Description
In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling The recent commit 1010b4c012b0 ("powerpc/eeh: Make EEH driver device hotplug safe") restructured the EEH driver to improve synchronization with the PCI hotplug layer. However, it inadvertently moved pci_lock_rescan_remove() outside its intended scope in eeh_handle_normal_event(), leading to broken PCI error reporting and improper EEH event triggering. Specifically, eeh_handle_normal_event() acquired pci_lock_rescan_remove() before calling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to acquire the same lock internally, causing nested locking and disrupting normal EEH event handling paths. This patch adds a boolean parameter do_lock to _eeh_pe_bus_get(), with two public wrappers: eeh_pe_bus_get() with locking enabled. eeh_pe_bus_get_nolock() that skips locking. Callers that already hold pci_lock_rescan_remove() now use eeh_pe_bus_get_nolock() to avoid recursive lock acquisition. Additionally, pci_lock_rescan_remove() calls are restored to the correct position—after eeh_pe_bus_get() and immediately before iterating affected PEs and devices. This ensures EEH-triggered PCI removes occur under proper bus rescan locking without recursive lock contention. The eeh_pe_loc_get() function has been split into two functions: eeh_pe_loc_get(struct eeh_pe *pe) which retrieves the loc for given PE. eeh_pe_loc_get_bus(struct pci_bus *bus) which retrieves the location code for given bus. This resolves lockdep warnings such as: <snip> [ 84.964298] [ T928] ============================================ [ 84.964304] [ T928] WARNING: possible recursive locking detected [ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted [ 84.964315] [ T928] -------------------------------------------- [ 84.964320] [ T928] eehd/928 is trying to acquire lock: [ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964342] [ T928] but task is already holding lock: [ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964357] [ T928] other info that might help us debug this: [ 84.964363] [ T928] Possible unsafe locking scenario: [ 84.964367] [ T928] CPU0 [ 84.964370] [ T928] ---- [ 84.964373] [ T928] lock(pci_rescan_remove_lock); [ 84.964378] [ T928] lock(pci_rescan_remove_lock); [ 84.964383] [ T928] *** DEADLOCK *** [ 84.964388] [ T928] May be due to missing lock nesting notation [ 84.964393] [ T928] 1 lock held by eehd/928: [ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964408] [ T928] stack backtrace: [ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY [ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries [ 84.964419] [ T928] Call Trace: [ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable) [ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440 [ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80 [ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410 [ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050 [ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40 [ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0 [ 84.964442] [ T928] [c0000011a7157e50] [c00000 ---truncated---
Product status
502f08831a9afb72dc98a56ae6504da43e93b250 (git) before 89810e2d80281d42f855fac813786758ee16e323
f56e004b781719d8fdf6c9619b15caf2579bc1f2 (git) before 788dd28fd49610d6047cbb15dbf1186afffdfbaf
59c6d3d81d42bf543c90597b4f38c53d6874c5a1 (git) before f49faa4a64f8ac0e38983e606075b25dfcfc9ad4
a426e8a6ae161f51888585b065db0f8f93ab2e16 (git) before 87a1f93986aa1500b85aeff16b0b71c29ea116ea
d2c60a8a387e9fcc28447ef36c03f8e49fd052a6 (git) before f8b16d5764ee1e78c1ef333017ad383ffe76fcdc
1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 (git) before 6e6561231c6cfc32c5631aeecc0928ff2b14265c
1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 (git) before b85ee287bfe52c6b2d9b41758b5e0d08679d5b39
1010b4c012b0d78dfb9d3132b49aa2ef024a07a7 (git) before 815a8d2feb5615ae7f0b5befd206af0b0160614c
d42bbd8f30ac38b1ce54715bf08ec3dac18d6b25 (git)
19d5036e7ad766cf212aebec23b9f1d7924a62bc (git)
5.10.241 (semver) before 5.10.252
5.15.190 (semver) before 5.15.202
6.1.148 (semver) before 6.1.165
6.6.102 (semver) before 6.6.128
6.12.42 (semver) before 6.12.75
6.15.10 (semver) before 6.16
6.16.1 (semver) before 6.17
6.17
Any version before 6.17
5.10.252 (semver)
5.15.202 (semver)
6.1.165 (semver)
6.6.128 (semver)
6.12.75 (semver)
6.18.14 (semver)
6.19.4 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/89810e2d80281d42f855fac813786758ee16e323
git.kernel.org/...c/788dd28fd49610d6047cbb15dbf1186afffdfbaf
git.kernel.org/...c/f49faa4a64f8ac0e38983e606075b25dfcfc9ad4
git.kernel.org/...c/87a1f93986aa1500b85aeff16b0b71c29ea116ea
git.kernel.org/...c/f8b16d5764ee1e78c1ef333017ad383ffe76fcdc
git.kernel.org/...c/6e6561231c6cfc32c5631aeecc0928ff2b14265c
git.kernel.org/...c/b85ee287bfe52c6b2d9b41758b5e0d08679d5b39
git.kernel.org/...c/815a8d2feb5615ae7f0b5befd206af0b0160614c