Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3010325imu; Sun, 9 Dec 2018 15:03:16 -0800 (PST) X-Google-Smtp-Source: AFSGD/VHHIR3LTp8wUzrULYBdMGMLW79yAqOiIy0q/4KQEvQO+kZ5dcdYLJ/H49zubxOm5NzWgNT X-Received: by 2002:a62:8a51:: with SMTP id y78mr10048790pfd.35.1544396596222; Sun, 09 Dec 2018 15:03:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544396596; cv=none; d=google.com; s=arc-20160816; b=xVRZhnWwP9sind2svc1eGXIF0TgKvHGHzx7q48I0HkRU1759Y39wzAA0VoUv8zApC3 jCQqAut/xQI320KnJ3zI94UieXc85Uw3tUQ2ZZtr6bxyFpYBmJU8usyQHlu10EssnhhV QPICHWl6+32MbwWffyISO6danR/om8hdiZ+O3JdH4UmzZRGqVN1N+xrwGkvtAG6SEAub D9tC/cuTrAH7Fd8vpIYDwjnLtxc04GdqGfs1XeMDXE5NXJ0SRdqtWmQULQBpcTVNSjg9 wL6atMYUedoysuNauopSBspwbc9th//9VedcMerDpR3bmTI1T18PupwsutyXn6LNEOi2 LgVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition; bh=ftHOz8l9v3riYi4vGp7u7lr7JTerqT2zG9EeoDzEBOM=; b=mqc0HrcJcek1jZFs12gZvFqNdKhcJC4TqAy2Ccb7zl9Y4luFGnTBVLJ0qxz8ZLBSnV tTKMAuPSAkBr3gBfibEQZfSw4lIsI9GjKykTsMRCVuBc0I6ScI6/hChTJwXcsR93BCLv 1LBI5zu4EuJZ7xie4he0qX/fa8b5FiTn9VaUqx8Vm/Dgy4hzG4DwPp6sXikM//bdmo4e 4LiyaR2kvwLo6v/PBPVQARxUZ9+nySQBWm194kmZDlZqUN57zGtDWOayGVslYGcsiX4A UtH7GB6O3owzi9D4u2ppi/RDZ/TGUi0jX9dCZRzqmZ6x0P0UMYqGSvRtEd4Y0ejnC/H5 ekEg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 2si8811467pfd.154.2018.12.09.15.03.00; Sun, 09 Dec 2018 15:03:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727932AbeLIWQE (ORCPT + 99 others); Sun, 9 Dec 2018 17:16:04 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:37952 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728428AbeLIWNo (ORCPT ); Sun, 9 Dec 2018 17:13:44 -0500 Received: from pub.yeoldevic.com ([81.174.156.145] helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1gW73O-0002ij-Kd; Sun, 09 Dec 2018 21:55:58 +0000 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1gW72Z-0003GH-Tq; Sun, 09 Dec 2018 21:55:07 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Lukas Wunner" , "Bjorn Helgaas" Date: Sun, 09 Dec 2018 21:50:33 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) X-Patchwork-Hint: ignore Subject: [PATCH 3.16 052/328] PCI: pciehp: Fix unprotected list iteration in IRQ handler In-Reply-To: X-SA-Exim-Connect-IP: 81.174.156.145 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.62-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Lukas Wunner commit 1204e35bedf4e5015cda559ed8c84789a6dae24e upstream. Commit b440bde74f04 ("PCI: Add pci_ignore_hotplug() to ignore hotplug events for a device") iterates over the devices on a hotplug port's subordinate bus in pciehp's IRQ handler without acquiring pci_bus_sem. It is thus possible for a user to cause a crash by concurrently manipulating the device list, e.g. by disabling slot power via sysfs on a different CPU or by initiating a remove/rescan via sysfs. This can't be fixed by acquiring pci_bus_sem because it may sleep. The simplest fix is to avoid the list iteration altogether and just check the ignore_hotplug flag on the port itself. This works because pci_ignore_hotplug() sets the flag both on the device as well as on its parent bridge. We do lose the ability to print the name of the device blocking hotplug in the debug message, but that's probably bearable. Fixes: b440bde74f04 ("PCI: Add pci_ignore_hotplug() to ignore hotplug events for a device") Signed-off-by: Lukas Wunner Signed-off-by: Bjorn Helgaas [bwh: Backported to 3.16: s/events/intr_loc/] Signed-off-by: Ben Hutchings --- drivers/pci/hotplug/pciehp_hpc.c | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) --- a/drivers/pci/hotplug/pciehp_hpc.c +++ b/drivers/pci/hotplug/pciehp_hpc.c @@ -508,8 +508,6 @@ static irqreturn_t pcie_isr(int irq, voi { struct controller *ctrl = (struct controller *)dev_id; struct pci_dev *pdev = ctrl_dev(ctrl); - struct pci_bus *subordinate = pdev->subordinate; - struct pci_dev *dev; struct slot *slot = ctrl->slot; u16 detected, intr_loc; @@ -543,14 +541,9 @@ static irqreturn_t pcie_isr(int irq, voi wake_up(&ctrl->queue); } - if (subordinate) { - list_for_each_entry(dev, &subordinate->devices, bus_list) { - if (dev->ignore_hotplug) { - ctrl_dbg(ctrl, "ignoring hotplug event %#06x (%s requested no hotplug)\n", - intr_loc, pci_name(dev)); - return IRQ_HANDLED; - } - } + if (pdev->ignore_hotplug) { + ctrl_dbg(ctrl, "ignoring hotplug event %#06x\n", intr_loc); + return IRQ_HANDLED; } if (!(intr_loc & ~PCI_EXP_SLTSTA_CC))