From patchwork Mon Jan 19 08:53:20 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Michel_D=C3=A4nzer?= <michel@daenzer.net>
X-Patchwork-Id: 5655651
X-Patchwork-Delegate: bhelgaas@google.com
Return-Path: <linux-pci-owner@kernel.org>
X-Original-To: patchwork-linux-pci@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 3C0979F333
	for <patchwork-linux-pci@patchwork.kernel.org>;
	Mon, 19 Jan 2015 08:58:42 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 992862026F
	for <patchwork-linux-pci@patchwork.kernel.org>;
	Mon, 19 Jan 2015 08:58:36 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id B05B020254
	for <patchwork-linux-pci@patchwork.kernel.org>;
	Mon, 19 Jan 2015 08:58:35 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751226AbbASI6e (ORCPT
	<rfc822;patchwork-linux-pci@patchwork.kernel.org>);
	Mon, 19 Jan 2015 03:58:34 -0500
Received: from darkcity.gna.ch ([195.226.6.51]:54488 "EHLO mail.gna.ch"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1751194AbbASI6e (ORCPT <rfc822;linux-pci@vger.kernel.org>);
	Mon, 19 Jan 2015 03:58:34 -0500
X-Greylist: delayed 306 seconds by postgrey-1.27 at vger.kernel.org;
	Mon, 19 Jan 2015 03:58:33 EST
Received: from kaveri (125-14-38-183.rev.home.ne.jp [125.14.38.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
	bits)) (No client certificate requested)
	by darkcity.gna.ch (Postfix) with ESMTPSA id 967E6C069C;
	Mon, 19 Jan 2015 09:53:11 +0100 (CET)
Received: from daenzer by kaveri with local (Exim 4.84)
	(envelope-from <michel@daenzer.net>)
	id 1YD85I-0008Dg-NJ; Mon, 19 Jan 2015 17:53:20 +0900
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel@daenzer.net>
To: Bjorn Helgaas <bhelgaas@google.com>
Cc: linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org,
	Federico <federicotg@gmail.com>, dri-devel@lists.freedesktop.org
Subject: [PATCH v2] pci: Fix infinite loop with ROM image of size 0
Date: Mon, 19 Jan 2015 17:53:20 +0900
Message-Id: <1421657600-31561-1-git-send-email-michel@daenzer.net>
X-Mailer: git-send-email 2.1.4
In-Reply-To: 
 <CAFUqUc6JPgSK4tTP7KuJ8TmVLZR6Abaf9uHUTRZA+OJhv8DoBA@mail.gmail.com>
References: 
 <CAFUqUc6JPgSK4tTP7KuJ8TmVLZR6Abaf9uHUTRZA+OJhv8DoBA@mail.gmail.com>
MIME-Version: 1.0
Sender: linux-pci-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-pci.vger.kernel.org>
X-Mailing-List: linux-pci@vger.kernel.org
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Michel Dänzer <michel.daenzer@amd.com>

If the image size would ever read as 0, pci_get_rom_size could keep
processing the same image over and over again.

Reported-by: Federico <federicotg@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
---

v2:
* Use unsigned instead of u16 for the local length variable (not sure if
  the multiplication by 512 could overflow otherwise)
* Integrate length condition into while statement
* Add stable tag

 drivers/pci/rom.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
index f955edb..eb0ad53 100644
--- a/drivers/pci/rom.c
+++ b/drivers/pci/rom.c
@@ -71,6 +71,7 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
 {
 	void __iomem *image;
 	int last_image;
+	unsigned length;
 
 	image = rom;
 	do {
@@ -93,9 +94,9 @@ size_t pci_get_rom_size(struct pci_dev *pdev, void __iomem *rom, size_t size)
 		if (readb(pds + 3) != 'R')
 			break;
 		last_image = readb(pds + 21) & 0x80;
-		/* this length is reliable */
-		image += readw(pds + 16) * 512;
-	} while (!last_image);
+		length = readw(pds + 16);
+		image += length * 512;
+	} while (length && !last_image);
 
 	/* never return a size larger than the PCI resource window */
 	/* there are known ROMs that get the size wrong */