x86 pat.c:phys_mem_access_prot_allowed() bogosity

From: Adrian Bunk
Date: Sun Apr 27 2008 - 08:31:57 EST


Commit e7f260a276f2c9184fe753732d834b1f6fbe9f17
(x86: PAT use reserve free memtype in mmap of /dev/mem)
added the following gem to arch/x86/mm/pat.c:

<-- snip -->

...
int phys_mem_access_prot_allowed(struct file *file, unsigned long pfn,
				unsigned long size, pgprot_t *vma_prot)
{
	u64 offset = ((u64) pfn) << PAGE_SHIFT;
	unsigned long flags = _PAGE_CACHE_UC_MINUS;
	unsigned long ret_flags;
...
... (nothing that touches ret_flags)
...
	if (flags != _PAGE_CACHE_UC_MINUS) {
		retval = reserve_memtype(offset, offset + size, flags, NULL);
	} else {
		retval = reserve_memtype(offset, offset + size, -1, &ret_flags);
	}

	if (retval < 0)
		return 0;

	flags = ret_flags;

	if (pfn <= max_pfn_mapped &&
	    ioremap_change_attr((unsigned long)__va(offset), size, flags) < 0) {
		free_memtype(offset, offset + size);
		printk(KERN_INFO
		"%s:%d /dev/mem ioremap_change_attr failed %s for %Lx-%Lx\n",
			current->comm, current->pid,
			cattr_name(flags),
			offset, offset + size);
		return 0;
	}

	*vma_prot = __pgprot((pgprot_val(*vma_prot) & ~_PAGE_CACHE_MASK) |
			     flags);
	return 1;
}

<-- snip -->

If (flags != _PAGE_CACHE_UC_MINUS) we pass garbage from the stack to
ioremap_change_attr() and/or __pgprot().

Spotted by the Coverity checker.

cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
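
The control flow reported above, reduced to a user-space model. This is an added example, not part of the original message and not kernel code. The constants, `reserve_memtype_stub()` and both `prot_flags_*()` functions are hypothetical, a poison value stands in for uninitialized stack contents so the stale read can be observed without undefined behaviour, and the correction shown is one possible fix, not necessarily the one that was merged.

```c
#include <stdio.h>

/* Constructed stand-ins; the values are illustrative, not the kernel's. */
#define CACHE_WB        0x00UL
#define CACHE_WC        0x08UL
#define CACHE_UC_MINUS  0x10UL
#define STACK_POISON    0xDEADBEEFUL	/* models leftover stack contents */

/* Stub with the contract visible in the excerpt: the out-parameter is
 * written only when the caller passes one. Always grants WB here. */
static int reserve_memtype_stub(unsigned long req, unsigned long *ret)
{
	(void)req;
	if (ret)
		*ret = CACHE_WB;
	return 0;
}

/* Shape of the reported code: ret_flags is consumed on both paths,
 * but only the else path ever stores to it. */
unsigned long prot_flags_reported(unsigned long flags)
{
	unsigned long ret_flags = STACK_POISON;

	if (flags != CACHE_UC_MINUS)
		reserve_memtype_stub(flags, NULL);	/* ret_flags untouched */
	else
		reserve_memtype_stub(-1UL, &ret_flags);
	flags = ret_flags;				/* stale on the first path */
	return flags;
}

/* One possible correction: take the returned type only on the path that
 * produced it, and keep the caller's explicit type otherwise. */
unsigned long prot_flags_checked(unsigned long flags)
{
	if (flags == CACHE_UC_MINUS)
		reserve_memtype_stub(-1UL, &flags);
	else
		reserve_memtype_stub(flags, NULL);
	return flags;
}

int main(void)
{
	printf("reported: %#lx  checked: %#lx\n",
	       prot_flags_reported(CACHE_WC), prot_flags_checked(CACHE_WC));
	return 0;
}
```

In the real function the stale value would flow into the cache-attribute bits of `*vma_prot`, which is why the checked variant never reads a variable that the taken branch did not write.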
