It was possible to force an out of bounds MMIO
read/write via debugfs. E.g. on QCA988X this could
be triggered with:
echo 0x2080e0 | tee /sys/kernel/debug/ieee80211/*/ath10k/reg_addr
cat /sys/kernel/debug/ieee80211/*/ath10k/reg_value
BUG: unable to handle kernel paging request at c90001e080e0
IP: [] ioread32+0x40/0x50
...
Call Trace:
[] ? ath10k_pci_read32+0x4f/0x70 [ath10k_pci]
[] ath10k_reg_value_read+0x90/0xf0 [ath10k_core]
[] ? handle_mm_fault+0xa91/0x1050
[] __vfs_read+0x28/0xe0
[] ? security_file_permission+0x84/0xa0
[] ? rw_verify_area+0x53/0x100
[] vfs_read+0x8a/0x140
[] SyS_read+0x49/0xb0
[] ? trace_do_page_fault+0x3c/0xc0
[] system_call_fastpath+0x12/0x71
Reported-by: Ben Greear
Signed-off-by: Michal Kazior
---
drivers/net/wireless/ath/ath10k/pci.c | 13 +
drivers/net/wireless/ath/ath10k/pci.h | 1 +
2 files changed, 14 insertions(+)
diff --git a/drivers/net/wireless/ath/ath10k/pci.c
b/drivers/net/wireless/ath/ath10k/pci.c
index 9da36c764d3b..1843d31fbda7 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -479,6 +479,12 @@ void ath10k_pci_write32(struct ath10k *ar, u32 offset, u32
value)
struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
int ret;
+ if (unlikely(offset + sizeof(value) > ar_pci->mem_len)) {
+ ath10k_warn(ar, "refusing to write mmio out of bounds at 0x%08x
- 0x%08zx (max 0x%08zx)\n",
+ offset, offset + sizeof(value), ar_pci->mem_len);
+ return;
+ }
+
ret = ath10k_pci_wake(ar);
if (ret) {
ath10k_warn(ar, "failed to wake target for write32 of 0x%08x at
0x%08x: %d\n",
@@ -496,6 +502,12 @@ u32 ath10k_pci_read32(struct ath10k *ar, u32 offset)
u32 val;
int ret;
+ if (unlikely(offset + sizeof(val) > ar_pci->mem_len)) {
+ ath10k_warn(ar, "refusing to read mmio out of bounds at 0x%08x
- 0x%08zx (max 0x%08zx)\n",
+ offset, offset + sizeof(val), ar_pci->mem_len);
+ return 0;
+ }
+
ret = ath10k_pci_wake(ar);
if (ret) {
ath10k_warn(ar, "failed to wake target for read32 at 0x%08x:
%d\n",
@@ -2682,6 +2694,7 @@ static int ath10k_pci_claim(struct ath10k *ar)
pci_set_master(pdev);
/* Arrange for access to Target SoC registers. */
+ ar_pci->mem_len = pci_resource_len(pdev, BAR_NUM);
ar_pci->mem = pci_iomap(pdev, BAR_NUM, 0);
if (!ar_pci->mem) {
ath10k_err(ar, "failed to iomap BAR%d\n", BAR_NUM);
diff --git a/drivers/net/wireless/ath/ath10k/pci.h
b/drivers/net/wireless/ath/ath10k/pci.h
index d7696ddc03c4..eea0a0170b00 100644
--- a/drivers/net/wireless/ath/ath10k/pci.h
+++ b/drivers/net/wireless/ath/ath10k/pci.h
@@ -162,6 +162,7 @@ struct ath10k_pci {
struct device *dev;
struct ath10k *ar;
void __iomem *mem;
+ size_t mem_len;
/*
* Number of MSI interrupts granted, 0 --> using legacy PCI line
--
2.1.4
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html