On Wed, Sep 24, 2008 at 2:12 PM, David Miller <davem@xxxxxxxxxxxxx> wrote: > From: Jiri Kosina <jkosina@xxxxxxx> > Date: Wed, 24 Sep 2008 00:19:00 +0200 (CEST) > >> On Tue, 23 Sep 2008, Jeff Kirsher wrote: >> >> > >> I don't think OpenSUSE was shipping any of the GEM bits. >> > > Good data point, can someone confirm this? Also, what X server version >> > > is the effected OpenSUSE shipping? >> > OpenSuSE 11 ships x server version 7.3. >> >> Opensuse 11 is fine. >> >> The problem can be reproduced [not only] on opensuse 11.1 beta1, which has >> >> xorg-x11-7.4-1.6.x86_64.rpm > > I did some snooping around, and while doing so I noticed that the PCI > mmap code for x86 doesn't do one bit of range checking on the size, or > any other aspect of the request, wrt. the MMIO regions actually mapped > in the BARs of the PCI device. > > Yikes! > > It just does a reserve_memtype() on the address range, and says "ok". > > So if, for example, the X server tries to mmap() more than an MMIO bar > actually maps, the kernel lets the user do this. > > It would be very interesting to add the appropriate checks to > pci_mmap_page_range() in arch/x86/pci/i386.c, anyone who wants to do > this can use the code in arch/sparc64/kernel/pci.c: > __pci_mmap_make_offset() as a guide, and see what happens. > > If the MMIO space regions of the video cards sit right before the > E1000E ones on the effected systems, that would pretty much > convince me that this is the kind of problem we are having here. > > This also reminds me that there was that whole set of issues that > had to get worked out wrt. write-caching of mappings on x86. > I'm still dubious about this, wouldn't we see other wierdass side effects if X was trashing the BARs on other devices? I think tglx is on the right path, same problem as e1000, code is stupid, it can reenter the nvram read/write code from irq context, and pwn itself. Dave. -- To unsubscribe from this list: send the line "unsubscribe kernel-testers" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
