Date: Thu, 17 Jan 2019 08:47:03 -0600
From: Bjorn Helgaas
To: Logan Gunthorpe
Cc: linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org, Stephen Bates, Jarkko Nikula
Subject: Re: [PATCH] PCI: fix using __initdata memory after free in disable_acs_redir parameter
Message-ID: <20190117144703.GC158366@google.com>
References: <20190115173203.14850-1-logang@deltatee.com>
In-Reply-To: <20190115173203.14850-1-logang@deltatee.com>

On Tue, Jan 15, 2019 at 10:32:03AM -0700, Logan Gunthorpe wrote:
> The disable_acs_redir parameter stores a pointer to the string passed to
> pci_setup(). However, the string passed to PCI setup is actually a
> temporary copy allocated in static __initdata memory. After init, once
> the memory is freed, it is no longer valid to reference this pointer.
>
> This bug was noticed in v5.0-rc1 after a change in commit c5eb1190074c
> ("PCI / PM: Allow runtime PM without callback functions") caused
> pci_disable_acs_redir() to be called during shutdown which manifested
> as an unable to handle kernel paging request at:
>
>   RIP: 0010:pci_enable_acs+0x3f/0x1e0
>   Call Trace:
>    pci_restore_state.part.44+0x159/0x3c0
>    pci_restore_standard_config+0x33/0x40
>    pci_pm_runtime_resume+0x2b/0xd0
>    ? pci_restore_standard_config+0x40/0x40
>    __rpm_callback+0xbc/0x1b0
>    rpm_callback+0x1f/0x70
>    ? pci_restore_standard_config+0x40/0x40
>    rpm_resume+0x4f9/0x710
>    ? pci_conf1_read+0xb6/0xf0
>    ? pci_conf1_write+0xb2/0xe0
>    __pm_runtime_resume+0x47/0x70
>    pci_device_shutdown+0x1e/0x60
>    device_shutdown+0x14a/0x1f0
>    kernel_restart+0xe/0x50
>    __do_sys_reboot+0x1ee/0x210
>    ? __fput+0x144/0x1d0
>    do_writev+0x5e/0xf0
>    ? do_writev+0x5e/0xf0
>    do_syscall_64+0x48/0xf0
>    entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> It was also likely possible to trigger this bug when hotplugging PCI
> devices.
>
> To fix this, instead of storing a pointer, we use kstrdup to copy the
> disable_acs_redir_param to its own buffer which will never be freed.
>
> Fixes: aaca43fda742 ("PCI: Add "pci=disable_acs_redir=" parameter for peer-to-peer support")
> Signed-off-by: Logan Gunthorpe
> Cc: Jarkko Nikula
> Cc: Bjorn Helgaas

Applied with Jarkko's tested- and reviewed-by to for-linus for v5.0, thanks!

> --- > drivers/pci/pci.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c > index c9d8e3c837de..c25acace7d91 100644 > --- a/drivers/pci/pci.c > +++ b/drivers/pci/pci.c > @@ -6195,7 +6195,8 @@ static int __init pci_setup(char *str) > } else if (!strncmp(str, "pcie_scan_all", 13)) { > pci_add_flags(PCI_SCAN_ALL_PCIE_DEVS); > } else if (!strncmp(str, "disable_acs_redir=", 18)) { > - disable_acs_redir_param = str + 18; > + disable_acs_redir_param = > + kstrdup(str + 18, GFP_KERNEL); > } else { > printk(KERN_ERR "PCI: Unknown option `%s'\n", > str); > -- > 2.19.0 >
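
Review bot: the kstrdup() result in the "disable_acs_redir=" branch of pci_setup() is assigned without a NULL check, so if the allocation fails disable_acs_redir_param stays NULL and the option is dropped with no message to the user. Suggest testing the return value and reporting the failure with printk(KERN_ERR ...), in the same style as the "Unknown option" message in the else branch just below. A one-line comment at the assignment noting that the copy is intentionally never freed, because the parameter is still read after init, would also keep a later cleanup from reintroducing the dangling pointer.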