public inbox for linux-pci@vger.kernel.org
From: Lukas Wunner <lukas@wunner.de>
To: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>,
	Dennis Wassenberg <Dennis.Wassenberg@secunet.com>,
	Rafael Wysocki <rafael@kernel.org>,
	Alex Williamson <alex.williamson@redhat.com>,
	linux-pci@vger.kernel.org, Keith Busch <kbusch@kernel.org>,
	Ilpo Jarvinen <ilpo.jarvinen@linux.intel.com>,
	Jonathan Cameron <Jonathan.Cameron@huawei.com>,
	Mathias Krause <minipli@grsecurity.net>,
	Mark Pearson <mpearson-lenovo@squebb.ca>,
	Stuart Hayes <stuart.w.hayes@gmail.com>
Subject: Re: [PATCH] PCI: Fix use-after-free of slot->bus on hot remove
Date: Fri, 11 Oct 2024 12:12:39 +0200
Message-ID: <Zwj6Fycjyp6jlgY5@wunner.de>
In-Reply-To: <20241011054115.GG275077@black.fi.intel.com>

On Fri, Oct 11, 2024 at 08:41:15AM +0300, Mika Westerberg wrote:
> On Thu, Oct 10, 2024 at 07:10:34PM +0200, Lukas Wunner wrote:
> > Dennis reports a boot crash on recent Lenovo laptops with a USB4 dock.
> > 
> > Since commit 0fc70886569c ("thunderbolt: Reset USB4 v2 host router") and
> > commit 59a54c5f3dbd ("thunderbolt: Reset topology created by the boot
> > firmware"), USB4 v2 and v1 Host Routers are reset on probe of the
> > thunderbolt driver.
> > 
> > The reset clears the Presence Detect State and Data Link Layer Link Active
> > bits at the USB4 Host Router's Root Port and thus causes hot removal of
> > the dock.
> 
> Can't this also happen by simply unplugging at some part of the PCIe topology?
> I don't think this is specific to TB/USB4.

The crash seems to occur because the boot-time invocation of
pci_bus_add_devices() races with pciehp's pci_stop_and_remove_bus_device().

In principle, yes, on a non-USB4 system you could unplug the dock exactly
when pci_bus_add_devices() is running and cause the same crash, even though
the Host Router is not reset.  But that's very hard to reproduce.
You need to unplug at just the right moment.

In this case however the reset of the Host Router seems to reliably
reproduce the conditions to cause the crash, so I thought it's worth
calling that out explicitly.  USB4 Host Routers are readily available
in the field and becoming more and more commonplace, so chances that
users experience the crash are high -- specifically if they're booting
a USB4 system with attached Thunderbolt devices.

Thanks,

Lukas

Thread overview: 5+ messages
2024-10-10 17:10 [PATCH] PCI: Fix use-after-free of slot->bus on hot remove Lukas Wunner
2024-10-11  5:41 ` Mika Westerberg
2024-10-11 10:12   ` Lukas Wunner [this message]
2024-10-11 10:55     ` Mika Westerberg
2024-10-30 21:35 ` Bjorn Helgaas
