* [PATCH v3] PCI: pnv_php: Add null checks for OpenCAPI PHBs
@ 2026-06-09 8:49 Aditya Gupta
0 siblings, 0 replies; only message in thread
From: Aditya Gupta @ 2026-06-09 8:49 UTC (permalink / raw)
To: linux-kernel, linuxppc-dev, linux-pci, Madhavan Srinivasan,
Timothy Pearson, Bjorn Helgaas, Shawn Anastasio
Cc: Bjorn Helgaas, Michael Ellerman, Nicholas Piggin,
Christophe Leroy (CS GROUP), stable
For OpenCAPI phb direct slots, the .pdev for php_slots will be NULL
Various sections of the code in pnv_php can do a null dereference and
crash the kernel.
Originally, the issue was hit during boot:
PowerPC PowerNV PCI Hotplug Driver version: 0.1
BUG: Kernel NULL pointer dereference at 0x00000074
Faulting instruction address: 0xc000000000b75fd0
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV
...
NIP [c000000000b75fd0] pnv_php_get_adapter_state+0x60/0x154
LR [c000000000b75fbc] pnv_php_get_adapter_state+0x4c/0x154
Call Trace:
[c000c0000688f990] [c000000000b75fbc] pnv_php_get_adapter_state+0x4c/0x154 (unreliable)
[c000c0000688fa20] [c000000000b78bd0] pnv_php_enable+0x94/0x378
[c000c0000688fac0] [c000000000b7912c] pnv_php_register_one.isra.0+0x11c/0x1e0
This occurs for hotplug slots on root buses where bus->self == NULL,
such as OpenCAPI PHB direct slots. An added debug print (not part of
this patch) confirmed it was OpenCAPI:
pnv_php: slot 'OPENCAPI-0009' has NULL pdev (bus 0009:00, parent=NO (root bus))
pnv_php: slot 'OPENCAPI-0009' dn->full_name='pciex@603a000000000', compatible='ibm,power10-pau-opencapi-pciex'
This only required null check in 'pnv_php_get_adapter_state', which
caused the kernel to boot.
Even with 'pnv_php_get_adapter_state' null check, there are more
possible null dereferences pointed by sashiko, including cases where
userspace crashes the kernel, such as:
$ cat /sys/bus/pci/slots/*/attention
...
Kernel attempted to read user page (6e) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x0000006e
Faulting instruction address: 0xc000000000a83334
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV
...
[c000000046707a20] [c000000046707b90] 0xc000000046707b90 (unreliable)
[c000000046707a70] [0000000000000001] 0x1
[c000000046707ab0] [c000000000acb00c] attention_read_file+0x54/0xa8
[c000000046707b30] [c000000000abfbfc] pci_slot_attr_show+0x3c/0x58
[c000000046707b50] [c0000000008181ec] sysfs_kf_seq_show+0xd4/0x204
[c000000046707be0] [c000000000815004] kernfs_seq_show+0x44/0x58
Add null checks to prevent the null dereferences.
Cc: stable@vger.kernel.org
Fixes: 80f9fc236279 ("PCI: pnv_php: Work around switches with broken presence detection")
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
---
Changelog:
v3:
+ split the patch from v2 series, as it's independent
+ incorporate reviews from bjorn to improve the description
v2:
+ sashiko pointed out various pre-existing null pointer derefs, which
can give access to userspace to crash the kernel, fix them
---
---
drivers/pci/hotplug/pnv_php.c | 29 +++++++++++++++++++++++------
1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
index ff92a5c301b8..d0f5e8ad1f71 100644
--- a/drivers/pci/hotplug/pnv_php.c
+++ b/drivers/pci/hotplug/pnv_php.c
@@ -47,6 +47,9 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
struct pci_dev *pdev = php_slot->pdev;
u16 ctrl;
+ if (!pdev)
+ return;
+
if (php_slot->irq > 0) {
pcie_capability_read_word(pdev, PCI_EXP_SLTCTL, &ctrl);
ctrl &= ~(PCI_EXP_SLTCTL_HPIE |
@@ -414,7 +417,8 @@ static int pnv_php_get_adapter_state(struct hotplug_slot *slot, u8 *state)
*/
ret = pnv_pci_get_presence_state(php_slot->id, &presence);
if (ret >= 0) {
- if (pci_pcie_type(php_slot->pdev) == PCI_EXP_TYPE_DOWNSTREAM &&
+ if (php_slot->pdev &&
+ pci_pcie_type(php_slot->pdev) == PCI_EXP_TYPE_DOWNSTREAM &&
presence == OPAL_PCI_SLOT_EMPTY) {
/*
* Similar to pciehp_hpc, check whether the Link Active
@@ -442,6 +446,11 @@ static int pnv_php_get_raw_indicator_status(struct hotplug_slot *slot, u8 *state
struct pci_dev *bridge = php_slot->pdev;
u16 status;
+ if (!bridge) {
+ *state = 0;
+ return 0;
+ }
+
pcie_capability_read_word(bridge, PCI_EXP_SLTCTL, &status);
*state = (status & (PCI_EXP_SLTCTL_AIC | PCI_EXP_SLTCTL_PIC)) >> 6;
return 0;
@@ -514,11 +523,13 @@ static int pnv_php_activate_slot(struct pnv_php_slot *php_slot,
* fence / freeze.
*/
SLOT_WARN(php_slot, "Try %d...\n", i + 1);
- pci_set_pcie_reset_state(php_slot->pdev,
- pcie_warm_reset);
- msleep(250);
- pci_set_pcie_reset_state(php_slot->pdev,
- pcie_deassert_reset);
+ if (php_slot->pdev) {
+ pci_set_pcie_reset_state(php_slot->pdev,
+ pcie_warm_reset);
+ msleep(250);
+ pci_set_pcie_reset_state(php_slot->pdev,
+ pcie_deassert_reset);
+ }
ret = pnv_php_set_slot_power_state(
slot, OPAL_PCI_SLOT_POWER_ON);
@@ -911,6 +922,9 @@ pnv_php_detect_clear_suprise_removal_freeze(struct pnv_php_slot *php_slot)
struct eeh_pe *pe;
int i, rc;
+ if (!pdev)
+ return;
+
/*
* When a device is surprise removed from a downstream bridge slot,
* the upstream bridge port can still end up frozen due to related EEH
@@ -1093,6 +1107,9 @@ static void pnv_php_enable_irq(struct pnv_php_slot *php_slot)
struct pci_dev *pdev = php_slot->pdev;
int irq, ret;
+ if (!pdev)
+ return;
+
/*
* The MSI/MSIx interrupt might have been occupied by other
* drivers. Don't populate the surprise hotplug capability
--
2.54.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-06-09 8:50 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-09 8:49 [PATCH v3] PCI: pnv_php: Add null checks for OpenCAPI PHBs Aditya Gupta
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox