From: Marco Nenciarini <mnencia@kcore.it>
To: Bjorn Helgaas <bhelgaas@google.com>, linux-pci@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
"Christian König" <ckoenig.leichtzumerken@gmail.com>,
"Marco Nenciarini" <mnencia@kcore.it>
Subject: [PATCH v2 0/2] PCI: Guard Resizable BAR restore against unreachable devices
Date: Fri, 17 Apr 2026 15:24:35 +0200 [thread overview]
Message-ID: <cover.1776429882.git.mnencia@kcore.it> (raw)
In-Reply-To: <20260408163922.1740497-1-mnencia@kcore.it>
This series addresses Bjorn's review feedback on v1 [1].
v1 bounds-checked bar_idx before indexing dev->sriov->barsz[] in
sriov_restore_vf_rebar_state(). Bjorn pointed out that the non-SRIOV
sibling pci_restore_rebar_state() has the same issue, and that a
PCI_POSSIBLE_ERROR(ctrl) check on the config read makes the intent
of the guard more obvious than a post-hoc range check on the
extracted field.
v2 therefore adopts PCI_POSSIBLE_ERROR(ctrl) after each Resizable
BAR Control read in both functions, bailing out when config reads
return the all-ones pattern. Patch 1 covers pci_restore_rebar_state().
Patch 2 covers sriov_restore_vf_rebar_state(), with the NVIDIA GC6
UBSAN splat as motivation.
Note that this changes behavior versus v1: on a bad read we abort
the loop instead of skipping just the current BAR. This matches
the structure Bjorn suggested in review and is safe because the
all-ones pattern means the device is unreachable, so restoring the
remaining BARs is moot.
Compile-tested on pci/next (full drivers/pci/ build). The error
path cannot be exercised without reproducing the GC6 failure that
killed the GPU in the original report.
The broader v1 discussion on the pci_restore_config_dword() retry
loop and on save/restore behavior when the device has fallen off
the bus is out of scope for this fix. Happy to tackle that
separately if there is consensus.
[1] https://lore.kernel.org/all/20260408163922.1740497-1-mnencia@kcore.it/
Marco Nenciarini (2):
PCI: Skip Resizable BAR restore on read error
PCI/IOV: Skip VF Resizable BAR restore on read error
drivers/pci/iov.c | 6 ++++++
drivers/pci/rebar.c | 6 ++++++
2 files changed, 12 insertions(+)
base-commit: 40286d6379aacfcc053253ef78dc78b09addffda
--
2.47.3
next prev parent reply other threads:[~2026-04-17 13:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 16:39 [PATCH] PCI/IOV: Fix out-of-bounds access in sriov_restore_vf_rebar_state() Marco Nenciarini
2026-04-14 13:34 ` Michał Winiarski
2026-04-16 22:42 ` Bjorn Helgaas
2026-04-16 22:57 ` Bjorn Helgaas
2026-04-17 4:57 ` Lukas Wunner
2026-04-17 13:24 ` Marco Nenciarini [this message]
2026-04-17 13:24 ` [PATCH v2 1/2] PCI: Skip Resizable BAR restore on read error Marco Nenciarini
2026-04-17 13:24 ` [PATCH v2 2/2] PCI/IOV: Skip VF " Marco Nenciarini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1776429882.git.mnencia@kcore.it \
--to=mnencia@kcore.it \
--cc=bhelgaas@google.com \
--cc=ckoenig.leichtzumerken@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox