On 15.01.2015 12:53, Federico wrote:
> How about this? It seems at least related.
>
> https://github.com/alterapraxisptyltd/openatom/issues/1
>
> Quote:
> [linux] Infinite loop in pci_get_rom_size()
>
> This is one of those issues that you find when putting supposedly stable
> code through unusual situations. I did expect any function in linux that
> is not part of radeon.ko to not be rock solid. Turns out that's not
> really the case.
>
> If we have a PCIR structure with a zero size length, the loop iterating
> through those structure does not advance. It simply does "image +=
> readw(pds + 16) * 512;", but if that field is zero we're back analyzing
> the same structure on the next loop. The way to get out of this loop is
> to set bit 7 of the type field. That's what 'last_image' does. If that
> bit is not set, with the above, that's an infinite loop.
>
> Luckily, it doesn't crash the kernel, but it hangs any driver that calls
> the function under said circumstances. No more modprobe -r or unbinding.
> Reboot is needed. No idea why a firmware blob here is treated as trusted
> input.
That could indeed explain it, does the attached patch help?
--
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer
diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
index f955edb..2fb5013 100644
--- a/drivers/pci/rom.c
+++ b/drivers/pci/rom.c
@@ -75,6 +75,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
image = rom;
do {
void __iomem *pds;
+ u16 length;
/* Standard PCI ROMs start out with these bytes 55 AA */
if (readb(image) != 0x55) {
dev_err(&pdev->dev, "Invalid ROM contents\n");
@@ -93,8 +94,10 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
if (readb(pds + 3) != 'R')
break;
last_image = readb(pds + 21) & 0x80;
- /* this length is reliable */
- image += readw(pds + 16) * 512;
+ length = readw(pds + 16);
+ if (!length)
+ break;
+ image += length * 512;
} while (!last_image);
/* never return a size larger than the PCI resource window */
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
