From: Nam Cao
To: Bjorn Helgaas, linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Lukas Wunner, Nam Cao, stable@vger.kernel.org
Subject: [PATCH] PCI: hotplug: shpchp: Prevent NULL pointer dereference during probe
Date: Fri, 31 May 2024 13:08:35 +0200
Message-Id: <20240531110835.3800904-1-namcao@linutronix.de>

pci_dev->subordinate pointer can be NULL if we run out of bus number. The driver dereferences this pointer without checking, and the kernel crashes.

This crash can be reproduced by starting a QEMU instance:

    qemu-system-x86_64 -machine pc-q35-2.10 \
        -kernel bzImage \
        -drive "file=img,format=raw" \
        -m 2048 -smp 1 -enable-kvm \
        -append "console=ttyS0 root=/dev/sda debug" \
        -nographic \
        -device pcie-root-port,bus=pcie.0,slot=1,id=rp1 \
        -device pcie-pci-bridge,id=br1,bus=rp1

Then hot-add a bridge with the QEMU command:

    device_add pci-bridge,id=br2,bus=br1,chassis_nr=1,addr=1

Then the kernel crashes:

    shpchp 0000:02:01.0: enabling device (0000 -> 0002)
    shpchp 0000:02:01.0: enabling bus mastering
    BUG: kernel NULL pointer dereference, address: 00000000000000da
    [snip]
    Call Trace:
    ? show_regs+0x63/0x70
    ? __die+0x23/0x70
    ? page_fault_oops+0x17a/0x480
    ? shpc_init+0x3fb/0x9d0
    ? search_module_extables+0x4e/0x80
    ? shpc_init+0x3fb/0x9d0
    ? kernelmode_fixup_or_oops+0x9b/0x120
    ? __bad_area_nosemaphore+0x16e/0x240
    ? bad_area_nosemaphore+0x11/0x20
    ? do_user_addr_fault+0x2a3/0x610
    ? exc_page_fault+0x6d/0x160
    ? asm_exc_page_fault+0x2b/0x30
    ? shpc_init+0x3fb/0x9d0
    shpc_probe+0x92/0x390

NULL check this pointer first before proceeding. If there is no secondary bus number, there is no point in initializing this hot-plug controller, so just bail out.

Signed-off-by: Nam Cao
Cc: stable@vger.kernel.org # all
---
This one exists since beginning of git history. So I didn't bother with a Fixes: tag. This patch is almost a copy-paste from pciehp
---
 drivers/pci/hotplug/shpchp_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/pci/hotplug/shpchp_core.c b/drivers/pci/hotplug/shpchp_core.c index 56c7795ed890..14cf9e894201 100644 --- a/drivers/pci/hotplug/shpchp_core.c +++ b/drivers/pci/hotplug/shpchp_core.c 
@@ -262,6 +262,12 @@ static int shpc_probe(struct pci_dev *pdev, const struct pci_device_id *ent) if (acpi_get_hp_hw_control_from_firmware(pdev)) return -ENODEV; + if (!pdev->subordinate) { + /* Can happen if we run out of bus numbers during probe */ + pci_err(pdev, "Hotplug bridge without secondary bus, ignoring\n"); + return -ENODEV; + } + ctrl = kzalloc(sizeof(*ctrl), GFP_KERNEL); if (!ctrl) goto err_out_none; -- 2.39.2
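
Review bot: The new !pdev->subordinate check in shpc_probe() sits after the acpi_get_hp_hw_control_from_firmware(pdev) call, so for a bridge the driver is about to ignore, the firmware handoff has already been attempted by the time -ENODEV is returned. The check only reads pdev and does not depend on the result of that call, so consider moving it ahead of the ACPI call, so that the driver bails out before touching firmware state. The early return is otherwise well placed for cleanup: it comes before the kzalloc() of ctrl, so there is nothing to free. The commit message could also name the access in shpc_init() that faults, since the trace only shows shpc_init+0x3fb and the hunk guards the caller rather than the dereference itself.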