[LTP] [PATCH] tpci: Unbind/rebind driver in test_assign_resources()

[LTP] [PATCH] tpci: Unbind/rebind driver in test_assign_resources()

[Hongtao Zhang via ltp]

[Problem]
A kernel panic (UAF) occurs during cat /proc/iomem following this sequence:
ltp_tpci test -> remove driver module -> cat /proc/iomem.
The crash happens when the kernel traverses the iomem tree and attempts to
access the driver name of a hinic NIC node.

[Panic Log]
[ 1621.313131] Unable to handle kernel paging request at virtual address ffffc272c2eb21c0
...
[ 1621.699915] Call trace:
[ 1621.706132]  string+0x54/0x130
[ 1621.712899]  vsnprintf+0x248/0x6f0
[ 1621.719989]  seq_printf+0xc4/0xe8
[ 1621.726941]  r_show+0xc4/0x100
[ 1621.733555]  seq_read_iter+0x358/0x478
[ 1621.740846]  proc_reg_read_iter+0x68/0xe8
[ 1621.748410]  vfs_read+0x200/0x2b0
[ 1621.755224]  ksys_read+0x78/0x118
[ 1621.761961]  __arm64_sys_read+0x24/0x38
[ 1621.769169]  invoke_syscall+0x50/0x128
[ 1621.776226]  el0_svc_common.constprop.0+0xc8/0xf0
[ 1621.784206]  do_el0_svc+0x24/0x38
[ 1621.790723]  el0_svc+0x44/0x200
[ 1621.796996]  el0t_64_sync_handler+0x100/0x130
[ 1621.804445]  el0t_64_sync+0x188/0x190

[Output of cat /proc/iomem in vmcore]
(res@ffff284005be3b00):30a000000000-313fffffffff : PCI Bus 0000:95 (name@ffff08400fd074e8)
  (res@ffff282006696778):30a000000000-30a0113fffff : PCI Bus 0000:96 (name@ffff28200668d0e8)
    (res@ffff282006690778):30a000000000-30a0113fffff : PCI Bus 0000:97 (name@ffff28200668f8e8)
      (res@ffff282006693778):30a000000000-30a0044fffff : PCI Bus 0000:9b (name@ffff2820066990e8)
        (res@ffff2820066a7678):30a000000000-30a003bfffff : 0000:9b:00.0 (name@ffff08400fd063d0)
        (res@ffff2820066a74b8):30a003c00000-30a003cfffff : 0000:9b:00.0 (name@ffff08400fd063d0)
        (res@ffff2820066a73b8):30a003d00000-30a003d1ffff : 0000:9b:00.0 (name@ffff08400fd063d0)
        (res@ffff2820066a75f8):30a003d20000-30a003efffff : 0000:9b:00.0 (name@ffff08400fd063d0)
        (res@ffff2820066a7438):30a003f00000-30a003f07fff : 0000:9b:00.0 (name@ffff08400fd063d0)
			(res@ffff28201699cf00):30a0044a0000-30a0044a7fff : gdb: invalid kernel virtual address:	ffffc272c2eb21c0: type:	"gdb readmem callback"
gdb: gdb request failed: dump_iomem
crash>

[Root Cause]
In test_assign_resources(), a hinic BAR is reassigned to a different physical
address. When the hinic driver is later removed, its .remove callback fails to
release the resource because the driver's claimed range no longer matches the
reassigned BAR range.
Consequently, the resource node remains in the iomem tree after the module is
unloaded. Since resource->name points to the module's reclaimed memory,
it becomes a dangling pointer. Traversing /proc/iomem dereferences this
invalid pointer, triggering the UAF panic.

[Fix]
In test_assign_resources(), for end-devices:
unbind drivers before calling pci_release_resource;
rebind driver after pci_assign_resource().

Fixes: d631e9caef68 ("ltp_tpci.c: Add release operation before allocation")
Signed-off-by: Hongtao Zhang <zhanghongtao35@huawei.com>
---
 .../device-drivers/pci/tpci_kernel/ltp_tpci.c   | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/testcases/kernel/device-drivers/pci/tpci_kernel/ltp_tpci.c b/testcases/kernel/device-drivers/pci/tpci_kernel/ltp_tpci.c
index 660b3a423..2790a15d6 100644
--- a/testcases/kernel/device-drivers/pci/tpci_kernel/ltp_tpci.c
+++ b/testcases/kernel/device-drivers/pci/tpci_kernel/ltp_tpci.c
@@ -442,9 +442,26 @@ static int test_assign_resources(void)
 
 		if (r->flags & IORESOURCE_MEM &&
 			r->flags & IORESOURCE_PREFETCH) {
+
+			if (dev->hdr_type == PCI_HEADER_TYPE_NORMAL) {
+				if (dev->dev.driver)
+					device_release_driver(&dev->dev);
+			}
+
 			pci_release_resource(dev, i);
 			ret = pci_assign_resource(dev, i);
 			prk_info("assign resource to '%d', ret '%d'", i, ret);
+
+			if (ret == 0) {
+				if (dev->hdr_type == PCI_HEADER_TYPE_NORMAL) {
+					int attach_ret;
+
+					attach_ret = device_attach(&dev->dev);
+					if (attach_ret < 0)
+						prk_info("device_attach failed for endpoint, ret: %d", attach_ret);
+				}
+			}
+
 			rc |= (ret < 0 && ret != -EBUSY) ? TFAIL : TPASS;
 		}
 	}
-- 
2.43.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] tpci: Unbind/rebind driver in test_assign_resources()

[linuxtestproject.agent]

Hi Hongtao,

On Fri, 17 Apr 2026 10:29:49 +0800, Hongtao Zhang wrote:
> tpci: Unbind/rebind driver in test_assign_resources()

> +			if (dev->hdr_type == PCI_HEADER_TYPE_NORMAL) {
> +				if (dev->dev.driver)
> +					device_release_driver(&dev->dev);
> +			}
> +
>  			pci_release_resource(dev, i);
>  			ret = pci_assign_resource(dev, i);
> +
> +			if (ret == 0) {
> +				if (dev->hdr_type == PCI_HEADER_TYPE_NORMAL) {
> +					int attach_ret;
> +
> +					attach_ret = device_attach(&dev->dev);
> +					if (attach_ret < 0)
> +						prk_info("device_attach failed for endpoint, ret: %d", attach_ret);
> +				}
> +			}

Properly unbinding before BAR reassignment and rebinding afterward
prevents the dangling resource->name pointer UAF in /proc/iomem.

Reviewed-by: LTP AI Reviewer <ltp-ai@noreply.github.com>

---
Note:

Our agent completed the review of the patch.

The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment this email or ignore the suggestions.

Regards,
LTP AI Reviewer

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp