Message ID | 20201112094429.541667-2-frank.heimes@canonical.com |
---|---|
State | New |
Series | NULL pointer dereference when configuring multi-function with devfn != 0 before devfn == 0 (LP: 1903682) |
On 12.11.20 10:44, frank.heimes@canonical.com wrote: > From: Niklas Schnelle <schnelle@linux.ibm.com> > > BugLink: https://bugs.launchpad.net/bugs/1903682 > > Under some circumstances in particular with "Reconfigure I/O Path" > a zPCI function may first appear in Standby through a PCI event with > PEC 0x0302 which initially makes it visible to the zPCI subsystem, > Only after that is it configured with a zPCI event with PEC 0x0301. > If the zbus is still missing a PCI function zero (devfn == 0) when the > PCI event 0x0301 is handled zdev->zbus->bus is still NULL and gets > dereferenced in common code. > Check for this case and enable but don't scan the zPCI function. > This matches what would happen if we immediately got the 0x0301 > configuration request or the function was included in CLP List PCI. > In all cases the PCI functions with devfn != 0 will be scanned once > function 0 appears. > > Fixes: 3047766bc6ec ("s390/pci: fix enabling a reserved PCI function") > Cc: <stable@vger.kernel.org> # 5.8 > Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com> > Acked-by: Pierre Morel <pmorel@linux.ibm.com> > Signed-off-by: Heiko Carstens <hca@linux.ibm.com> > (cherry picked from commit 0b2ca2c7d0c9e2731d01b6c862375d44a7e13923) > Signed-off-by: Frank Heimes <frank.heimes@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > arch/s390/pci/pci_event.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c > index d9ae7456dd4c..40a569b548cc 100644 > --- a/arch/s390/pci/pci_event.c > +++ b/arch/s390/pci/pci_event.c > @@ -101,6 +101,10 @@ static void __zpci_event_availability(struct zpci_ccdf_avail *ccdf) > if (ret) > break; > > + /* the PCI function will be scanned once function 0 appears */ > + if (!zdev->zbus->bus) > + break; > + > pdev = pci_scan_single_device(zdev->zbus->bus, zdev->devfn); > if (!pdev) > break; >
On Thu, Nov 12, 2020 at 10:44:29AM +0100, frank.heimes@canonical.com wrote:
> From: Niklas Schnelle <schnelle@linux.ibm.com>
>
> BugLink: https://bugs.launchpad.net/bugs/1903682
>
> Under some circumstances in particular with "Reconfigure I/O Path"
> a zPCI function may first appear in Standby through a PCI event with
> PEC 0x0302 which initially makes it visible to the zPCI subsystem,
> Only after that is it configured with a zPCI event with PEC 0x0301.
> If the zbus is still missing a PCI function zero (devfn == 0) when the
> PCI event 0x0301 is handled zdev->zbus->bus is still NULL and gets
> dereferenced in common code.
> Check for this case and enable but don't scan the zPCI function.
> This matches what would happen if we immediately got the 0x0301
> configuration request or the function was included in CLP List PCI.
> In all cases the PCI functions with devfn != 0 will be scanned once
> function 0 appears.
>
> Fixes: 3047766bc6ec ("s390/pci: fix enabling a reserved PCI function")
> Cc: <stable@vger.kernel.org> # 5.8
> Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
> Acked-by: Pierre Morel <pmorel@linux.ibm.com>
> Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
> (cherry picked from commit 0b2ca2c7d0c9e2731d01b6c862375d44a7e13923)
> Signed-off-by: Frank Heimes <frank.heimes@canonical.com>

Clean upstream cherry pick that fixes a potential NULL pointer dereference.
Looks good to me.

Acked-by: Andrea Righi <andrea.righi@canonical.com>
diff --git a/arch/s390/pci/pci_event.c b/arch/s390/pci/pci_event.c index d9ae7456dd4c..40a569b548cc 100644 --- a/arch/s390/pci/pci_event.c +++ b/arch/s390/pci/pci_event.c @@ -101,6 +101,10 @@ static void __zpci_event_availability(struct zpci_ccdf_avail *ccdf) if (ret) break; + /* the PCI function will be scanned once function 0 appears */ + if (!zdev->zbus->bus) + break; + pdev = pci_scan_single_device(zdev->zbus->bus, zdev->devfn); if (!pdev) break;
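Review bot: The added `if (!zdev->zbus->bus)` check tests only the `bus` member, while `zdev->zbus` itself is still dereferenced unconditionally, both in the check and in the `pci_scan_single_device()` call that follows. If `zbus` is guaranteed to be set before this point in `__zpci_event_availability()`, a word in the comment saying so would help; otherwise it should be tested as well. The comment could also state that the function is deliberately left enabled when the scan is skipped, since the `break` sits after the `if (ret)` error check and "enable but don't scan" is the behaviour the commit message describes.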