
src: track bus-range for every bus and restrict config space acc...



details:   https://anonhg.NetBSD.org/src/rev/514073b8ff1a
branches:  trunk
changeset: 318149:514073b8ff1a
user:      macallan <macallan%NetBSD.org@localhost>
date:      Fri Apr 13 22:13:09 2018 +0000
description:
track bus-range for every bus and restrict config space accesses to that
range. Now pcictl pci* list no longer crashes the kernel.

diffstat:

 sys/arch/macppc/pci/u3.c |  19 ++++++++++++++++++-
 1 files changed, 18 insertions(+), 1 deletions(-)

diffs (77 lines):

diff -r 24a48dff138a -r 514073b8ff1a sys/arch/macppc/pci/u3.c
--- a/sys/arch/macppc/pci/u3.c  Fri Apr 13 21:52:48 2018 +0000
+++ b/sys/arch/macppc/pci/u3.c  Fri Apr 13 22:13:09 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: u3.c,v 1.8 2015/10/02 05:22:51 msaitoh Exp $ */
+/* $NetBSD: u3.c,v 1.9 2018/04/13 22:13:09 macallan Exp $ */
 
 /*
  * Copyright 2006 Kyma Systems LLC.
@@ -54,8 +54,12 @@
        struct genppc_pci_chipset sc_pc[8];
        struct powerpc_bus_space sc_iot;
        struct powerpc_bus_space sc_memt;
+       int sc_ranges[8];       
 };
 
+/* kinda ugly but there can be only one */
+static struct ibmcpc_softc *cpc0 = NULL;
+
 static void ibmcpc_attach(device_t, device_t, void *);
 static int ibmcpc_match(device_t, cfdata_t, void *);
 
@@ -108,6 +112,8 @@
            reg[1], reg[2]);
        pc_data = mapiodev(reg[1], reg[2], false);
 
+       cpc0 = sc;
+
        for (child = OF_child(OF_finddevice("/ht")), i = 1; child;
            child = OF_peer(child), i++) {
 
@@ -141,6 +147,7 @@
                macppc_pci_get_chipset_tag(pc);
                pc->pc_node = child;
                pc->pc_bus = busrange[0];
+               sc->sc_ranges[pc->pc_bus] = busrange[1];
                pc->pc_addr = 0x0;
                pc->pc_data = pc_data;
                pc->pc_conf_read = ibmcpc_conf_read;
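Review bot: The added store `sc->sc_ranges[pc->pc_bus] = busrange[1];` indexes an eight-element array with the bus number copied from `busrange[0]`, and nothing visible in this hunk bounds that value, so a bridge whose first bus number is 8 or higher would write past the end of `sc_ranges`. The same index is read back in the guards added to ibmcpc_conf_read and ibmcpc_conf_write further down. Check the index before the store, for example `if (pc->pc_bus < 0 || pc->pc_bus >= (int)__arraycount(sc->sc_ranges)) continue;`, or size the array for every bus number the hardware can report. A comment on the declaration such as `/* last bus behind each bridge, indexed by its first bus number */` would also make the indexing explicit. The attach loop starts and ends outside this hunk, so any validation done elsewhere is not visible here.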
@@ -167,6 +174,7 @@
 ibmcpc_conf_read(void *cookie, pcitag_t tag, int reg)
 {
        pci_chipset_tag_t pc = cookie;
+       struct ibmcpc_softc *sc = cpc0;
        u_int32_t daddr = (u_int32_t) pc->pc_data;
        pcireg_t data;
        u_int32_t bus, dev, func, x, devfn;
@@ -176,6 +184,11 @@
 
        pci_decompose_tag(pc, tag, &bus, &dev, &func);
 
+       if ((bus < pc->pc_bus) || (bus > sc->sc_ranges[pc->pc_bus])) {
+               data = 0xffffffff;
+               goto done;
+       }                
+
        devfn = PCI_DEVFN(dev, func);
 
        if (bus == 0) {
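Review bot: The upper-bound test in `(bus > sc->sc_ranges[pc->pc_bus])` compares the `u_int32_t` bus with an `int` array element, so a negative stored value would convert to a large unsigned number and the guard would stop rejecting anything. That can only happen if the bus-range property read at attach time is malformed, but the stored value is not checked where it is written. Making the field unsigned, e.g. `u_int32_t sc_ranges[8];`, and rejecting a `busrange[1]` smaller than `busrange[0]` at attach would remove the mixed-sign comparison; the identical test in ibmcpc_conf_write is affected the same way. The rest of ibmcpc_conf_read, including the `done` label, lies outside this hunk.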
@@ -200,6 +213,7 @@
 ibmcpc_conf_write(void *cookie, pcitag_t tag, int reg, pcireg_t data)
 {
        pci_chipset_tag_t pc = cookie;
+       struct ibmcpc_softc *sc = cpc0;
        int32_t *daddr = pc->pc_data;
        u_int32_t bus, dev, func;
        u_int32_t x, devfn;
@@ -209,6 +223,9 @@
 
        pci_decompose_tag(pc, tag, &bus, &dev, &func);
 
+       if ((bus < pc->pc_bus) || (bus > sc->sc_ranges[pc->pc_bus]))
+               return;
+
        devfn = PCI_DEVFN(dev, func);
 
        if (bus == 0) {


