Re: [PATCH 3/3] VFIO V4: VFIO driver: Non-privileged user levelPCI drivers
From: Andy Walls
Date: Thu Sep 23 2010 - 08:57:57 EST
> +ssize_t vfio_io_readwrite(
> + int write,
> + struct vfio_dev *vdev,
> + char __user *buf,
> + size_t count,
> + loff_t *ppos)
> +{
> + struct pci_dev *pdev = vdev->pdev;
> + size_t done = 0;
> + resource_size_t end;
> + void __iomem *io;
> + loff_t pos;
> + int pci_space;
> + int unit;
> +
> + pci_space = vfio_offset_to_pci_space(*ppos);
> + pos = vfio_offset_to_pci_offset(*ppos);
> +
> + if (!pci_resource_start(pdev, pci_space))
> + return -EINVAL;
> + end = pci_resource_len(pdev, pci_space);
> + if (pos + count > end)
> + return -EINVAL;
> + if (vdev->barmap[pci_space] == NULL)
> + vdev->barmap[pci_space] = pci_iomap(pdev, pci_space, 0);
Hi Tom,
pci_iomap() can possibly return NULL here and also in
vfio_mem_readwrite(). Even if there are no security implications
(unintended access to low I/O ports?), I think you still have potential
for an Oops in the code below.
... unless there's a reason why pci_iomap() can't possibly return NULL
in these instances. Maybe I'm missing something.
Regards,
Andy
> + io = vdev->barmap[pci_space];
> +
> + while (count > 0) {
> + if ((pos % 4) == 0 && count >= 4) {
> + u32 val;
> +
> + if (write) {
> + if (copy_from_user(&val, buf, 4))
> + return -EFAULT;
> + iowrite32(val, io + pos);
> + } else {
> + val = ioread32(io + pos);
> + if (copy_to_user(buf, &val, 4))
> + return -EFAULT;
> + }
> + unit = 4;
> + } else if ((pos % 2) == 0 && count >= 2) {
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/