From: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
To: Rob Herring <robh@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>,
	linux-pci@vger.kernel.org,
	Anders Roxell <anders.roxell@linaro.org>,
	Arnd Bergmann <arnd@arndb.de>
Subject: Re: [PATCH 2/2] PCI: Fix pci_host_bridge struct device release/free handling
Date: Thu, 14 May 2020 11:30:28 +0100	[thread overview]
Message-ID: <20200514103028.GA16121@red-moon.cambridge.arm.com> (raw)
In-Reply-To: <20200513223859.11295-2-robh@kernel.org>

On Wed, May 13, 2020 at 05:38:59PM -0500, Rob Herring wrote:
> The PCI code has several paths where the struct pci_host_bridge is freed
> directly. This is wrong because it contains a struct device which is
> refcounted and should be freed using put_device(). This can result in
> use-after-free errors. I think this problem has existed since 2012 with
> commit 7b5436635800 ("PCI: add generic device into pci_host_bridge
> struct"). It generally hasn't mattered as most host bridge drivers are
> still built-in and can't unbind.
> 
> The problem is a struct device should never be freed directly once
> device_initialize() is called and a ref is held, but that doesn't happen
> until pci_register_host_bridge(). There's then a window between
> allocating the host bridge and pci_register_host_bridge() where kfree
> should be used. This is fragile and requires callers to do the right
> thing. To fix this, we need to split device_register() into
> device_initialize() and device_add() calls, so that the host bridge
> struct is always freed by using a put_device().
> 
> devm_pci_alloc_host_bridge() is using devm_kzalloc() to allocate struct
> pci_host_bridge which will be freed directly. Instead, we can use a
> custom devres action to call put_device().
> 
> Reported-by: Anders Roxell <anders.roxell@linaro.org>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Cc: Bjorn Helgaas <bhelgaas@google.com>
> Signed-off-by: Rob Herring <robh@kernel.org>
> ---
>  drivers/pci/probe.c  | 36 +++++++++++++++++++-----------------
>  drivers/pci/remove.c |  2 +-
>  2 files changed, 20 insertions(+), 18 deletions(-)
> 
> diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
> index e21dc71b1907..e064ded6fbec 100644
> --- a/drivers/pci/probe.c
> +++ b/drivers/pci/probe.c
> @@ -565,7 +565,7 @@ static struct pci_bus *pci_alloc_bus(struct pci_bus *parent)
>  	return b;
>  }
>  
> -static void devm_pci_release_host_bridge_dev(struct device *dev)
> +static void pci_release_host_bridge_dev(struct device *dev)
>  {
>  	struct pci_host_bridge *bridge = to_pci_host_bridge(dev);
>  
> @@ -574,12 +574,7 @@ static void devm_pci_release_host_bridge_dev(struct device *dev)
>  
>  	pci_free_resource_list(&bridge->windows);
>  	pci_free_resource_list(&bridge->dma_ranges);
> -}
> -
> -static void pci_release_host_bridge_dev(struct device *dev)
> -{
> -	devm_pci_release_host_bridge_dev(dev);
> -	kfree(to_pci_host_bridge(dev));
> +	kfree(bridge);
>  }
>  
>  static void pci_init_host_bridge(struct pci_host_bridge *bridge)
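Review bot: pci_release_host_bridge_dev() is now the single place a struct pci_host_bridge is kfree()d, but nothing at the function says that it is the struct device .release callback or that every other path must reach it through put_device(); a reader seeing the bare `kfree(bridge)` at the end has to reconstruct the commit message to know that. Suggest a comment above the function: `/* struct device .release callback: the only place a host bridge is freed; everyone else drops a reference with put_device() */`. Where the callback is installed on bridge->dev is not visible in this hunk, and the function's opening lines are in the previous hunk.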
> @@ -599,6 +594,8 @@ static void pci_init_host_bridge(struct pci_host_bridge *bridge)
>  	bridge->native_pme = 1;
>  	bridge->native_ltr = 1;
>  	bridge->native_dpc = 1;
> +
> +	device_initialize(&bridge->dev);
>  }
>  
>  struct pci_host_bridge *pci_alloc_host_bridge(size_t priv)
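Review bot: The device_initialize() call added at the end of pci_init_host_bridge() is the point after which the struct may only be released through put_device(), yet the call site does not say so, and the release callback that makes put_device() safe is assigned outside this hunk (presumably in pci_alloc_host_bridge()). Suggest a comment above the call: `/* From here on the bridge is refcounted: release it with put_device(), never kfree() */`. pci_init_host_bridge() starts outside the hunk.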
> @@ -616,17 +613,25 @@ struct pci_host_bridge *pci_alloc_host_bridge(size_t priv)
>  }
>  EXPORT_SYMBOL(pci_alloc_host_bridge);
>  
> +static void devm_pci_alloc_host_bridge_release(void *data)
> +{
> +	pci_free_host_bridge(data);
> +}
> +
>  struct pci_host_bridge *devm_pci_alloc_host_bridge(struct device *dev,
>  						   size_t priv)
>  {
> +	int ret;
>  	struct pci_host_bridge *bridge;
>  
> -	bridge = devm_kzalloc(dev, sizeof(*bridge) + priv, GFP_KERNEL);
> +	bridge = pci_alloc_host_bridge(priv);
>  	if (!bridge)
>  		return NULL;
>  
> -	pci_init_host_bridge(bridge);
> -	bridge->dev.release = devm_pci_release_host_bridge_dev;
> +	ret = devm_add_action_or_reset(dev, devm_pci_alloc_host_bridge_release,
> +				       bridge);
> +	if (ret)
> +		return NULL;
>  
>  	return bridge;
>  }
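Review bot: The devres action registered on lines L103-L104 only drops the allocation reference (pci_free_host_bridge() is put_device() in this patch); it does not device_del() a bridge that has been registered in the meantime, so a driver's remove() presumably still has to tear the root bus down before unbind, otherwise the devres put would run against a device that is still added. That contract is not written down anywhere in the new code. Suggest a kernel-doc comment on devm_pci_alloc_host_bridge() saying that the bridge is allocated by pci_alloc_host_bridge(), that the managed release only puts the reference taken there, and that a registered bridge must still be removed by the driver before the devres release runs. On the error path the "or_reset" variant already runs the action, so returning NULL there is correct.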
> @@ -634,10 +639,7 @@ EXPORT_SYMBOL(devm_pci_alloc_host_bridge);
>  
>  void pci_free_host_bridge(struct pci_host_bridge *bridge)
>  {
> -	pci_free_resource_list(&bridge->windows);
> -	pci_free_resource_list(&bridge->dma_ranges);
> -
> -	kfree(bridge);
> +	put_device(&bridge->dev);
>  }
>  EXPORT_SYMBOL(pci_free_host_bridge);
>  
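Review bot: pci_free_host_bridge() now only drops one reference, so its name promises more than it does: called on a bridge that has been device_add()ed it will neither free nor unregister it, it will just leave it registered with one reference fewer, and a caller that still uses the pointer afterwards has no way to know whether the memory survived. Suggest documenting the contract above the function: `/* Drop the reference taken by pci_alloc_host_bridge(). Only for a bridge that was never registered, or after pci_remove_root_bus(); the memory is gone once the last reference goes. */`.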
> @@ -908,7 +910,7 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
>  	if (err)
>  		goto free;
>  
> -	err = device_register(&bridge->dev);
> +	err = device_add(&bridge->dev);
>  	if (err) {
>  		put_device(&bridge->dev);
>  		goto free;
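Review bot: After device_add() fails, the put_device() on L129 drops the reference taken by device_initialize() and, through the release callback that now kfree()s the bridge, frees it, so any owner that also puts the bridge on error puts it twice: pci_create_root_bus()'s err_out does put_device() on L151 of this patch, and the devres action on L85-L88 does the same at unbind for a devm-allocated bridge. Whether pci_create_root_bus() actually reaches err_out after a failed pci_register_host_bridge() is outside the hunk and should be checked, but the devm case looks unconditional. One side has to own the error-path put; if the callers keep theirs, this becomes `if (err) goto free;` with a comment `/* caller still owns the bridge reference and drops it */`, otherwise document that pci_register_host_bridge() consumes the bridge on failure. pci_register_host_bridge() starts and ends outside the hunk.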
> @@ -978,7 +980,7 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
>  
>  unregister:
>  	put_device(&bridge->dev);
> -	device_unregister(&bridge->dev);
> +	device_del(&bridge->dev);

I think we need to execute device_del() first, then put_device().

Thank you for fixing this code path.

Lorenzo

>  free:
>  	kfree(bus);
> @@ -2953,7 +2955,7 @@ struct pci_bus *pci_create_root_bus(struct device *parent, int bus,
>  	return bridge->bus;
>  
>  err_out:
> -	kfree(bridge);
> +	put_device(&bridge->dev);
>  	return NULL;
>  }
>  EXPORT_SYMBOL_GPL(pci_create_root_bus);
> diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c
> index e9c6b120cf45..95dec03d9f2a 100644
> --- a/drivers/pci/remove.c
> +++ b/drivers/pci/remove.c
> @@ -160,6 +160,6 @@ void pci_remove_root_bus(struct pci_bus *bus)
>  	host_bridge->bus = NULL;
>  
>  	/* remove the host bridge */
> -	device_unregister(&host_bridge->dev);
> +	device_del(&host_bridge->dev);
>  }
>  EXPORT_SYMBOL_GPL(pci_remove_root_bus);
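Review bot: Replacing device_unregister() with device_del() removes the put_device() that used to drop the bridge's allocation reference here, so a bridge obtained from pci_alloc_host_bridge() rather than the devm variant is now freed only if its owner calls pci_free_host_bridge() after pci_remove_root_bus(); the commit message covers the devm path but not this one, and the callers are outside this page. Suggest replacing the existing comment with `/* Unregister the host bridge; the owner's reference (pci_alloc_host_bridge() caller or the devm action) is dropped separately */` so the new split of responsibilities is visible at the call. pci_remove_root_bus() starts outside the hunk.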
> -- 
> 2.20.1
> 

