Re: [PATCH 1/2] Fix pointer dereference before call to pcie_bus_configure_settings

Re: [PATCH 1/2] Fix pointer dereference before call to pcie_bus_configure_settings

[Linus Torvalds]

Jon Mason,
 I just noticed that you had just an "Acked-by:" on this one. It
really should be a "Signed-off-by:" since it's passing through you.
Can I get that?

Also, the commit message is a bit unclear. "introduces a few issues"?
Can you guys elaborate on details? Oopses? Not being able to find
devices? What?

                       Linus

On Thu, Sep 8, 2011 at 2:41 PM, Jon Mason <mason@myri.com> wrote:
> From: Shyam Iyer <shyam.iyer.t@gmail.com>
>
> Commit b03e7495a862b028294f59fc87286d6d78ee7fa1 introduces a few issues by dereferencing bus->self in the call to pcie_bus_configure_settings.
>
> This fixes it by checking existence of bus->self before dereferencing it.
>
> Reported-by: Stanislaw Gruszka <sgruszka@redhat.com>
> Signed-off-by: Shyam Iyer <shyam_iyer@dell.com>
> Acked-by: Jon Mason <mason@myri.com>
> ---
>  arch/x86/pci/acpi.c              |    9 +++++++--
>  drivers/pci/hotplug/pcihp_slot.c |    4 +++-
>  drivers/pci/probe.c              |    3 ---
>  3 files changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
> index c953302..039d913 100644
> --- a/arch/x86/pci/acpi.c
> +++ b/arch/x86/pci/acpi.c
> @@ -365,8 +365,13 @@ struct pci_bus * __devinit pci_acpi_scan_root(struct acpi_pci_root *root)
>         */
>        if (bus) {
>                struct pci_bus *child;
> -               list_for_each_entry(child, &bus->children, node)
> -                       pcie_bus_configure_settings(child, child->self->pcie_mpss);
> +               list_for_each_entry(child, &bus->children, node) {
> +                       struct pci_dev *self = child->self;
> +                       if (!self)
> +                               continue;
> +
> +                       pcie_bus_configure_settings(child, self->pcie_mpss);
> +               }
>        }
>
>        if (!bus)
> diff --git a/drivers/pci/hotplug/pcihp_slot.c b/drivers/pci/hotplug/pcihp_slot.c
> index 753b21a..3ffd9c1 100644
> --- a/drivers/pci/hotplug/pcihp_slot.c
> +++ b/drivers/pci/hotplug/pcihp_slot.c
> @@ -169,7 +169,9 @@ void pci_configure_slot(struct pci_dev *dev)
>                        (dev->class >> 8) == PCI_CLASS_BRIDGE_PCI)))
>                return;
>
> -       pcie_bus_configure_settings(dev->bus, dev->bus->self->pcie_mpss);
> +       if (dev->bus && dev->bus->self)
> +               pcie_bus_configure_settings(dev->bus,
> +                                           dev->bus->self->pcie_mpss);
>
>        memset(&hpp, 0, sizeof(hpp));
>        ret = pci_get_hp_params(dev, &hpp);
> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index 8473727..0820fc1 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
> @@ -1456,9 +1456,6 @@ void pcie_bus_configure_settings(struct pci_bus *bus, u8 mpss)
>  {
>        u8 smpss = mpss;
>
> -       if (!bus->self)
> -               return;
> -
>        if (!pci_is_pcie(bus->self))
>                return;
>
> --
> 1.7.6
>
>

[PATCH 1/2] Fix pointer dereference before call to pcie_bus_configure_settings

[Jon Mason]

There is a potential NULL pointer dereference in calls to
pcie_bus_configure_settings due to attempts to access pci_bus self
variables when the self pointer is NULL.  To correct this, verify that
the self pointer in pci_bus is non-NULL before dereferencing it.
    
Reported-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Shyam Iyer <shyam_iyer@dell.com>
Signed-off-by: Jon Mason <mason@myri.com>

diff --git a/arch/x86/pci/acpi.c b/arch/x86/pci/acpi.c
index c953302..039d913 100644
--- a/arch/x86/pci/acpi.c
+++ b/arch/x86/pci/acpi.c
@@ -365,8 +365,13 @@ struct pci_bus * __devinit pci_acpi_scan_root(struct acpi_pci_root *root)
 	 */
 	if (bus) {
 		struct pci_bus *child;
-		list_for_each_entry(child, &bus->children, node)
-			pcie_bus_configure_settings(child, child->self->pcie_mpss);
+		list_for_each_entry(child, &bus->children, node) {
+			struct pci_dev *self = child->self;
+			if (!self)
+				continue;
+
+			pcie_bus_configure_settings(child, self->pcie_mpss);
+		}
 	}
 
 	if (!bus)
diff --git a/drivers/pci/hotplug/pcihp_slot.c b/drivers/pci/hotplug/pcihp_slot.c
index 753b21a..3ffd9c1 100644
--- a/drivers/pci/hotplug/pcihp_slot.c
+++ b/drivers/pci/hotplug/pcihp_slot.c
@@ -169,7 +169,9 @@ void pci_configure_slot(struct pci_dev *dev)
 			(dev->class >> 8) == PCI_CLASS_BRIDGE_PCI)))
 		return;
 
-	pcie_bus_configure_settings(dev->bus, dev->bus->self->pcie_mpss);
+	if (dev->bus && dev->bus->self)
+		pcie_bus_configure_settings(dev->bus,
+					    dev->bus->self->pcie_mpss);
 
 	memset(&hpp, 0, sizeof(hpp));
 	ret = pci_get_hp_params(dev, &hpp);
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 8473727..0820fc1 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1456,9 +1456,6 @@ void pcie_bus_configure_settings(struct pci_bus *bus, u8 mpss)
 {
 	u8 smpss = mpss;
 
-	if (!bus->self)
-		return;
-
 	if (!pci_is_pcie(bus->self))
 		return;
 

Re: [PATCH 1/2] Fix pointer dereference before call to pcie_bus_configure_settings

[Linus Torvalds]

On Fri, Sep 9, 2011 at 5:59 PM, Jon Mason <mason@myri.com> wrote:
>
> There is a potential NULL pointer dereference in calls to
> pcie_bus_configure_settings due to attempts to access pci_bus self
> variables when the self pointer is NULL.  To correct this, verify that
> the self pointer in pci_bus is non-NULL before dereferencing it.

Thanks,

               Linus