From: Lukas Wunner <lukas@wunner.de>
To: Ricky WU <ricky_wu@realtek.com>
Cc: Kai-Heng Feng <kai.heng.feng@canonical.com>,
"bhelgaas@google.com" <bhelgaas@google.com>,
"linux-pm@vger.kernel.org" <linux-pm@vger.kernel.org>,
"linux-mmc@vger.kernel.org" <linux-mmc@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Tony Luck <tony.luck@intel.com>,
"Guilherme G. Piccoli" <gpiccoli@igalia.com>,
"linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] PCI: pciehp: Prevent child devices from doing RPM on PCIe Link Down
Date: Wed, 18 Oct 2023 11:44:35 +0200 [thread overview]
Message-ID: <20231018094435.GA21090@wunner.de> (raw)
In-Reply-To: <263982e90fc046cf977ecb8727003690@realtek.com>
[cc -= unrelated mailing lists bpf, kernel-hardening]
On Tue, Oct 17, 2023 at 10:25:39AM +0000, Ricky WU wrote:
> > On Mon, Oct 16, 2023 at 12:01:31PM +0800, Kai-Heng Feng wrote:
> > > When inserting an SD7.0 card to Realtek card reader, it can trigger
> > > PCI slot Link down and causes the following error:
> >
> > Why does *inserting* a card cause a Link Down?
> >
> >
> > > [ 63.898861] pcieport 0000:00:1c.0: pciehp: Slot(8): Link Down
> > > [ 63.912118] BUG: unable to handle page fault for address:
> > ffffb24d403e5010
> > [...]
> > > [ 63.912198] ? asm_exc_page_fault+0x27/0x30
> > > [ 63.912203] ? ioread32+0x2e/0x70
> > > [ 63.912206] ? rtsx_pci_write_register+0x5b/0x90 [rtsx_pci]
> > > [ 63.912217] rtsx_set_l1off_sub+0x1c/0x30 [rtsx_pci]
> > > [ 63.912226] rts5261_set_l1off_cfg_sub_d0+0x36/0x40 [rtsx_pci]
> > > [ 63.912234] rtsx_pci_runtime_idle+0xc7/0x160 [rtsx_pci]
> > > [ 63.912243] ? __pfx_pci_pm_runtime_idle+0x10/0x10
> > > [ 63.912246] pci_pm_runtime_idle+0x34/0x70
> > > [ 63.912248] rpm_idle+0xc4/0x2b0
> > > [ 63.912251] pm_runtime_work+0x93/0xc0
> > > [ 63.912254] process_one_work+0x21a/0x430
> > > [ 63.912258] worker_thread+0x4a/0x3c0
> >
> > This looks like pcr->remap_addr is accessed after it has been iounmap'ed in
> > rtsx_pci_remove() or before it has been iomap'ed in rtsx_pci_probe().
> >
> > Is the card reader itself located below a hotplug port and unplugged here?
>
> Yes it is card reader unplug itself, because sd7.0 card is not used
> rtsx_pcr, it use nvme driver
I can only guess here as the dmesg and lspci output I requested
hasn't been provided:
I assume that this card reader may contain a PCIe switch with a
regular SD card reader below a first Downstream Port (which is
hotplug-capable). If an SD express card is inserted, the regular
SD card reader disappears from the Downstream Port and the
inserted card appears as an NVMe drive (possibly below a
second Downstream Port, or below the first Downstream Port).
The commit message is somewhat misleading in that it links the
unhandled page fault to card insertion. That may be the trigger,
but the root cause appears to be that a runtime PM request is
performed asynchronously after the SD card reader has iounmap'ed
pcr->remap_addr.
If that is indeed the root cause (as I suspect), the fix needs to
be placed somewhere else.
pciehp is only one of several hotplug drivers and fixing this only
in pciehp may leave the other hotplug drivers vulnerable to the same
issue.
Unfortunately the information provided so far is insufficient to
recommend a better fix. It would be necessary to debug why the
asynchronous RPM request is not canceled even though rtsx_pci_remove()
runtime resumes the device before iounmap'ing pcr->remap_addr.
Perhaps there's a bug in runtime PM code that causes asynchronous
requests to not be canceled upon a pm_runtime_get_sync()?
Or perhaps a wmb() is necessary in pci_device_remove() after setting
pci_dev->driver = NULL?
Thanks,
Lukas
next prev parent reply other threads:[~2023-10-18 9:44 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-16 4:01 [PATCH] PCI: pciehp: Prevent child devices from doing RPM on PCIe Link Down Kai-Heng Feng
2023-10-16 9:32 ` Lukas Wunner
2023-10-17 4:35 ` Kai-Heng Feng
2023-10-17 5:44 ` Ricky WU
2023-10-17 7:10 ` Lukas Wunner
2023-10-17 7:13 ` Lukas Wunner
2023-10-17 10:25 ` Ricky WU
2023-10-18 9:44 ` Lukas Wunner [this message]
2023-10-19 1:49 ` Ricky WU
2023-10-19 14:35 ` Lukas Wunner
2023-11-08 10:29 ` Kai-Heng Feng
2023-11-10 2:26 ` Ricky WU
2023-11-10 2:41 ` Ricky WU
2023-11-16 5:22 ` Kai-Heng Feng
2023-11-29 2:11 ` Ricky WU
2023-10-19 1:06 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231018094435.GA21090@wunner.de \
--to=lukas@wunner.de \
--cc=bhelgaas@google.com \
--cc=gpiccoli@igalia.com \
--cc=kai.heng.feng@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mmc@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=ricky_wu@realtek.com \
--cc=tony.luck@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox