Re: [Bug #11382] e1000e: 2.6.27-rc1 corrupts EEPROM/NVM
On Tue, 23 Sep 2008, David Miller wrote:

> I did some snooping around, and while doing so I noticed that the PCI
> mmap code for x86 doesn't do one bit of range checking on the size, or
> any other aspect of the request, wrt. the MMIO regions actually mapped
> in the BARs of the PCI device.

Ugh, indeed. Added Ingo and Jesse to CC.

> Yikes!
>
> It just does a reserve_memtype() on the address range, and says "ok".
>
> So if, for example, the X server tries to mmap() more than an MMIO bar
> actually maps, the kernel lets the user do this.
>
> It would be very interesting to add the appropriate checks to
> pci_mmap_page_range() in arch/x86/pci/i386.c, anyone who wants to do
> this can use the code in arch/sparc64/kernel/pci.c:
> __pci_mmap_make_offset() as a guide, and see what happens.

Absolutely. Or we can even do some dirty hackery in userspace, like
LD_PRELOADing X server and checking mmaps() that are close to MMIO regions
of affected devices.

> If the MMIO space regions of the video cards sit right before the
> E1000E ones on the affected systems, that would pretty much
> convince me that this is the kind of problem we are having here.

Unfortunately, looking at the lspci outputs that are in
https://bugzilla.novell.com/show_bug.cgi?id=425480 it seems to me that the
MMIO regions are quite far away from each other.

--
Jiri Kosina
SUSE Labs
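The check David asks for, as an added user-space model (not code from this thread, from arch/x86 or from arch/sparc64): the unchecked path turns the page offset into a physical address and accepts any length, while the checked path requires the whole requested range to be page-aligned and to sit inside one BAR of the device being mapped. The struct layout, the 4096-byte page size, the -EINVAL return and the two-device BAR layout (a video BAR with a NIC BAR placed right behind it, to mirror the scenario speculated about above) are constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)   /* assumed: 4 KiB pages */
#define MAX_BARS   6

/* Hypothetical stand-in for the kernel's struct resource: a BAR window as
 * [start, end] with end inclusive; start > end marks an unused BAR. */
struct bar_window {
    uint64_t start;
    uint64_t end;
};

struct fake_pci_dev {
    const char *name;
    struct bar_window bar[MAX_BARS];
};

/* Model of the unchecked behaviour the thread describes: convert the page
 * offset to a physical address and accept whatever length was requested. */
static int mmap_range_unchecked(const struct fake_pci_dev *dev,
                                uint64_t pgoff, uint64_t len, uint64_t *phys)
{
    (void)dev; (void)len;
    *phys = pgoff << PAGE_SHIFT;
    return 0;
}

/* Checked variant: [start, start+len) must be page-aligned, must not wrap,
 * and must lie entirely inside one BAR of this device. Anything else gets
 * -EINVAL. Written fresh for this example; not the sparc64 routine. */
static int mmap_range_checked(const struct fake_pci_dev *dev,
                              uint64_t pgoff, uint64_t len, uint64_t *phys)
{
    uint64_t start, last;
    int i;

    if (len == 0 || (len & (PAGE_SIZE - 1)))
        return -EINVAL;                 /* zero or unaligned length */
    if (pgoff > (UINT64_MAX >> PAGE_SHIFT))
        return -EINVAL;                 /* pgoff << PAGE_SHIFT would wrap */
    start = pgoff << PAGE_SHIFT;
    if (len - 1 > UINT64_MAX - start)
        return -EINVAL;                 /* start + len would wrap */
    last = start + len - 1;

    for (i = 0; i < MAX_BARS; i++) {
        const struct bar_window *b = &dev->bar[i];
        if (b->start > b->end)
            continue;                   /* unused BAR */
        if (start >= b->start && last <= b->end) {
            *phys = start;
            return 0;
        }
    }
    return -EINVAL;                     /* straddles a BAR edge or hits none */
}

/* Constructed layout (not taken from the bug report): a 16 MiB video BAR
 * at 0x10000000 followed directly by a 128 KiB NIC BAR at 0x11000000. */
static void mark_all_unused(struct fake_pci_dev *d)
{
    int i;
    for (i = 0; i < MAX_BARS; i++) { d->bar[i].start = 1; d->bar[i].end = 0; }
}

static struct fake_pci_dev make_video_dev(void)
{
    struct fake_pci_dev d = { .name = "video" };
    mark_all_unused(&d);
    d.bar[0].start = 0x10000000ULL;
    d.bar[0].end   = 0x10000000ULL + (16ULL << 20) - 1;   /* 0x10ffffff */
    return d;
}

static struct fake_pci_dev make_nic_dev(void)
{
    struct fake_pci_dev d = { .name = "nic" };
    mark_all_unused(&d);
    d.bar[0].start = 0x11000000ULL;
    d.bar[0].end   = 0x11000000ULL + (128ULL << 10) - 1;  /* 0x1101ffff */
    return d;
}

int main(void)
{
    struct fake_pci_dev video = make_video_dev();
    uint64_t pgoff    = 0x10000000ULL >> PAGE_SHIFT;
    uint64_t too_long = (16ULL << 20) + PAGE_SIZE;  /* one page past the BAR */
    uint64_t phys;

    printf("unchecked: %s\n",
           mmap_range_unchecked(&video, pgoff, too_long, &phys) == 0
           ? "accepted; last page lands in the NIC BAR" : "rejected");
    printf("checked:   %s\n",
           mmap_range_checked(&video, pgoff, too_long, &phys) == 0
           ? "accepted" : "rejected with -EINVAL");
    return 0;
}
```

In the kernel the two inputs come from the vma (vma->vm_pgoff for the offset, vma->vm_end - vma->vm_start for the length), and the resources come from the pci_dev being mapped rather than a constructed table; the shape of the check is the same. Requiring the range to fit one BAR, rather than merely to start inside one, is what stops a mapping from running off the end of the video card's window into whatever device happens to sit next in the address space.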