[PATCH] PCI: Bail out if bus number overflows during scan
From: Nam Cao
Date: Fri May 31 2024 - 07:03:59 EST
In function pci_scan_bridge_extend(), if the variable next_busnr gets to
256, "child = pci_find_bus()" will return bus 0 (root bus). Consequently,
we have a circular PCI topology. The scan will then go in circle until the
kernel crashes due to stack overflow.
This can be reproduced with:
qemu-system-x86_64 -machine pc-q35-2.10 \
-kernel bzImage \
-m 2048 -smp 1 -enable-kvm \
-append "console=ttyS0 root=/dev/sda debug" \
-nographic \
-device pcie-root-port,bus=pcie.0,slot=1,id=rp1,bus-reserve=253 \
-device pcie-root-port,bus=pcie.0,slot=2,id=rp2,bus-reserve=0 \
-device pcie-root-port,bus=pcie.0,slot=3,id=rp3,bus-reserve=0
Check if next_busnr "overflow" and bail out if this is the case.
Signed-off-by: Nam Cao <namcao@xxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # all
---
This bug exists since the beginning of git history. So I didn't bother
tracing beyond git to see which patch introduced this.
---
drivers/pci/probe.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 1325fbae2f28..03caae76337c 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -1382,6 +1382,9 @@ static int pci_scan_bridge_extend(struct pci_bus *bus, struct pci_dev *dev,
else
next_busnr = max + 1;
+ if (next_busnr == 256)
+ goto out;
+
/*
* Prevent assigning a bus number that already exists.
* This can happen when a bridge is hot-plugged, so in this
--
2.39.2