From: Guixin Liu <kanie@linux.alibaba.com>
To: Andy Shevchenko <andriy.shevchenko@intel.com>
Cc: "Bjorn Helgaas" <bhelgaas@google.com>,
"Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>,
linux-pci@vger.kernel.org
Subject: Re: [PATCH v9 2/2] PCI: Check rom header and data structure addr before accessing
Date: Fri, 12 Dec 2025 09:58:48 +0800 [thread overview]
Message-ID: <22a877be-508c-4367-bdb0-617c5398ac60@linux.alibaba.com> (raw)
In-Reply-To: <aTrQJ3HuTIlpRwmO@smile.fi.intel.com>
在 2025/12/11 22:07, Andy Shevchenko 写道:
> On Thu, Dec 11, 2025 at 08:59:06PM +0800, Guixin Liu wrote:
>> We meet a crash when running stress-ng on x86_64 machine:
>>
>> BUG: unable to handle page fault for address: ffa0000007f40000
>> RIP: 0010:pci_get_rom_size+0x52/0x220
>> Call Trace:
>> <TASK>
>> pci_map_rom+0x80/0x130
>> pci_read_rom+0x4b/0xe0
>> kernfs_file_read_iter+0x96/0x180
>> vfs_read+0x1b1/0x300
>>
>> Our analysis reveals that the rom space's start address is
>> 0xffa0000007f30000, and size is 0x10000. Because of broken rom
>> space, before calling readl(pds), the pds's value is
>> 0xffa0000007f3ffff, which is already pointed to the rom space
>> end, invoking readl() would read 4 bytes therefore cause an
>> out-of-bounds access and trigger a crash.
>> Fix this by adding image header and data structure checking.
>>
>> We also found another crash on arm64 machine:
>>
>> Unable to handle kernel paging request at virtual address
>> ffff8000dd1393ff
>> Mem abort info:
>> ESR = 0x0000000096000021
>> EC = 0x25: DABT (current EL), IL = 32 bits
>> SET = 0, FnV = 0
>> EA = 0, S1PTW = 0
>> FSC = 0x21: alignment fault
>>
>> The call trace is the same with x86_64, but the crash reason is
>> that the data structure addr is not aligned with 4, and arm64
>> machine report "alignment fault". Fix this by adding alignment
>> checking.
> ...
>
>> +#include <linux/align.h>
>> #include <linux/bits.h>
>> -#include <linux/kernel.h>
>> #include <linux/export.h>
>> +#include <linux/io.h>
>> +#include <linux/kernel.h>
>> +#include <linux/overflow.h>
>> #include <linux/pci.h>
>> #include <linux/slab.h>
>> #include <linux/sizes.h>
> I would not touch kernel.h position in this patch. The real change (a third one
> if you wish to make that) should replace kernel.h with real includes, making it
> disappear. Now this move is unneeded churn.
>
OK, I will not touch kernel.h in v10.
Best Regards,
Guixin Liu
prev parent reply other threads:[~2025-12-12 1:58 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-11 12:59 [PATCH v9 0/2] PCI: Fix crash when access broken rom Guixin Liu
2025-12-11 12:59 ` [PATCH v9 1/2] PCI: Introduce named defines for pci rom Guixin Liu
2025-12-11 14:05 ` Andy Shevchenko
2025-12-12 1:57 ` Guixin Liu
2025-12-11 12:59 ` [PATCH v9 2/2] PCI: Check rom header and data structure addr before accessing Guixin Liu
2025-12-11 14:07 ` Andy Shevchenko
2025-12-12 1:58 ` Guixin Liu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=22a877be-508c-4367-bdb0-617c5398ac60@linux.alibaba.com \
--to=kanie@linux.alibaba.com \
--cc=andriy.shevchenko@intel.com \
--cc=bhelgaas@google.com \
--cc=ilpo.jarvinen@linux.intel.com \
--cc=linux-pci@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox