From patchwork Tue Dec 22 21:44:51 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Daney X-Patchwork-Id: 560289 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 6DE0B1402DE for ; Wed, 23 Dec 2015 08:45:57 +1100 (AEDT) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b=w3tFLYQp; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933151AbbLVVpK (ORCPT ); Tue, 22 Dec 2015 16:45:10 -0500 Received: from mail-io0-f174.google.com ([209.85.223.174]:34485 "EHLO mail-io0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932973AbbLVVpC (ORCPT ); Tue, 22 Dec 2015 16:45:02 -0500 Received: by mail-io0-f174.google.com with SMTP id e126so199608410ioa.1; Tue, 22 Dec 2015 13:45:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id; bh=IBw0Z1qCpDAGEDmrxN5dlOBkZg0GSKrc10D+C1PYWzA=; b=w3tFLYQpvclOXFPDU8hS8UoMyoPi//IbGWrU5JZqxztMv9WQuCZ4A9dbH16aD3STtc 830upm15yHkRPhL5GenwvN0dhHDRRUfVz5RA0JbTxZwmu3nlhCFru/oxwNBAC92H47Sq aMYPsoBaIgIBhH4qBaYD235tYnDlNrHzUkr3FUnMOwzLbvOtDstJD0/3ufSi/Nj5hhm3 K0bLlkeyL16HnC5Viq0rbyi7wlRzCCg0r9kCzDD53AHZdV1VfsTfYXR6dVuCwT1gbC2l zcUhZQS/TULLw75JuY/COJ+sJLsEfVVWBTI9J45Y0zq26EdshTfbAS1yWcNSIP17ma5L 4e1Q== X-Received: by 10.107.149.205 with SMTP id x196mr27461983iod.181.1450820701655; Tue, 22 Dec 2015 13:45:01 -0800 (PST) Received: from dl.caveonetworks.com ([64.2.3.194]) by smtp.gmail.com with ESMTPSA id ht2sm10862021igb.22.2015.12.22.13.44.59 (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 22 Dec 2015 13:44:59 -0800 (PST) Received: from dl.caveonetworks.com (localhost.localdomain [127.0.0.1]) by dl.caveonetworks.com (8.14.5/8.14.5) with ESMTP id tBMLirDr027622; Tue, 22 Dec 2015 13:44:53 -0800 Received: (from ddaney@localhost) by dl.caveonetworks.com (8.14.5/8.14.5/Submit) id tBMLirhX027621; Tue, 22 Dec 2015 13:44:53 -0800 From: David Daney To: linux-kernel@vger.kernel.org, Bjorn Helgaas , linux-pci@vger.kernel.org Cc: David Daney Subject: [PATCH] PCI: aer_inject: Don't call config read/write functions with invalid ops structure. Date: Tue, 22 Dec 2015 13:44:51 -0800 Message-Id: <1450820691-27588-1-git-send-email-ddaney.cavm@gmail.com> X-Mailer: git-send-email 1.7.11.7 Sender: linux-pci-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-pci@vger.kernel.org From: David Daney The aer_inject module, when active, replaces the pci_ops structure of the bus so that it can intercept config space accesses. If the config space access needs to be forwarded to the original pci_ops, we must restore the bus's original ops, as the read()/write() functions may require use of the data in the pci_ops structure. An example of such functions are the pci_generic_config*() functions in drivers/pci/access.c. A failure to call these with a valid bus->ops results in dereferencing an invalid bus->ops->map_bus pointer and subsequent OOPs and system crash. So, do as suggested above. When calling to the original read()/write() functions, temporarily switch back to the original pci_ops. This is safe to do as the pci_lock must already be held, and thus no other users of the bus->ops are possible. Signed-off-by: David Daney --- drivers/pci/pcie/aer/aer_inject.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pcie/aer/aer_inject.c b/drivers/pci/pcie/aer/aer_inject.c index 182224a..2d60e0e 100644 --- a/drivers/pci/pcie/aer/aer_inject.c +++ b/drivers/pci/pcie/aer/aer_inject.c @@ -188,7 +188,9 @@ static int pci_read_aer(struct pci_bus *bus, unsigned int devfn, int where, struct aer_error *err; unsigned long flags; struct pci_ops *ops; + struct pci_ops *my_ops; int domain; + int rv; spin_lock_irqsave(&inject_lock, flags); if (size != sizeof(u32)) @@ -208,8 +210,19 @@ static int pci_read_aer(struct pci_bus *bus, unsigned int devfn, int where, } out: ops = __find_pci_bus_ops(bus); + /* + * pci_lock must already be held, so we can directly + * manipulate bus->ops. Many config access functions, + * including pci_generic_config_read() require the original + * bus->ops be installed to function, so temporarily put them + * back. + */ + my_ops = bus->ops; + bus->ops = ops; + rv = ops->read(bus, devfn, where, size, val); + bus->ops = my_ops; spin_unlock_irqrestore(&inject_lock, flags); - return ops->read(bus, devfn, where, size, val); + return rv; } static int pci_write_aer(struct pci_bus *bus, unsigned int devfn, int where, @@ -220,7 +233,9 @@ static int pci_write_aer(struct pci_bus *bus, unsigned int devfn, int where, unsigned long flags; int rw1cs; struct pci_ops *ops; + struct pci_ops *my_ops; int domain; + int rv; spin_lock_irqsave(&inject_lock, flags); if (size != sizeof(u32)) @@ -243,8 +258,19 @@ static int pci_write_aer(struct pci_bus *bus, unsigned int devfn, int where, } out: ops = __find_pci_bus_ops(bus); + /* + * pci_lock must already be held, so we can directly + * manipulate bus->ops. Many config access functions, + * including pci_generic_config_write() require the original + * bus->ops be installed to function, so temporarily put them + * back. + */ + my_ops = bus->ops; + bus->ops = ops; + rv = ops->write(bus, devfn, where, size, val); + bus->ops = my_ops; spin_unlock_irqrestore(&inject_lock, flags); - return ops->write(bus, devfn, where, size, val); + return rv; } static struct pci_ops pci_ops_aer = {