[PATCH 2/2] PCI: Fix NULL pointer access in pci_store_saved_state()

[Krishna Chaitanya Chundru]

If the PCIe link goes down while pci_save_state() is in progress, reads
from the device configuration space may return invalid values(all 0xF's).

This can lead to saving corrupted or inconsistent capability state and
subsequent memory corruption. The issue is not limited to a specific
capability type and may occur at any point during the save process.

One example is, while saving VC extended capability save path
(pci_save_vc_state() / pci_vc_do_save_buffer()) then interprets all-1s
capability fields as valid and ends up writing far beyond the allocated
pci_cap_saved_state buffer, corrupting the pci_dev->saved_cap_space list.

The call stack of the issue as follows.

[ T1634] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000013
[ T1634] Mem abort info:
[ T1634]   ESR = 0x96000005
[ T1634]   EC = 0x25: DABT (current EL), IL = 32 bits
[ T1634]   SET = 0, FnV = 0
[ T1634]   EA = 0, S1PTW = 0
[ T1634]   FSC = 0x05: level 1 translation fault
[ T1634] Data abort info:
[ T1634]   ISV = 0, ISS = 0x00000005
[ T1634]   CM = 0, WnR = 0
[ T1634] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000ac2ed000
[ T1634] [0000000000000013] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ T1634] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[ T1634] Dumping ftrace buffer:
[ T1634]    (ftrace buffer empty)
[ T1634] pc : pci_store_saved_state+0x40/0xd8
[ T1634] lr : cnss_set_pci_config_space+0x54/0x100 [cnss2]
[ T1634] Call trace:
[ T1634]  pci_store_saved_state+0x40/0xd8
[ T1634]  cnss_set_pci_config_space+0x54/0x100 [cnss2]

Fix this issue by bailing out early from pci_store_saved_state() if link
is not active and also make saved_state = false.

The link state check here is racy since the link may transition at any
time. This is a best-effort attempt to avoid saving PCI state when the
link is already down.

Signed-off-by: Krishna Chaitanya Chundru <krishna.chundru@xxxxxxxxxxxxxxxx>
---
 drivers/pci/pci.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
index 1488c93d4e22371480165cb55afc7a0c3cae238e..06bd6b7d62ec1a41bd12af2ab47ecd2b77665c7e 100644
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -1875,6 +1875,16 @@ struct pci_saved_state *pci_store_saved_state(struct pci_dev *dev)
 	if (!dev->state_saved)
 		return NULL;
 
+	/*
+	 * The link state check here is racy since the link may transition at
+	 * any time. This is a best-effort attempt to avoid saving PCI state
+	 * when the link is already down.
+	 */
+	if (!pcie_link_is_active(dev)) {
+		dev->state_saved = false;
+		return NULL;
+	}
+
 	size = sizeof(*state) + sizeof(struct pci_cap_saved_data);
 
 	hlist_for_each_entry(tmp, &dev->saved_cap_space, next)

-- 
2.34.1