On Thu, May 11, 2023, at 15:22, Artur Rojek wrote: > On 2023-05-11 14:35, Geert Uytterhoeven wrote: >> >> CC Artur, who's working on HP Jornada 680. > Thanks for CC'ing me - I faced this exact issue while working on my > (still not upstreamed) hd6446x PCMCIA controller driver. The PCMCIA > subsystem uses `inb/outb`, which expect the `sh_io_port_base` to be set > to something else than the default `-1`. At first I tried to set it to > `0xa0000000`, so that all I/O goes through the fixed, non-cacheable P2 > area. That however broke some other driver code (I had no time to debug > which one). Eventually I ended up taking a suggestion from a MIPS PCMCIA > driver [1] and simply substract the broken `sh_io_port_base` address > from `HD64461_IOBASE`, as the base for `socket.io_offset`. This way all > the PCMCIA `inb/outb` accesses are absolute, no matter what the > `sh_io_port_base` is set to. This of course is a very ugly solution and > we should instead fix the root cause of this mess. I will have a better > look at this patch set and the problem at hand at a later date. > > Cheers, > Artur > > [1] > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/pcmcia/db1xxx_ss.c?h=v6.4-rc1#n527 I think the best fix would be to change all those drivers away from using inb/outb to readb/writeb, except when they access the actual PCMCIA I/O space behind the bridge. On most of the modern architectures, inb(addr) now turns into approximately readb(PCI_IOBASE + addr), with a bit of extra logic to deal with endianess and barrier semantics. PCI_IOBASE in turn tends to be a hardcoded virtual address to which the physical I/O space window gets mapped during early boot, though you can also #define it to sh_io_port_base if you want to allocate the virtual address dynamically and leave the existing logic unchanged. Setting sh_io_port_base to zero however is a problem for any driver that passes a small port number into it -- this then turns into a user space pointer dereference, which is trivially exploitable. Arnd
