[PATCH] PCI: Bail out if bus number overflows during scan

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



In function pci_scan_bridge_extend(), if the variable next_busnr gets to
256, "child = pci_find_bus()" will return bus 0 (root bus). Consequently,
we have a circular PCI topology. The scan will then go in circle until the
kernel crashes due to stack overflow.

This can be reproduced with:
    qemu-system-x86_64 -machine pc-q35-2.10 \
    -kernel bzImage \
    -m 2048 -smp 1 -enable-kvm \
    -append "console=ttyS0 root=/dev/sda debug" \
    -nographic \
    -device pcie-root-port,bus=pcie.0,slot=1,id=rp1,bus-reserve=253 \
    -device pcie-root-port,bus=pcie.0,slot=2,id=rp2,bus-reserve=0 \
    -device pcie-root-port,bus=pcie.0,slot=3,id=rp3,bus-reserve=0

Check if next_busnr "overflow" and bail out if this is the case.

Signed-off-by: Nam Cao <namcao@xxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # all
---
This bug exists since the beginning of git history. So I didn't bother
tracing beyond git to see which patch introduced this.
---
 drivers/pci/probe.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 1325fbae2f28..03caae76337c 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1382,6 +1382,9 @@ static int pci_scan_bridge_extend(struct pci_bus *bus, struct pci_dev *dev,
 		else
 			next_busnr = max + 1;
 
+		if (next_busnr == 256)
+			goto out;
+
 		/*
 		 * Prevent assigning a bus number that already exists.
 		 * This can happen when a bridge is hot-plugged, so in this
-- 
2.39.2





[Index of Archives]     [DMA Engine]     [Linux Coverity]     [Linux USB]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Greybus]

  Powered by Linux