > > > >  	if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET)
> > > > >  		return false;
> > > > > +	/* sanity check whether it's a valid resource range */
> > > > > +	if (r2->end < r2->start)
> > > > > +		return false;
> > > > >  	return r1->start <= r2->start && r1->end >= r2->end;
> > > > >  }
> > > > 
> > > > This doesn't look like the correct place to handle this?  Clearly .end
> > > > < .start is an invalid state for a resource and we should never have
> > > > constructed such a thing in the first place?  So adding a check at the
> > > > place where this resource was initially created seems to be the correct
> > > > fix?
> > > 
> > > Yes, that was also my first thought and actually the v1 patch was like
> > > that.
> > 
> > Yes, I do prefer.
> > 
> > >  The v2 one was by Ram's suggestion so that we can cover
> > > potential bugs by all other callers as well.
> > 
> > That could be done as a separate thing?
> 
> the first approach will fix overflows in just that particular case. The
> second approach will catch and error-out overflows anywhere. There is a
> short-term down side to the second approach; it might cause a slew of
> error reports but will eventually help clean up all bad behavior.

For that purpose, maybe we should do in two folds: at first fix this
specific issue in __find_resource(), then put the sanity check in
resource_contains() in addition but with WARN_ON() so that we can
catch more obviously.


thanks,

Takashi