From: Marco Nenciarini
To: Bjorn Helgaas, linux-pci@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Christian König, Marco Nenciarini, stable@vger.kernel.org, Michał Winiarski, Ilpo Järvinen, "Rafael J . Wysocki", Eric Chanudet, Alex Williamson, Lukas Wunner
Subject: [PATCH v2 1/2] PCI: Skip Resizable BAR restore on read error
Date: Fri, 17 Apr 2026 15:24:36 +0200
Message-Id: <666cac19b5daa0ab0e0ab64454e76b4d24465dbd.1776429882.git.mnencia@kcore.it>
References: <20260408163922.1740497-1-mnencia@kcore.it>

pci_restore_rebar_state() uses the Resizable BAR Control register to decide how many BARs to restore (nbars) and which BAR each iteration addresses (bar_idx).

When the device does not respond, config reads return the all-ones pattern. Both fields are 3 bits wide, so nbars and bar_idx both evaluate to 7, past the spec's valid ranges for both fields. pci_resource_n() then returns an unrelated resource slot, whose size is used to derive a nonsensical value written back to the Resizable BAR Control register.

Bail out if any Resizable BAR Control read returns the error pattern. No further BARs are touched, which is safe because a config read that returns the error pattern indicates the device is unreachable and restoration is pointless.

Fixes: d3252ace0bc6 ("PCI: Restore resized BAR state on resume")
Cc: stable@vger.kernel.org
Signed-off-by: Marco Nenciarini
---
Cc: Michał Winiarski
Cc: Ilpo Järvinen
Cc: Rafael J. Wysocki
Cc: Eric Chanudet
Cc: Alex Williamson
Cc: Lukas Wunner

 drivers/pci/rebar.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/pci/rebar.c b/drivers/pci/rebar.c index 39f8cf3b70d57..11965947c4cb5 100644 
--- a/drivers/pci/rebar.c +++ b/drivers/pci/rebar.c @@ -231,6 +231,9 @@ void pci_restore_rebar_state(struct pci_dev *pdev) return; =20 pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl); + if (PCI_POSSIBLE_ERROR(ctrl)) + return; + nbars =3D FIELD_GET(PCI_REBAR_CTRL_NBAR_MASK, ctrl); =20 for (i =3D 0; i < nbars; i++, pos +=3D 8) { 
@@ -238,6 +241,9 @@ void pci_restore_rebar_state(struct pci_dev *pdev) int bar_idx, size; =20 pci_read_config_dword(pdev, pos + PCI_REBAR_CTRL, &ctrl); + if (PCI_POSSIBLE_ERROR(ctrl)) + return; + bar_idx =3D ctrl & PCI_REBAR_CTRL_BAR_IDX; res =3D pci_resource_n(pdev, bar_idx); size =3D pci_rebar_bytes_to_size(resource_size(res)); --=20 2.47.3
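Review bot: In the first hunk of drivers/pci/rebar.c (@@ -231), the new early return after the initial PCI_REBAR_CTRL read is silent and uncommented, so a skipped restore leaves no trace when a device has dropped off the bus. A one-line comment stating that an all-ones read means the device is unreachable, plus a debug-level message naming the device before `return;`, would make this path diagnosable. The return value of pci_read_config_dword() is still ignored here; PCI_POSSIBLE_ERROR(ctrl) is the only failure signal the function acts on.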
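Review bot: In the second hunk of drivers/pci/rebar.c (@@ -238), bar_idx still reaches pci_resource_n() without a range check; the new guard rejects only the exact all-ones value. `ctrl & PCI_REBAR_CTRL_BAR_IDX` is a 3-bit field, so any other read that decodes to an index past the spec's valid range goes straight into `res = pci_resource_n(pdev, bar_idx);`. Consider validating bar_idx (and nbars from the previous hunk) against the valid range before use, so the lookup is bounded regardless of what the device returns.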
From: Marco Nenciarini
To: Bjorn Helgaas, linux-pci@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Christian König, Marco Nenciarini, stable@vger.kernel.org, Michał Winiarski, Ilpo Järvinen, "Rafael J . Wysocki", Eric Chanudet, Alex Williamson, Lukas Wunner
Subject: [PATCH v2 2/2] PCI/IOV: Skip VF Resizable BAR restore on read error
Date: Fri, 17 Apr 2026 15:24:37 +0200
Message-Id: <44a4ae53ec2825816b816c85cd378430d9a95cc6.1776429882.git.mnencia@kcore.it>
References: <20260408163922.1740497-1-mnencia@kcore.it>

sriov_restore_vf_rebar_state() uses the VF Resizable BAR Control register to decide how many VF BARs to restore (nbars) and which VF BAR each iteration addresses (bar_idx). bar_idx indexes into dev->sriov->barsz[], which has only PCI_SRIOV_NUM_BARS (6) entries.

When the device does not respond, config reads return the all-ones pattern. Both fields are 3 bits wide, so nbars and bar_idx both evaluate to 7. The barsz[] access then goes out of bounds. UBSAN reports this as:

  UBSAN: array-index-out-of-bounds in drivers/pci/iov.c:948:51
  index 7 is out of range for type 'resource_size_t [6]'

Observed on an NVIDIA RTX PRO 1000 GPU (GB207GLM) that fell off the PCIe bus during a failed GC6 power state exit. The subsequent pci_restore_state() invoked sriov_restore_vf_rebar_state() while config reads returned 0xffffffff, triggering the splat.

Bail out if any VF Resizable BAR Control read returns the error pattern. No further VF BARs are touched, which is safe because a config read that returns the error pattern indicates the device is unreachable and restoration is pointless. This mirrors the guard in pci_restore_rebar_state().

Fixes: 5a8f77e24a30 ("PCI/IOV: Restore VF resizable BAR state after reset")
Cc: stable@vger.kernel.org
Signed-off-by: Marco Nenciarini
---
Cc: Michał Winiarski
Cc: Ilpo Järvinen
Cc: Rafael J. Wysocki
Cc: Eric Chanudet
Cc: Alex Williamson
Cc: Lukas Wunner

 drivers/pci/iov.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c index 91ac4e37ecb9c..08df9bace13d1 100644 --- a/drivers/pci/iov.c +++ b/drivers/pci/iov.c @@ -938,12 +938,18 @@ static void sriov_restore_vf_rebar_state(struct pci_d= ev *dev) return; =20 pci_read_config_dword(dev, pos + PCI_VF_REBAR_CTRL, &ctrl); + if (PCI_POSSIBLE_ERROR(ctrl)) + return; + nbars =3D FIELD_GET(PCI_VF_REBAR_CTRL_NBAR_MASK, ctrl); =20 for (i =3D 0; i < nbars; i++, pos +=3D 8) { int bar_idx, size; =20 pci_read_config_dword(dev, pos + PCI_VF_REBAR_CTRL, &ctrl); + if (PCI_POSSIBLE_ERROR(ctrl)) + return; + bar_idx =3D FIELD_GET(PCI_VF_REBAR_CTRL_BAR_IDX, ctrl); size =3D pci_rebar_bytes_to_size(dev->sriov->barsz[bar_idx]); ctrl &=3D ~PCI_VF_REBAR_CTRL_BAR_SIZE; --=20 2.47.3
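Review bot: The barsz[] index in the loop body of sriov_restore_vf_rebar_state() is still bounded only by the all-ones check. The commit message gives barsz[] PCI_SRIOV_NUM_BARS (6) entries while bar_idx comes from a 3-bit field, so a read that is not 0xffffffff but decodes to 6 or 7 still indexes past the array at `dev->sriov->barsz[bar_idx]`. An explicit `if (bar_idx >= PCI_SRIOV_NUM_BARS)` bail-out before that line would bound the access for every input, with PCI_POSSIBLE_ERROR() kept as the fast path for a vanished device.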
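Added example, not part of the patch series or the kernel source: a userspace C model of the restore loop described in the two commit messages, showing how an all-ones read decodes to nbars = 7 and bar_idx = 7 and how the guard stops the loop. It goes one step beyond the patches by also range-checking both fields. The macro names, mask values and sample register contents are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the patch's macros; names and values here are assumptions. */
#define NUM_BARS 6u                            /* barsz[] entries per the commit message */
#define CTRL_BAR_IDX(c) ((c) & 0x7u)           /* 3-bit BAR index field */
#define CTRL_NBARS(c) (((c) >> 5) & 0x7u)      /* 3-bit BAR count field */
#define POSSIBLE_ERROR(c) ((c) == UINT32_MAX)  /* all-ones config read */

enum { RESTORE_OK = 0, DEV_GONE = -1, BAD_FIELD = -2 };

/* Constructed samples: one control dword per loop iteration. */
static const uint64_t SAMPLE_BARSZ[NUM_BARS] = { 1u << 20, 0, 1u << 28, 0, 0, 0 };
static const uint32_t CTRL_VALID[]   = { 0x40, 0x42 };        /* nbars=2, idx 0 then 2 */
static const uint32_t CTRL_GONE[]    = { 0xffffffffu };       /* device off the bus */
static const uint32_t CTRL_MIDLOOP[] = { 0x40, 0xffffffffu }; /* lost after first BAR */
static const uint32_t CTRL_BAD_IDX[] = { 0x26 };              /* nbars=1, idx 6 */

/* Model of the restore loop: sums the BAR sizes it would have looked up. */
static int restore_model(const uint32_t *ctrl, size_t n, uint64_t *bytes)
{
    *bytes = 0;
    if (n == 0 || POSSIBLE_ERROR(ctrl[0]))
        return DEV_GONE;                 /* guard added by the patch */
    unsigned nbars = CTRL_NBARS(ctrl[0]);
    if (nbars > NUM_BARS || nbars > n)
        return BAD_FIELD;                /* extra range check, not in the patch */
    for (unsigned i = 0; i < nbars; i++) {
        if (POSSIBLE_ERROR(ctrl[i]))
            return DEV_GONE;             /* guard added by the patch */
        unsigned idx = CTRL_BAR_IDX(ctrl[i]);
        if (idx >= NUM_BARS)
            return BAD_FIELD;            /* extra range check, not in the patch */
        *bytes += SAMPLE_BARSZ[idx];
    }
    return RESTORE_OK;
}

int main(void)
{
    uint64_t b;
    printf("all-ones: nbars=%u idx=%u\n", CTRL_NBARS(UINT32_MAX), CTRL_BAR_IDX(UINT32_MAX));
    printf("valid=%d\n", restore_model(CTRL_VALID, 2, &b));
    printf("gone=%d\n", restore_model(CTRL_GONE, 1, &b));
    printf("midloop=%d\n", restore_model(CTRL_MIDLOOP, 2, &b));
    printf("bad_idx=%d\n", restore_model(CTRL_BAD_IDX, 1, &b));
    return 0;
}
```

The CTRL_BAD_IDX case is the one the all-ones guard alone does not catch: the read is not 0xffffffff, yet the decoded index is past a 6-entry array.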