From: Andrew Donnellan <ajd@linux.ibm.com>
To: Russell Currey <ruscur@russell.cc>, linuxppc-dev@lists.ozlabs.org
Cc: Nageswara R Sastry <rnsastry@linux.ibm.com>
Subject: Re: [PATCH] powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
Date: Wed, 22 Mar 2023 17:18:52 +1100
Message-ID: <d6b00ea8c9282434ad5bed97fe567e91f847a4ac.camel@linux.ibm.com>
In-Reply-To: <20230322035322.328709-1-ruscur@russell.cc>

On Wed, 2023-03-22 at 14:53 +1100, Russell Currey wrote:
> fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both
> PCI and VIO buses.  struct notifier_block is a linked list node, so this
> causes any notifiers later registered to either bus type to also be
> registered to the other since they share the same node.
> 
> This causes issues in (at least) the vgaarb code, which registers a
> notifier for PCI buses.  pci_notify() ends up being called on a vio
> device, converted with to_pci_dev() even though it's not a PCI device,
> and finally makes a bad access in vga_arbiter_add_pci_device() as
> discovered with KASAN:
> 
>  BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00
>  Read of size 4 at addr c000000264c26fdc by task swapper/0/1
> 
>  Call Trace:
>  [c000000263607520] [c000000010f7023c] dump_stack_lvl+0x1bc/0x2b8 (unreliable)
>  [c000000263607560] [c00000000f142a64] print_report+0x3f4/0xc60
>  [c000000263607640] [c00000000f142144] kasan_report+0x244/0x698
>  [c000000263607740] [c00000000f1460e8] __asan_load4+0xe8/0x250
>  [c000000263607760] [c00000000ff4b850] vga_arbiter_add_pci_device+0x60/0xe00
>  [c000000263607850] [c00000000ff4c678] pci_notify+0x88/0x444
>  [c0000002636078b0] [c00000000e94dfc4] notifier_call_chain+0x104/0x320
>  [c000000263607950] [c00000000e94f050] blocking_notifier_call_chain+0xa0/0x140
>  [c000000263607990] [c0000000100cb3b8] device_add+0xac8/0x1d30
>  [c000000263607aa0] [c0000000100ccd98] device_register+0x58/0x80
>  [c000000263607ad0] [c00000000e84247c] vio_register_device_node+0x9ac/0xce0
>  [c000000263607ba0] [c0000000126c95d8] vio_bus_scan_register_devices+0xc4/0x13c
>  [c000000263607bd0] [c0000000126c96e4] __machine_initcall_pseries_vio_device_init+0x94/0xf0
>  [c000000263607c00] [c00000000e69467c] do_one_initcall+0x12c/0xaa8
>  [c000000263607cf0] [c00000001268b8a8] kernel_init_freeable+0xa48/0xba8
>  [c000000263607dd0] [c00000000e695f24] kernel_init+0x64/0x400
>  [c000000263607e50] [c00000000e68e0e4] ret_from_kernel_thread+0x5c/0x64
> 
> Fix this by creating separate notifier_block structs for each bus type.
> 
> Fixes: d6b9a81b2a45 ("powerpc: IOMMU fault injection")
> Reported-by: Nageswara R Sastry <rnsastry@linux.ibm.com>
> Signed-off-by: Russell Currey <ruscur@russell.cc>

Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>


-- 
Andrew Donnellan    OzLabs, ADL Canberra
ajd@linux.ibm.com   IBM Australia Limited
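
The list-sharing effect described in the quoted commit message, as an added example that is not part of this thread or the kernel source. It is a simplified user-space model of notifier chain registration; the struct layout, function names and string labels are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of struct notifier_block: the node embeds its own link. */
struct notifier_block {
	const char *name;               /* stands in for the notifier_call pointer */
	struct notifier_block *next;
	int priority;
};

/* Priority-ordered insert, modelled on kernel notifier chain registration. */
static void chain_register(struct notifier_block **nl, struct notifier_block *n)
{
	while (*nl != NULL && n->priority <= (*nl)->priority)
		nl = &(*nl)->next;
	n->next = *nl;
	*nl = n;
}

/* Returns 1 if a notifier labelled `name` is reachable from this chain head. */
static int chain_contains(struct notifier_block *head, const char *name)
{
	for (; head != NULL; head = head->next)
		if (strcmp(head->name, name) == 0)
			return 1;
	return 0;
}

/* shared != 0: one node on both buses (the bug); 0: one node per bus (the fix).
 * Returns 1 if the PCI-only notifier ends up reachable from the VIO chain. */
int pci_notifier_leaks_to_vio(int shared)
{
	struct notifier_block *pci_chain = NULL, *vio_chain = NULL;
	struct notifier_block fail_pci = { "fail_iommu", NULL, 0 };
	struct notifier_block fail_vio = { "fail_iommu", NULL, 0 };
	struct notifier_block vga = { "pci_notify", NULL, 0 };

	chain_register(&pci_chain, &fail_pci);
	chain_register(&vio_chain, shared ? &fail_pci : &fail_vio);
	chain_register(&pci_chain, &vga);   /* later, PCI-only registration */
	return chain_contains(vio_chain, "pci_notify");
}

int main(void)
{
	printf("shared node:    leak=%d\n", pci_notifier_leaks_to_vio(1));
	printf("separate nodes: leak=%d\n", pci_notifier_leaks_to_vio(0));
	return 0;
}
```

With the shared node, the later PCI registration is linked through the node that the VIO chain head also points to, so walking the VIO chain reaches the PCI callback.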
