We can't trust the ROM headers to be 100% correct, and accessing
past the end of the BAR can cause really bad things, such as
machine checks on some platforms.
Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
---
Found that in an old pile of patches while cleaning up my disk :-)
I was dealing with a buggy radeon that the time iirc.
Cheers,
Ben.
diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
index 36864a9..d07dcfc 100644
--- a/drivers/pci/rom.c
+++ b/drivers/pci/rom.c
@@ -67,10 +67,10 @@ void pci_disable_rom(struct pci_dev *pdev)
size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
{
void __iomem *image;
- int last_image;
+ int last_image = 0;
image = rom;
- do {
+ while (!last_image && (image - rom) < (size - 24)) {
void __iomem *pds;
/* Standard PCI ROMs start out with these bytes 55 AA */
if (readb(image) != 0x55) {
@@ -92,7 +92,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
last_image = readb(pds + 21) & 0x80;
/* this length is reliable */
image += readw(pds + 16) * 512;
- } while (!last_image);
+ };
/* never return a size larger than the PCI resource window */
/* there are known ROMs that get the size wrong */
--
1.7.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-pci" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
