Commit c37b6908 authored by Russell Currey's avatar Russell Currey Committed by Michael Ellerman

powerpc/iommu: Fix notifiers being shared by PCI and VIO buses

fail_iommu_setup() registers the fail_iommu_bus_notifier struct to both
PCI and VIO buses.  struct notifier_block is a linked list node, so this
causes any notifiers later registered to either bus type to also be
registered to the other since they share the same node.

This causes issues in (at least) the vgaarb code, which registers a
notifier for PCI buses.  pci_notify() ends up being called on a vio
device, converted with to_pci_dev() even though it's not a PCI device,
and finally makes a bad access in vga_arbiter_add_pci_device() as
discovered with KASAN:

 BUG: KASAN: slab-out-of-bounds in vga_arbiter_add_pci_device+0x60/0xe00
 Read of size 4 at addr c000000264c26fdc by task swapper/0/1

 Call Trace:
   dump_stack_lvl+0x1bc/0x2b8 (unreliable)
   print_report+0x3f4/0xc60
   kasan_report+0x244/0x698
   __asan_load4+0xe8/0x250
   vga_arbiter_add_pci_device+0x60/0xe00
   pci_notify+0x88/0x444
   notifier_call_chain+0x104/0x320
   blocking_notifier_call_chain+0xa0/0x140
   device_add+0xac8/0x1d30
   device_register+0x58/0x80
   vio_register_device_node+0x9ac/0xce0
   vio_bus_scan_register_devices+0xc4/0x13c
   __machine_initcall_pseries_vio_device_init+0x94/0xf0
   do_one_initcall+0x12c/0xaa8
   kernel_init_freeable+0xa48/0xba8
   kernel_init+0x64/0x400
   ret_from_kernel_thread+0x5c/0x64

Fix this by creating separate notifier_block structs for each bus type.

Fixes: d6b9a81b ("powerpc: IOMMU fault injection")
Reported-by: default avatarNageswara R Sastry <rnsastry@linux.ibm.com>
Signed-off-by: default avatarRussell Currey <ruscur@russell.cc>
Tested-by: default avatarNageswara R Sastry <rnsastry@linux.ibm.com>
Reviewed-by: default avatarAndrew Donnellan <ajd@linux.ibm.com>
[mpe: Add #ifdef to fix CONFIG_IBMVIO=n build]
Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20230322035322.328709-1-ruscur@russell.cc
parent b9bbbf49
...@@ -172,17 +172,28 @@ static int fail_iommu_bus_notify(struct notifier_block *nb, ...@@ -172,17 +172,28 @@ static int fail_iommu_bus_notify(struct notifier_block *nb,
return 0; return 0;
} }
static struct notifier_block fail_iommu_bus_notifier = { /*
* PCI and VIO buses need separate notifier_block structs, since they're linked
* list nodes. Sharing a notifier_block would mean that any notifiers later
* registered for PCI buses would also get called by VIO buses and vice versa.
*/
static struct notifier_block fail_iommu_pci_bus_notifier = {
.notifier_call = fail_iommu_bus_notify .notifier_call = fail_iommu_bus_notify
}; };
#ifdef CONFIG_IBMVIO
static struct notifier_block fail_iommu_vio_bus_notifier = {
.notifier_call = fail_iommu_bus_notify
};
#endif
static int __init fail_iommu_setup(void) static int __init fail_iommu_setup(void)
{ {
#ifdef CONFIG_PCI #ifdef CONFIG_PCI
bus_register_notifier(&pci_bus_type, &fail_iommu_bus_notifier); bus_register_notifier(&pci_bus_type, &fail_iommu_pci_bus_notifier);
#endif #endif
#ifdef CONFIG_IBMVIO #ifdef CONFIG_IBMVIO
bus_register_notifier(&vio_bus_type, &fail_iommu_bus_notifier); bus_register_notifier(&vio_bus_type, &fail_iommu_vio_bus_notifier);
#endif #endif
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment