From: Bjorn Helgaas <helgaas@kernel.org>
To: Aditya Gupta <adityag@linux.ibm.com>
Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
	Madhavan Srinivasan <maddy@linux.ibm.com>,
	Timothy Pearson <tpearson@raptorengineering.com>,
	Bjorn Helgaas <bhelgaas@google.com>,
	Shawn Anastasio <sanastasio@raptorengineering.com>,
	sashiko-bot@kernel.org, linux-pci@vger.kernel.org,
	Michael Ellerman <mpe@ellerman.id.au>,
	Nicholas Piggin <npiggin@gmail.com>,
	"Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
	stable@vger.kernel.org
Subject: Re: [PATCH v2 1/3] ppc/pnv: Add null checks for OpenCapi PHBs
Date: Mon, 8 Jun 2026 10:39:48 -0500
Message-ID: <20260608153948.GA36499@bhelgaas>
In-Reply-To: <20260527180816.2749186-2-adityag@linux.ibm.com>

On Wed, May 27, 2026 at 11:38:14PM +0530, Aditya Gupta wrote:
> For opencapi phb direct slots, the .pdev for php_slots will be NULL.
> 
> Various sections of the code in pnv_php can do a null dereference and
> crash the kernel.
> 
> Originally, the issue was hit during boot:
> 
>     [    1.568588] PowerPC PowerNV PCI Hotplug Driver version: 0.1
>     [    1.569722] BUG: Kernel NULL pointer dereference at 0x00000074
>     [    1.569811] Faulting instruction address: 0xc000000000b75fd0
>     [    1.569890] Oops: Kernel access of bad area, sig: 11 [#1]
>     [    1.569963] LE PAGE_SIZE=64K MMU=Hash  SMP NR_CPUS=2048 NUMA PowerNV
>     ...
>     [    1.571492] NIP [c000000000b75fd0] pnv_php_get_adapter_state+0x60/0x154
>     [    1.571604] LR [c000000000b75fbc] pnv_php_get_adapter_state+0x4c/0x154
>     [    1.571690] Call Trace:
>     [    1.571725] [c000c0000688f990] [c000000000b75fbc] pnv_php_get_adapter_state+0x4c/0x154 (unreliable)
>     [    1.571783] [c000c0000688fa20] [c000000000b78bd0] pnv_php_enable+0x94/0x378
>     [    1.571951] [c000c0000688fac0] [c000000000b7912c] pnv_php_register_one.isra.0+0x11c/0x1e0

Drop timestamps since they don't add useful information.

Indent quoted material by two spaces to reduce wrapping.

Run "git log --oneline drivers/pci/hotplug/pnv_php.c" and "git log
--oneline drivers/pci/hotplug/" and match subject line style.

> This occurs for hotplug slots on root buses where bus->self == NULL,
> such as OpenCAPI PHB direct slots. An added debug print (not part of
> this patch) confirmed it was opencapi:

Style "OpenCAPI" and "PHB" consistently in commit log and subject.

>     [    1.617227] pnv_php: slot 'OPENCAPI-0009' has NULL pdev (bus 0009:00, parent=NO (root bus))
>     [    1.617308] pnv_php: slot 'OPENCAPI-0009' dn->full_name='pciex@603a000000000', compatible='ibm,power10-pau-opencapi-pciex'
> 
> This only required a null check in 'pnv_php_get_adapter_state', which
> caused the kernel to boot.
> 
> Even with the 'pnv_php_get_adapter_state' null check, there are more
> possible null dereferences pointed out by sashiko, including cases where
> userspace crashes the kernel, such as:
> 
>     $ cat /sys/bus/pci/slots/*/attention
>     ...
>     [  557.036295] Kernel attempted to read user page (6e) - exploit attempt? (uid: 0)
>     [  557.036354] BUG: Kernel NULL pointer dereference on read at 0x0000006e
>     [  557.036383] Faulting instruction address: 0xc000000000a83334
>     [  557.036413] Oops: Kernel access of bad area, sig: 11 [#1]
>     [  557.036449] LE PAGE_SIZE=64K MMU=Hash  SMP NR_CPUS=2048 NUMA PowerNV
>     ...
>     [  557.037749] [c000000046707a20] [c000000046707b90] 0xc000000046707b90 (unreliable)
>     [  557.037795] [c000000046707a70] [0000000000000001] 0x1
>     [  557.037850] [c000000046707ab0] [c000000000acb00c] attention_read_file+0x54/0xa8
>     [  557.037910] [c000000046707b30] [c000000000abfbfc] pci_slot_attr_show+0x3c/0x58
>     [  557.037977] [c000000046707b50] [c0000000008181ec] sysfs_kf_seq_show+0xd4/0x204
>     [  557.038022] [c000000046707be0] [c000000000815004] kernfs_seq_show+0x44/0x58
> 
> Add null checks to prevent the null dereferences.
> 
> Cc: stable@vger.kernel.org
> Fixes: 80f9fc236279 ("PCI: pnv_php: Work around switches with broken presence detection")
> Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>

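The failure mode the quoted report describes (a slot registered on a root bus, where bus->self is NULL, so the slot's pdev is NULL and a sysfs attribute read dereferences it), as a constructed user-space C model added here. It is not the pnv_php driver's code; every model_* type and function is an assumption standing in for the driver's real ones, and the hardened read shows the shape of check the patch series adds.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed user-space model of the report, not the pnv_php driver's
 * own types. A root bus has no bridge device behind it, so bus->self is
 * NULL there, and a slot registered on such a bus gets pdev == NULL. */
struct model_pci_dev { int attention; };
struct model_pci_bus { struct model_pci_dev *self; };
struct model_slot { struct model_pci_dev *pdev; };

static void model_register_slot(struct model_slot *s, struct model_pci_bus *bus)
{
	s->pdev = bus->self; /* NULL for a direct PHB slot on a root bus */
}

/* Sysfs-style attribute read. The pre-fix shape is just
 * "return s->pdev->attention;", the NULL dereference seen in the oops;
 * here a slot without a pdev reports -ENODEV instead of faulting. */
static int model_attention_read(const struct model_slot *s)
{
	if (!s->pdev)
		return -ENODEV;
	return s->pdev->attention;
}

/* Two scenarios with constructed values: a slot behind a bridge, and a
 * direct slot on a root bus. */
static int model_bridged_slot_read(void)
{
	struct model_pci_dev bridge = { .attention = 1 };
	struct model_pci_bus bus = { .self = &bridge };
	struct model_slot slot;
	model_register_slot(&slot, &bus);
	return model_attention_read(&slot);
}

static int model_root_slot_read(void)
{
	struct model_pci_bus root = { .self = NULL };
	struct model_slot slot;
	model_register_slot(&slot, &root);
	return model_attention_read(&slot);
}

int main(void)
{
	printf("bridged slot: %d\n", model_bridged_slot_read());
	printf("root-bus slot: %d (-ENODEV is %d)\n", model_root_slot_read(), -ENODEV);
	return 0;
}
```

The root-bus case returns -ENODEV without touching pdev; the bridged case still reads the attention value through the same path.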

Thread overview: 9+ messages
2026-05-27 18:08 [PATCH v2 0/3] ppc/pnv: Fix panics and refactor pnv_php.c Aditya Gupta
2026-05-27 18:08 ` [PATCH v2 1/3] ppc/pnv: Add null checks for OpenCapi PHBs Aditya Gupta
2026-05-27 19:34   ` sashiko-bot
2026-06-08 15:39   ` Bjorn Helgaas [this message]
2026-06-09  8:51     ` Aditya Gupta
2026-05-27 18:08 ` [PATCH v2 2/3] ppc/pnv: Refactor PNV PCI hotplug driver Aditya Gupta
2026-05-27 20:00   ` sashiko-bot
2026-05-27 18:08 ` [PATCH v2 3/3] ppc/pnv: Refactor PNV PCI Hotplug to group PCIe functions Aditya Gupta
2026-05-27 20:26   ` sashiko-bot
