[PATCH QEMU] acpiphp: hack to send BusCheck to missing device on root bus
From: Igor Mammedov
Date: Mon Jul 31 2023 - 08:48:32 EST
A reproducer for [1], faking a missing device (supposedly root port)
on root bus, and ability to send BusCheck to it.
Usage:
./qemu-system-x86_64 -monitor stdio -M q35 -cpu host -smp 4 -enable-kvm -m 4G
-nographic
-monitor stdio
-snapshot
-serial file:/tmp/s
-kernel ~/builds/linux-2.6/arch/x86/boot/bzImage
-append 'root=/dev/sda1 console=ttyS0'
-device pcie-root-port,id=rp1,bus=pcie.0,chassis=0,addr=8
vm_disk_image
wait till it boots and then at monitor prompt hotplug a device
(no hotplug will happen since hacked AML code will send only
notify to missing device, but it's sufficient to reproduce kernel crash
at commit [2]):
(qemu) device_add e1000e,bus=rp1
observe in guest logs:
[ 612.277651] BUG: kernel NULL pointer dereference, address: 0000000000000018
[...]
[ 612.277798] ? pci_assign_unassigned_bridge_resources+0x1f/0x260
[ 612.277804] ? pcibios_allocate_dev_resources+0x3c/0x2a0
[ 612.277809] enable_slot+0x21f/0x3e0
[ 612.277816] acpiphp_hotplug_notify+0x13d/0x260
[ 612.277822] ? __pfx_acpiphp_hotplug_notify+0x10/0x10
[ 612.277827] acpi_device_hotplug+0xbc/0x540
[ 612.277834] acpi_hotplug_work_fn+0x15/0x20
[ 612.277839] process_one_work+0x1f7/0x370
[ 612.277845] worker_thread+0x45/0x3b0
[ 612.277850] ? __pfx_worker_thread+0x10/0x10
[ 612.277854] kthread+0xdc/0x110
[ 612.277860] ? __pfx_kthread+0x10/0x10
[ 612.277866] ret_from_fork+0x28/0x40
[ 612.277871] ? __pfx_kthread+0x10/0x10
[ 612.277876] ret_from_fork_asm+0x1b/0x30
1)
Link: https://lore.kernel.org/r/11fc981c-af49-ce64-6b43-3e282728bd1a@xxxxxxxxx
2)
commit 40613da52b13fb ("PCI: acpiphp: Reassign resources on bridge if necessary")
Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
---
hw/i386/acpi-build.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 9c74fa17ad..f6c2584289 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -1784,11 +1784,18 @@ build_dsdt(GArray *table_data, BIOSLinker *linker,
if (pci_host) {
PCIBus *bus = PCI_HOST_BRIDGE(pci_host)->bus;
Aml *scope = aml_scope("PCI0");
+ Aml *dev;
/* Scan all PCI buses. Generate tables to support hotplug. */
build_append_pci_bus_devices(scope, bus);
if (object_property_find(OBJECT(bus), ACPI_PCIHP_PROP_BSEL)) {
build_append_pcihp_slots(scope, bus);
}
+
+ /* nonexisting PCI device */
+ dev = aml_device("RPX");
+ aml_append(dev, aml_name_decl("_ADR", aml_int(0x100000)));
+ aml_append(scope, dev);
+
aml_append(sb_scope, scope);
}
}
@@ -1852,12 +1859,8 @@ build_dsdt(GArray *table_data, BIOSLinker *linker,
scope = aml_scope("_GPE");
{
method = aml_method("_E01", 0, AML_NOTSERIALIZED);
- if (has_pcnt) {
- aml_append(method,
- aml_acquire(aml_name("\\_SB.PCI0.BLCK"), 0xFFFF));
- aml_append(method, aml_call0("\\_SB.PCI0.PCNT"));
- aml_append(method, aml_release(aml_name("\\_SB.PCI0.BLCK")));
- }
+ /* send BusCheck to non-present PCI device */
+ aml_append(method, aml_notify(aml_name("\\_SB.PCI0.RPX"), aml_int(0)));
aml_append(scope, method);
}
aml_append(dsdt, scope);
--
2.39.3