From: sashiko-bot@kernel.org
To: "Gerd Bayer" <gbayer@linux.ibm.com>
Cc: linux-pci@vger.kernel.org
Subject: Re: [PATCH 3/5] powerpc/pci: Use official API to iterate over PCI buses
Date: Fri, 15 May 2026 15:31:59 +0000 [thread overview]
Message-ID: <20260515153200.5348CC2BCC9@smtp.kernel.org> (raw)
In-Reply-To: <20260515-priv_root_buses-v1-3-f8e393c57390@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Iterating over PCI buses inside the `pciconfig_iobase` syscall using `pci_find_next_bus()` is vulnerable to Use-After-Free (UAF) due to concurrent PCI hot-remove.
--
commit 84b1457ab2cb35e500a53ad0e4cc8f1330b88073
Author: Gerd Bayer <gbayer@linux.ibm.com>
powerpc/pci: Use official API to iterate over PCI buses
Replace iterating over pci_root_buses with the official
pci_find_next_bus() call provided by PCI core. This allows to make
pci_root_buses private to PCI core.
[ ... ]
> diff --git a/arch/powerpc/kernel/pci_64.c b/arch/powerpc/kernel/pci_64.c
> index e27342ef128b8..f816d063b984e 100644
> --- a/arch/powerpc/kernel/pci_64.c
> +++ b/arch/powerpc/kernel/pci_64.c
> @@ -248,7 +248,7 @@ SYSCALL_DEFINE3(pciconfig_iobase, long, which, unsigned long, in_bus,
> * used on pre-domains setup. We return the first match
> */
>
> - list_for_each_entry(tmp_bus, &pci_root_buses, node) {
> + while ((tmp_bus = pci_find_next_bus(tmp_bus)) != NULL) {
> if (in_bus >= tmp_bus->number &&
> in_bus <= tmp_bus->busn_res.end) {
> bus = tmp_bus;
While the previous list_for_each_entry loop was also unprotected against
concurrent hot-removes, does the new pci_find_next_bus() loop still leave a
vulnerability to a use-after-free?
Since pciconfig_iobase is a syscall, it can execute concurrently with PCI
hotplug operations. The pci_find_next_bus() helper acquires and drops
pci_bus_sem internally, returning an unreferenced struct pci_bus pointer.
If a concurrent root bus hot-remove frees tmp_bus immediately after
pci_find_next_bus() releases the semaphore, wouldn't the accesses to
tmp_bus->number and tmp_bus->busn_res.end evaluate freed memory?
Furthermore, if the loop continues, could passing the freed pointer back into
pci_find_next_bus() cause a crash when it evaluates from->node.next?
Would it be appropriate to hold pci_lock_rescan_remove() or acquire a reference
while traversing the buses here?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260515-priv_root_buses-v1-0-f8e393c57390@linux.ibm.com?part=3
next prev parent reply other threads:[~2026-05-15 15:32 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-15 14:22 [PATCH 0/5] PCI: Finally make pci_root_buses private Gerd Bayer
2026-05-15 14:22 ` [PATCH 1/5] alpha/pci: Use official API to iterate over PCI buses Gerd Bayer
2026-05-15 14:22 ` [PATCH 2/5] arm/pci: " Gerd Bayer
2026-05-15 14:59 ` sashiko-bot
2026-05-15 14:22 ` [PATCH 3/5] powerpc/pci: " Gerd Bayer
2026-05-15 15:31 ` sashiko-bot [this message]
2026-05-15 14:22 ` [PATCH 4/5] x86/pci: " Gerd Bayer
2026-05-15 15:13 ` Dave Hansen
2026-05-15 14:22 ` [PATCH 5/5] PCI: Make pci_root_buses private to PCI core Gerd Bayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260515153200.5348CC2BCC9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=gbayer@linux.ibm.com \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox