On Sun, 8 Apr 2018 09:20:26 +0200 Takashi Iwai <ti...@suse.de> wrote:
> We've got a bug report indicating a kernel panic at booting on an > x86-32 system, and it turned out to be the invalid resource assigned > after PCI resource reallocation. __find_resource() first aligns the > resource start address and resets the end address with start+size-1 > accordingly, then checks whether it's contained. Here the end address > may overflow the integer, although resource_contains() still returns > true because the function validates only start and end address. So > this ends up with returning an invalid resource (start > end). > > There was already an attempt to cover such a problem in the commit > 47ea91b4052d ("Resource: fix wrong resource window calculation"), but > this case is an overseen one. > > This patch adds the validity check in resource_contains() to see > whether the given resource has a valid range for avoiding the integer > overflow problem. > > ... > > --- a/include/linux/ioport.h > +++ b/include/linux/ioport.h > @@ -212,6 +212,9 @@ static inline bool resource_contains(struct resource *r1, > struct resource *r2) > return false; > if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) > return false; > + /* sanity check whether it's a valid resource range */ > + if (r2->end < r2->start) > + return false; > return r1->start <= r2->start && r1->end >= r2->end; > } This doesn't look like the correct place to handle this? Clearly .end < .start is an invalid state for a resource and we should never have constructed such a thing in the first place? So adding a check at the place where this resource was initially created seems to be the correct fix?