On Wed, May 27, 2026 at 11:38:14PM +0530, Aditya Gupta wrote:
> For opencapi phb direct slots, the .pdev for php_slots will be NULL
>
> Various sections of the code in pnv_php can do a null dereference and
> crash the kernel.
>
> Originally, the issue was hit during boot:
>
> [ 1.568588] PowerPC PowerNV PCI Hotplug Driver version: 0.1
> [ 1.569722] BUG: Kernel NULL pointer dereference at 0x00000074
> [ 1.569811] Faulting instruction address: 0xc000000000b75fd0
> [ 1.569890] Oops: Kernel access of bad area, sig: 11 [#1]
> [ 1.569963] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV
> ...
> [ 1.571492] NIP [c000000000b75fd0] pnv_php_get_adapter_state+0x60/0x154
> [ 1.571604] LR [c000000000b75fbc] pnv_php_get_adapter_state+0x4c/0x154
> [ 1.571690] Call Trace:
> [ 1.571725] [c000c0000688f990] [c000000000b75fbc]
> pnv_php_get_adapter_state+0x4c/0x154 (unreliable)
> [ 1.571783] [c000c0000688fa20] [c000000000b78bd0]
> pnv_php_enable+0x94/0x378
> [ 1.571951] [c000c0000688fac0] [c000000000b7912c]
> pnv_php_register_one.isra.0+0x11c/0x1e0

Drop timestamps since they don't add useful information.

Indent quoted material by two spaces to reduce wrapping.

Run "git log --oneline drivers/pci/hotplug/pnv_php.c" and
"git log --oneline drivers/pci/hotplug/" and match subject line style.

> This occurs for hotplug slots on root buses where bus->self == NULL,
> such as OpenCAPI PHB direct slots. An added debug print (not part of
> this patch) confirmed it was opencapi:

Style "OpenCAPI" and "PHB" consistently in commit log and subject.

> [ 1.617227] pnv_php: slot 'OPENCAPI-0009' has NULL pdev (bus 0009:00,
> parent=NO (root bus))
> [ 1.617308] pnv_php: slot 'OPENCAPI-0009'
> dn->full_name='pciex@603a000000000',
> compatible='ibm,power10-pau-opencapi-pciex'
>
> This only required null check in 'pnv_php_get_adapter_state', which
> caused the kernel to boot.
>
> Even with 'pnv_php_get_adapter_state' null check, there are more
> possible null dereferences pointed by sashiko, including cases where
> userspace crashes the kernel, such as:
>
> $ cat /sys/bus/pci/slots/*/attention
> ...
> [ 557.036295] Kernel attempted to read user page (6e) - exploit attempt?
> (uid: 0)
> [ 557.036354] BUG: Kernel NULL pointer dereference on read at 0x0000006e
> [ 557.036383] Faulting instruction address: 0xc000000000a83334
> [ 557.036413] Oops: Kernel access of bad area, sig: 11 [#1]
> [ 557.036449] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA PowerNV
> ...
> [ 557.037749] [c000000046707a20] [c000000046707b90] 0xc000000046707b90
> (unreliable)
> [ 557.037795] [c000000046707a70] [0000000000000001] 0x1
> [ 557.037850] [c000000046707ab0] [c000000000acb00c]
> attention_read_file+0x54/0xa8
> [ 557.037910] [c000000046707b30] [c000000000abfbfc]
> pci_slot_attr_show+0x3c/0x58
> [ 557.037977] [c000000046707b50] [c0000000008181ec]
> sysfs_kf_seq_show+0xd4/0x204
> [ 557.038022] [c000000046707be0] [c000000000815004]
> kernfs_seq_show+0x44/0x58
>
> Add null checks to prevent the null dereferences.
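
For illustration only, the guard pattern described above can be sketched
in userspace C. The demo_* types and function are hypothetical stand-ins,
not the pnv_php code, and returning -ENODEV for a slot without a pdev is
an assumption about the desired behavior, not something the patch states:

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical stand-ins for illustration; not the real kernel types. */
struct demo_pci_dev {
	int attention;
};

struct demo_slot {
	const char *name;
	struct demo_pci_dev *pdev;	/* NULL for a slot directly under a root bus */
};

/*
 * Read the attention state of a slot.  Returns 0 and stores the state in
 * *state on success.  Returns -ENODEV (an assumed error code) and leaves
 * *state untouched when the slot has no upstream device to query.
 */
int demo_get_attention(const struct demo_slot *slot, int *state)
{
	if (!slot->pdev)
		return -ENODEV;

	*state = slot->pdev->attention;
	return 0;
}
```

The point of the sketch is only that the check happens before the first
dereference, so a read from userspace gets an error instead of an oops.
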
>
> Cc: [email protected]
> Fixes: 80f9fc236279 ("PCI: pnv_php: Work around switches with broken presence
> detection")
> Signed-off-by: Aditya Gupta <[email protected]>
