Re: UAF during boot on MTL based devices with attached dock

public inbox for linux-pci@vger.kernel.org
 help / color / mirror / Atom feed

From: Lukas Wunner <lukas@wunner.de>
To: "Wassenberg, Dennis" <Dennis.Wassenberg@secunet.com>
Cc: "linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>,
	"kbusch@kernel.org" <kbusch@kernel.org>,
	"mika.westerberg@linux.intel.com"
	<mika.westerberg@linux.intel.com>,
	"mpearson-lenovo@squebb.ca" <mpearson-lenovo@squebb.ca>
Subject: Re: UAF during boot on MTL based devices with attached dock
Date: Tue, 24 Sep 2024 10:54:58 +0200	[thread overview]
Message-ID: <ZvJ-Yhidtc4IlU6P@wunner.de> (raw)
In-Reply-To: <6de4b45ff2b32dd91a805ec02ec8ec73ef411bf6.camel@secunet.com>

On Thu, Sep 19, 2024 at 08:06:03AM +0000, Wassenberg, Dennis wrote:
> We want to boot up an Intel MeteorLake based system (e.g. Lenovo
> ThinkPad X13 Gen5) with the Lenovo Thunderbolt 4 universal dock
> attached during boot.
[...]
> 0000:00 [root bus]
>       -> 0000:00:07.0 [bridge to 20-49]
>                      -> 0000:20:00.0 [bridge to 21-49]
>                                     -> 0000:21:00.0 [bridge to 22]
>                                        0000:21:01.0 [bridge to 23-2e]
>                                        0000:21:02.0 [bridge to 2f-3a]
>                                        0000:21:03.0 [bridge to 3b-48]
>                                        0000:21:04.0 [bridge to 49]
>          0000:00:07.2 [bridge to 50-79]

The kernel oopses in kthread irq/156-pciehp.  That belongs to
the Root Port 0000:00:07.0, as is evident from...

    [   12.850063] pcieport 0000:00:07.0: PME: Signaling with IRQ 156

...because PME and hotplug share the same interrupt.

What happens here is that pciehp checks on probe whether the slot is
not occupied (neither link nor presence bits set in config space)
but is in ON_STATE (the list subordinate->devices is non-empty,
see pcie_init()).

pciehp then synthesizes a Presence Detect Changed event to bring the
slot down, i.e. de-enumerate the device in the purportedly non-occupied
slot:

pciehp_probe()
  pciehp_check_presence()
    pciehp_request(ctrl, PCI_EXP_SLTSTA_PDC)

Corresponding messages:

    [   12.850866] pcieport 0000:00:07.0: pciehp: pciehp_check_link_active: lnk_status = 5041

Bit 13 in the Link Status register is not set (Data Link Layer Link Active).

    [   12.850880] pcieport 0000:00:07.0: pciehp: Slot(12): Card not present

Synthesize Presence Detect Changed event

    [   12.850887] pcieport 0000:00:07.0: pciehp: pciehp_unconfigure_device: domain:bus:dev = 0000:20:00

De-enumerate child device.

We need to find out why the oops occurs for sure, and it's good that
you found it and are able to reproduce it.  But the reason you're
seeing this on some devices and not on others is likely that the
Meteor Lake CPU oddly reports presence and link down even though
there's a device attached which is apparently accessible just fine.

Not sure if that's a hardware erratum in Meteor Lake or a BIOS issue.

I'll need some more time to root cause the oops.  Sorry for the delay,
everyone is still decompressing after Plumbers last week.

Thanks,

Lukas

     prev parent reply	other threads:[~2024-09-24  8:55 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-19  8:06 UAF during boot on MTL based devices with attached dock Wassenberg, Dennis
2024-09-21  9:08 ` Ilpo Järvinen
2024-09-23  8:38   ` Wassenberg, Dennis
2024-09-23  4:41 ` mika.westerberg
2024-09-23  8:43   ` Wassenberg, Dennis
2024-09-23 11:17     ` mika.westerberg
2024-09-23 13:42       ` Wassenberg, Dennis
2024-09-23 12:23 ` Wassenberg, Dennis
2024-09-24 10:51   ` Ilpo Järvinen
2024-09-25 15:38     ` Wassenberg, Dennis
2024-09-26 13:58       ` Ilpo Järvinen
2024-10-07 16:34         ` Wassenberg, Dennis
2024-10-03 13:46       ` Lukas Wunner
2024-10-04  7:45         ` Lukas Wunner
2024-10-07 16:49           ` Wassenberg, Dennis
2024-10-08 13:58             ` Lukas Wunner
2024-10-08 16:37               ` mika.westerberg
2024-10-08 18:23                 ` Lukas Wunner
2024-10-09  4:44                   ` mika.westerberg
2024-10-09 11:47                     ` Lukas Wunner
2024-10-09 12:55                       ` mika.westerberg
2024-10-09  6:26               ` Wassenberg, Dennis
2024-10-07 16:20         ` Wassenberg, Dennis
2024-09-24  8:54 ` Lukas Wunner [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZvJ-Yhidtc4IlU6P@wunner.de \
    --to=lukas@wunner.de \
    --cc=Dennis.Wassenberg@secunet.com \
    --cc=kbusch@kernel.org \
    --cc=linux-pci@vger.kernel.org \
    --cc=mika.westerberg@linux.intel.com \
    --cc=mpearson-lenovo@squebb.ca \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox