[PATCH v3 1/2] x86/ioremap: fix the pfn calculation mistake in __ioremap_check_ram()

From: Yaohui Wang
Date: Mon Jun 21 2021 - 08:35:29 EST

Next message: Yaohui Wang: "[PATCH v3 2/2] kernel/resource: fix boundary judgment issues in find_next_iomem_res() and __walk_iomem_res_desc()"
Previous message: Mark Brown: "Re: [PATCH v1] regulator: core: Add stubs for driver API"
In reply to: Yaohui Wang: "[PATCH v3 0/2] x86/ioremap: fix boundary calculation and boundary judgment issues for ioremap()"
Next in thread: Yaohui Wang: "[PATCH v3 2/2] kernel/resource: fix boundary judgment issues in find_next_iomem_res() and __walk_iomem_res_desc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In __ioremap_check_ram(), the pfn wrapping calculation supposes res->start
to be page-aligned and res->end to be PAGE_SIZE - 1 aligned. But
res->start and res->end may not follow such alignment, which may make the
RAM checking be omitted for the very start page or the very end page of
the memory range. This can cause ioremap_xxx() to succeed on normal RAM by
mistake.

For example, suppose memory range [phys_addr ~ phys_addr + PAGE_SIZE - 1]
is a normal RAM page. ioremap(phys_addr, PAGE_SIZE - 1) will succeed
(but it should not) because the pfn wrapping prevents this page to be
checked whether it touches non-ioremappable resources.

The new pfn wrapping calculation makes sure the resulting pfn range covers
[res->start, res->end] completely.

Fixes: 0e4c12b45aa8 (x86/mm, resource: Use PAGE_KERNEL protection for ioremap of memory pages)
Signed-off-by: Yahui Wang <yaohuiwang@xxxxxxxxxxxxxxxxx>
Signed-off-by: Ben Luo <luoben@xxxxxxxxxxxxxxxxx>
---
arch/x86/mm/ioremap.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
index 60ade7dd71bd..609a8bd6f680 100644
--- a/arch/x86/mm/ioremap.c
+++ b/arch/x86/mm/ioremap.c
@@ -68,19 +68,19 @@ int ioremap_change_attr(unsigned long vaddr, unsigned long size,
/* Does the range (or a subset of) contain normal RAM? */
static unsigned int __ioremap_check_ram(struct resource *res)
{
- unsigned long start_pfn, stop_pfn;
+ unsigned long start_pfn, stop_pfn, npages;
unsigned long i;

if ((res->flags & IORESOURCE_SYSTEM_RAM) != IORESOURCE_SYSTEM_RAM)
return 0;

- start_pfn = (res->start + PAGE_SIZE - 1) >> PAGE_SHIFT;
- stop_pfn = (res->end + 1) >> PAGE_SHIFT;
- if (stop_pfn > start_pfn) {
- for (i = 0; i < (stop_pfn - start_pfn); ++i)
- if (pfn_valid(start_pfn + i) &&
- !PageReserved(pfn_to_page(start_pfn + i)))
- return IORES_MAP_SYSTEM_RAM;
+ start_pfn = PFN_DOWN(res->start);
+ stop_pfn = PFN_DOWN(res->end);
+ npages = stop_pfn - start_pfn + 1;
+ for (i = 0; i < npages; ++i) {
+ if (pfn_valid(start_pfn + i) &&
+ !PageReserved(pfn_to_page(start_pfn + i)))
+ return IORES_MAP_SYSTEM_RAM;
}

return 0;
--
2.25.1

Next message: Yaohui Wang: "[PATCH v3 2/2] kernel/resource: fix boundary judgment issues in find_next_iomem_res() and __walk_iomem_res_desc()"
Previous message: Mark Brown: "Re: [PATCH v1] regulator: core: Add stubs for driver API"
In reply to: Yaohui Wang: "[PATCH v3 0/2] x86/ioremap: fix boundary calculation and boundary judgment issues for ioremap()"
Next in thread: Yaohui Wang: "[PATCH v3 2/2] kernel/resource: fix boundary judgment issues in find_next_iomem_res() and __walk_iomem_res_desc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]