[PATCH v3] PCI: Unify ECAM constants in native PCI Express drivers

Bjorn Helgaas helgaas at kernel.org
Fri Oct 2 17:29:37 EDT 2020 

On Thu, Oct 01, 2020 at 10:02:44PM +0000, Krzysztof Wilczyński wrote:
> Unify ECAM-related constants into a single set of standard constants
> defining memory address shift values for the byte-level address that can
> be used when accessing the PCI Express Configuration Space, and then
> move native PCI Express controller drivers to use newly introduced
> definitions retiring any driver-specific ones.
> 
> The ECAM ("Enhanced Configuration Access Mechanism") is defined by the
> PCI Express specification (see PCI Express Base Specification, Revision
> 5.0, Version 1.0, Section 7.2.2, p. 676), thus most hardware should
> implement it the same way.  Most of the native PCI Express controller
> drivers define their ECAM-related constants, many of these could be
> shared, or use open-coded values when setting the .bus_shift field of
> the struct pci_ecam_ops.
> 
> All of the newly added constants should remove ambiguity and reduce the
> number of open-coded values, and also correlate more strongly with the
> descriptions in the aforementioned specification (see Table 7-1
> "Enhanced Configuration Address Mapping", p. 677).

> --- a/drivers/pci/controller/pci-host-generic.c
> +++ b/drivers/pci/controller/pci-host-generic.c
> @@ -15,7 +15,7 @@
>  #include <linux/platform_device.h>
>  
>  static const struct pci_ecam_ops gen_pci_cfg_cam_bus_ops = {
> -	.bus_shift	= 16,
> +	.bus_shift	= PCIE_CAM_BUS_SHIFT,

I'm not sure this code was safe even before you touched it.
pci_ecam_map_bus() doesn't limit "where" at all, so if we try to
access extended config space (offset 0x100 - 0xfff), I think we'll
generate

  (busnr << 16) | (devfn << 8) + where

If "where >= 0x100", we'll target the wrong device.

Even for ECAM, it doesn't look like anything prevents a defective or
malicious caller from supplying a config offset of, say, 0x2000 and
targeting the wrong device.

>  	.pci_ops	= {
>  		.map_bus	= pci_ecam_map_bus,
>  		.read		= pci_generic_config_read,

> --- a/drivers/pci/controller/pci-xgene.c
> +++ b/drivers/pci/controller/pci-xgene.c
> @@ -60,6 +60,15 @@
>  #define XGENE_PCIE_IP_VER_1		1
>  #define XGENE_PCIE_IP_VER_2		2
>  
> +/*
> + * Enhanced Configuration Access Mechanism (ECAM)
> + *
> + * N.B. This is a non-standard platform-specific ECAM bus shift value.  For
> + * standard values defined in the PCI Express Base Specification see
> + * include/linux/pci-ecam.h.
> + */
> +#define XGENE_PCIE_ECAM_BUS_SHIFT	16

Is this even used anywhere?  xgene_pcie_map_bus() doesn't use
bus_shift.  Maybe we can just drop the .bus_shift initializers?

>  #if defined(CONFIG_PCI_XGENE) || (defined(CONFIG_ACPI) && defined(CONFIG_PCI_QUIRKS))
>  struct xgene_pcie_port {
>  	struct device_node	*node;
> @@ -257,7 +266,7 @@ static int xgene_v1_pcie_ecam_init(struct pci_config_window *cfg)
>  }
>  
>  const struct pci_ecam_ops xgene_v1_pcie_ecam_ops = {
> -	.bus_shift	= 16,
> +	.bus_shift	= XGENE_PCIE_ECAM_BUS_SHIFT,
>  	.init		= xgene_v1_pcie_ecam_init,
>  	.pci_ops	= {
>  		.map_bus	= xgene_pcie_map_bus,
> @@ -272,7 +281,7 @@ static int xgene_v2_pcie_ecam_init(struct pci_config_window *cfg)
>  }
>  
>  const struct pci_ecam_ops xgene_v2_pcie_ecam_ops = {
> -	.bus_shift	= 16,
> +	.bus_shift	= XGENE_PCIE_ECAM_BUS_SHIFT,
>  	.init		= xgene_v2_pcie_ecam_init,
>  	.pci_ops	= {
>  		.map_bus	= xgene_pcie_map_bus,

More information about the Linux-rockchip mailing list