Re: UAF during boot on MTL based devices with attached dock

Hi,

thank you for your mail!

On Thu, 2024-10-03 at 15:46 +0200, Lukas Wunner wrote:
> On Wed, Sep 25, 2024 at 03:38:34PM +0000, Wassenberg, Dennis wrote:
> > [    2.858063] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1]
> > PREEMPT SMP NOPTI
> > [    2.858071] CPU: 13 UID: 0 PID: 137 Comm: irq/156-pciehp Not tainted 6.11.0-devel+ #3
> > [    2.858090] Hardware name: LENOVO 21LVS1CV00/21LVS1CV00, BIOS N45ET18W (1.08 ) 07/08/2024
> > [    2.858097] RIP: 0010:dev_driver_string+0x12/0x40
> > [    2.858111] Code: 5c c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00
> > 00 48 8b 47 68 48 85 c0 74 08 <48> 8b 00 c3 cc cc cc cc 48 8b 47 60 48 85 c0 75 ef 48 8b 97 a8 02
> > [    2.858123] RSP: 0000:ffff9493009cfa00 EFLAGS: 00010202
> > [    2.858132] RAX: 6b6b6b6b6b6b6b6b RBX: ffff8e53029cb918 RCX: 0000000000000000
> > [    2.858139] RDX: ffffffffa586b18a RSI: ffff8e53029cb918 RDI: ffff8e53029cb918
> > [    2.858144] RBP: ffff9493009cfb10 R08: 0000000000000000 R09: ffff8e5304f61000
> > [    2.858150] R10: ffff9493009cfb20 R11: 0000000000005627 R12: ffffffffa64db188
> > [    2.858156] R13: 6b6b6b6b6b6b6b6b R14: 0000000000000080 R15: ffff8e5302b1c0c0
> > [    2.858161] FS:  0000000000000000(0000) GS:ffff8e5a50140000(0000) knlGS:0000000000000000
> > [    2.858169] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [    2.858175] CR2: 0000000000000000 CR3: 000000030162e001 CR4: 0000000000f70ef0
> > [    2.858182] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [    2.858187] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
> > [    2.858193] PKRU: 55555554
> > [    2.858196] Call Trace:
> 
> [...]
> > [    2.858258]  __dynamic_dev_dbg+0x170/0x210
> > [    2.858287]  pci_destroy_slot+0x59/0x60
> > [    2.858296]  pciehp_remove+0x2e/0x50
> > [    2.858304]  pcie_port_remove_service+0x30/0x50
> > [    2.858311]  device_release_driver_internal+0x19f/0x200
> > [    2.858322]  bus_remove_device+0xc6/0x130
> > [    2.858335]  device_del+0x165/0x3f0
> > [    2.858348]  device_unregister+0x17/0x60
> > [    2.858355]  remove_iter+0x1f/0x30
> > [    2.858361]  device_for_each_child+0x6a/0xb0
> > [    2.858368]  pcie_portdrv_remove+0x2f/0x60
> > [    2.858374]  pci_device_remove+0x3f/0xa0
> > [    2.858383]  device_release_driver_internal+0x19f/0x200
> > [    2.858392]  bus_remove_device+0xc6/0x130
> > [    2.858398]  device_del+0x165/0x3f0
> > [    2.858413]  pci_remove_bus_device+0x91/0x140
> > [    2.858422]  pci_remove_bus_device+0x3e/0x140
> > [    2.858430]  pciehp_unconfigure_device+0x98/0x160
> > [    2.858439]  pciehp_disable_slot+0x69/0x130
> > [    2.858447]  pciehp_handle_presence_or_link_change+0x281/0x4c0
> > [    2.858456]  pciehp_ist+0x14a/0x150
> 
> Could you try the patch below and report back if it fixes the issue?
> 
> Thanks!
> 
> Lukas
> 
> -- >8 --
> 
> diff --git a/drivers/pci/slot.c b/drivers/pci/slot.c
> index 0f87cade10f7..ed645c7a4e4b 100644
> --- a/drivers/pci/slot.c
> +++ b/drivers/pci/slot.c
> @@ -79,6 +79,7 @@ static void pci_slot_release(struct kobject *kobj)
>  	up_read(&pci_bus_sem);
>  
>  	list_del(&slot->list);
> +	pci_bus_put(slot->bus);
>  
>  	kfree(slot);
>  }
> @@ -261,7 +262,7 @@ struct pci_slot *pci_create_slot(struct pci_bus *parent, int slot_nr,
>  		goto err;
>  	}
>  
> -	slot->bus = parent;
> +	slot->bus = pci_bus_get(parent);
>  	slot->number = slot_nr;
>  
>  	slot->kobj.kset = pci_slots_kset;
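Review bot: with the reference taken at this assignment, every exit from pci_create_slot() after this line must drop it, either explicitly with pci_bus_put(slot->bus) or by releasing the slot through its kobject so that pci_slot_release() performs the put; the -ENOMEM path after make_slot_name() is the one visible case, so please confirm that no other return between here and kobject registration leaves the reference held. pci_bus_get() hands back its argument unchanged (and tolerates NULL), so slot->bus holds the same pointer value as before the patch and existing users of it are unaffected.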
> @@ -269,6 +270,7 @@ struct pci_slot *pci_create_slot(struct pci_bus *parent, int slot_nr,
>  	slot_name = make_slot_name(name);
>  	if (!slot_name) {
>  		err = -ENOMEM;
> +		pci_bus_put(slot->bus);
>  		kfree(slot);
>  		goto err;
>  	}

I tested the patch. For me this is the breakthrough. I tried it very hard (running automated boot-up and shut-down
sequences the whole day). For me it was not possible to run into the UAF any more. This will definitely fix the issue we
ran into! At least I cannot reproduce it any more ;)

Thank you & best regards,
Dennis
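
The following is an added example, not code from this thread or from the kernel: a user-space C model of the lifetime problem the quoted patch addresses. It assumes the hot-removal ordering implied by the trace, namely that the bus a slot belongs to has its last reference dropped before pciehp_remove() reaches pci_destroy_slot() and the slot's release function reads slot->bus. The struct names, the integer refcount and the `released` flag are stand-ins for the kernel's embedded struct device refcount and kfree(); the flag lets the model report a would-be use-after-free (the 0x6b6b... poison pointer in the oops) without touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of struct pci_bus: the refcount stands in for the embedded
 * struct device refcount, "released" for the memory going back to the slab
 * allocator (where SLUB's 0x6b poison produced the non-canonical address). */
struct toy_bus {
	int refcount;
	bool released;
	int number;
};

/* Toy model of struct pci_slot: only the back-pointer matters here. */
struct toy_slot {
	struct toy_bus *bus;
	int number;
};

/* Mirror pci_bus_get()/pci_bus_put(): NULL-tolerant, release on last put. */
static struct toy_bus *toy_bus_get(struct toy_bus *bus)
{
	if (bus)
		bus->refcount++;
	return bus;
}

static void toy_bus_put(struct toy_bus *bus)
{
	if (bus && --bus->refcount == 0)
		bus->released = true;	/* kernel: the bus is kfree()d here */
}

/* pci_create_slot() analogue. hold_ref selects the patched behaviour
 * (slot->bus = pci_bus_get(parent)) over the original plain assignment. */
static struct toy_slot *toy_create_slot(struct toy_bus *parent, int nr, bool hold_ref)
{
	struct toy_slot *slot = calloc(1, sizeof(*slot));

	if (!slot)
		return NULL;
	slot->bus = hold_ref ? toy_bus_get(parent) : parent;
	slot->number = nr;
	return slot;
}

/* pci_slot_release() analogue: the dev_dbg() there reads slot->bus->dev.
 * Returns true if that read would have landed in released memory. */
static bool toy_slot_release(struct toy_slot *slot, bool hold_ref)
{
	bool uaf = slot->bus->released;	/* the access the oops came from */

	if (hold_ref)
		toy_bus_put(slot->bus);	/* the put the patch adds to pci_slot_release() */
	free(slot);
	return uaf;
}

struct teardown_result {
	bool uaf;		/* slot release touched an already released bus */
	bool bus_released;	/* bus was released eventually, i.e. no leak */
};

/* Replay the assumed hot-removal ordering: the bus loses its registration
 * reference first, the hotplug slot is destroyed afterwards. */
static struct teardown_result toy_teardown(bool hold_ref)
{
	struct teardown_result r = { false, false };
	struct toy_bus *bus = calloc(1, sizeof(*bus));
	struct toy_slot *slot;

	if (!bus)
		return r;
	bus->refcount = 1;	/* reference held by the bus's own registration */
	bus->number = 1;

	slot = toy_create_slot(bus, 0, hold_ref);
	if (!slot) {
		free(bus);
		return r;
	}

	toy_bus_put(bus);				/* bus removal drops the registration ref */
	r.uaf = toy_slot_release(slot, hold_ref);	/* pci_destroy_slot() -> release */
	r.bus_released = bus->released;
	free(bus);
	return r;
}

int main(void)
{
	struct teardown_result before = toy_teardown(false);
	struct teardown_result after = toy_teardown(true);

	printf("unpatched: uaf=%d bus_released=%d\n", before.uaf, before.bus_released);
	printf("patched:   uaf=%d bus_released=%d\n", after.uaf, after.bus_released);
	return 0;
}
```

Without the reference the slot's release observes a bus that is already gone; with it the bus outlives the slot and is still released exactly once, so the fix trades the use-after-free for nothing more than a slightly later free of the bus.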