Date:   Fri,  7 Feb 2020 14:54:50 -0500
From:   Stuart Hayes <stuart.w.hayes@...il.com>
To:     Bjorn Helgaas <bhelgaas@...gle.com>
Cc:     Austin Bolen <austin_bolen@...l.com>,
        Keith Busch <kbusch@...nel.org>,
        Alexandru Gagniuc <mr.nuke.me@...il.com>,
        "Rafael J . Wysocki" <rafael.j.wysocki@...el.com>,
        Mika Westerberg <mika.westerberg@...ux.intel.com>,
        Andy Shevchenko <andy.shevchenko@...il.com>,
        "Gustavo A . R . Silva" <gustavo@...eddedor.com>,
        Sinan Kaya <okaya@...nel.org>,
        Oza Pawandeep <poza@...eaurora.org>, linux-pci@...r.kernel.org,
        linux-kernel@...r.kernel.org, lukas@...ner.de, narendra_k@...l.com,
        Stuart Hayes <stuart.w.hayes@...il.com>
Subject: [PATCH v3] PCI: pciehp: Make sure pciehp_isr clears interrupt events

Without this patch, a pciehp hotplug port can stop generating interrupts
on hotplug events, so device adds and removals will not be seen.

The pciehp interrupt handler pciehp_isr() will read the slot status
register and then write back to it to clear the bits that caused the
interrupt. If a different interrupt event bit gets set between the read and
the write, pciehp_isr will exit without having cleared all of the interrupt
event bits. If this happens when the MSI isn't masked (it will never be,
for example, when MSR per-vector masking is not supported), we won't get
any more hotplug interrupts from that device.

That is expected behavior, according to the PCI Express Base Specification
Revision 5.0 Version 1.0, section 6.7.3.4, "Software Notification of Hot-
Plug Events".

Because the "presence detect changed" and "data link layer state changed"
event bits can both get set at nearly the same time when a device is added
or removed, this is more likely to happen than it might seem. The issue was
found (and can be reproduced rather easily) by connecting and disconnecting
an NVMe storage device on at least one system model where the NVMe devices
were being connected to an AMD PCIe port (PCI device 0x1022/0x1483).

This patch fixes this issue by modifying pciehp_isr() by looping back and
re-reading the slot status register immediately after writing to it, until
it sees that all of the event status bits have been cleared.

Signed-off-by: Stuart Hayes <stuart.w.hayes@...il.com>
---
v3:
  * removed pvm_capable flag (from v2) since MSI may not be masked
    regardless of whether per-vector masking is supported
  * tweaked comments

v2:
  * fixed ctrl_warn() call
  * improved comments
  * added pvm_capable flag and changed pciehp_isr() to loop back only when
    pvm_capable flag not set (suggested by Lukas Wunner)

 drivers/pci/hotplug/pciehp_hpc.c | 41 +++++++++++++++++++++++++++-----
 1 file changed, 35 insertions(+), 6 deletions(-)

diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
index 8a2cb1764386..0f99a150115e 100644
--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -522,12 +522,22 @@ void pciehp_power_off_slot(struct controller *ctrl)
 		 PCI_EXP_SLTCTL_PWR_OFF);
 }
 
+/*
+ * Set a limit to how many times the ISR will loop reading and writing the
+ * slot status register trying to clear the event bits.  These bits should
+ * not toggle rapidly, and there are only six possible events that could
+ * generate this interrupt.  If we still see events after this many reads,
+ * there is likely a bit stuck.
+ */
+#define MAX_ISR_STATUS_READS 6
+
 static irqreturn_t pciehp_isr(int irq, void *dev_id)
 {
 	struct controller *ctrl = (struct controller *)dev_id;
 	struct pci_dev *pdev = ctrl_dev(ctrl);
 	struct device *parent = pdev->dev.parent;
-	u16 status, events;
+	u16 status, events = 0;
+	int status_reads = 0;
 
 	/*
 	 * Interrupts only occur in D3hot or shallower and only if enabled
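Review bot: The comment above MAX_ISR_STATUS_READS says there are six possible events, but the event mask applied in pciehp_isr() later in this patch selects five bits (ABP, PFD, PDC, CC, DLLSC). Please either name the sixth event the comment has in mind or derive the limit from the mask, so the constant does not go stale if the mask changes. Minor: status_reads is only incremented and compared against a constant, so unsigned int would state the intent better than int.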
@@ -552,6 +562,7 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id)
 		}
 	}
 
+read_status:
 	pcie_capability_read_word(pdev, PCI_EXP_SLTSTA, &status);
 	if (status == (u16) ~0) {
 		ctrl_info(ctrl, "%s: no response from device\n", __func__);
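Review bot: With the read_status: label placed above the all-ones check, a retry pass can land in the "no response from device" branch after earlier passes have already accumulated bits in events and cleared them in hardware by write-back. The rest of that branch is not shown in this hunk; if it returns without acting on events, those already-acknowledged events are dropped, so the branch should either fall through to handle what was collected or carry a comment saying why losing them is acceptable. A do/while around the read, mask and write would also be easier to follow than a backward goto in the ISR.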
@@ -564,24 +575,42 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id)
 	 * Slot Status contains plain status bits as well as event
 	 * notification bits; right now we only want the event bits.
 	 */
-	events = status & (PCI_EXP_SLTSTA_ABP | PCI_EXP_SLTSTA_PFD |
-			   PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_CC |
-			   PCI_EXP_SLTSTA_DLLSC);
+	status &= (PCI_EXP_SLTSTA_ABP | PCI_EXP_SLTSTA_PFD |
+		   PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_CC |
+		   PCI_EXP_SLTSTA_DLLSC);
 
 	/*
 	 * If we've already reported a power fault, don't report it again
 	 * until we've done something to handle it.
 	 */
 	if (ctrl->power_fault_detected)
-		events &= ~PCI_EXP_SLTSTA_PFD;
+		status &= ~PCI_EXP_SLTSTA_PFD;
 
+	events |= status;
 	if (!events) {
 		if (parent)
 			pm_runtime_put(parent);
 		return IRQ_NONE;
 	}
 
-	pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, events);
+	if (status) {
+		pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, status);
+
+		/*
+		 * Unless the MSI happens to be masked, all of the event
+		 * bits must be zero before the port will send a new
+		 * interrupt (see PCI Express Base Specification Rev 5.0
+		 * Version 1.0, section 6.7.3.4, "Software Notification of
+		 * Hot-Plug Events"). So, if an event bit gets set between
+		 * the read and the write of PCI_EXP_SLTSTA, we need to
+		 * loop back and try again.
+		 */
+		if (status_reads++ < MAX_ISR_STATUS_READS)
+			goto read_status;
+		ctrl_warn(ctrl, "Hot plug event bit stuck (%x)\n",
+			  status);
+	}
+
 	ctrl_dbg(ctrl, "pending interrupts %#06x from Slot Status\n", events);
 	if (parent)
 		pm_runtime_put(parent);
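Review bot: The test "status_reads++ < MAX_ISR_STATUS_READS" starts from 0 and post-increments, so it permits six jumps back and therefore up to seven reads of PCI_EXP_SLTSTA, one more than the constant's name and comment promise; use a pre-increment or rename the constant to a retry count. Separately, when ctrl->power_fault_detected is set, PFD is masked out of status before the write-back, so the loop can exit with status == 0 while PFD is still set in the register, which by the comment added here ("all of the event bits must be zero before the port will send a new interrupt") leaves the port unable to signal further events. Please state in the comment how that case is expected to be handled, or write back the unmasked event bits while keeping PFD out of events.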
-- 
2.18.1
