linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Anders Roxell <anders.roxell@linaro.org>,
	Rob Herring <robh@kernel.org>,
	Bjorn Helgaas <bhelgaas@google.com>,
	Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Tyler Hicks <tyhicks@linux.microsoft.com>
Subject: [PATCH 5.4 47/56] PCI: Fix pci_host_bridge struct device release/free handling
Date: Mon,  4 Oct 2021 14:53:07 +0200	[thread overview]
Message-ID: <20211004125031.486249023@linuxfoundation.org> (raw)
In-Reply-To: <20211004125030.002116402@linuxfoundation.org>

From: Rob Herring <robh@kernel.org>

commit 9885440b16b8fc1dd7275800fd28f56a92f60896 upstream.

The PCI code has several paths where the struct pci_host_bridge is freed
directly. This is wrong because it contains a struct device which is
refcounted and should be freed using put_device(). This can result in
use-after-free errors. I think this problem has existed since 2012 with
commit 7b5436635800 ("PCI: add generic device into pci_host_bridge
struct"). It generally hasn't mattered as most host bridge drivers are
still built-in and can't unbind.

The problem is a struct device should never be freed directly once
device_initialize() is called and a ref is held, but that doesn't happen
until pci_register_host_bridge(). There's then a window between allocating
the host bridge and pci_register_host_bridge() where kfree should be used.
This is fragile and requires callers to do the right thing. To fix this, we
need to split device_register() into device_initialize() and device_add()
calls, so that the host bridge struct is always freed by using a
put_device().

devm_pci_alloc_host_bridge() is using devm_kzalloc() to allocate struct
pci_host_bridge which will be freed directly. Instead, we can use a custom
devres action to call put_device().

Link: https://lore.kernel.org/r/20200513223859.11295-2-robh@kernel.org
Reported-by: Anders Roxell <anders.roxell@linaro.org>
Tested-by: Anders Roxell <anders.roxell@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
[tyhicks: Minor contextual change in pci_init_host_bridge() due to the
 lack of a native_dpc member in the pci_host_bridge struct. It was added
 in v5.7 with commit ac1c8e35a326 ("PCI/DPC: Add Error Disconnect
 Recover (EDR) support")]
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/probe.c  |   36 +++++++++++++++++++-----------------
 drivers/pci/remove.c |    2 +-
 2 files changed, 20 insertions(+), 18 deletions(-)

--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -564,7 +564,7 @@ static struct pci_bus *pci_alloc_bus(str
 	return b;
 }
 
-static void devm_pci_release_host_bridge_dev(struct device *dev)
+static void pci_release_host_bridge_dev(struct device *dev)
 {
 	struct pci_host_bridge *bridge = to_pci_host_bridge(dev);
 
@@ -573,12 +573,7 @@ static void devm_pci_release_host_bridge
 
 	pci_free_resource_list(&bridge->windows);
 	pci_free_resource_list(&bridge->dma_ranges);
-}
-
-static void pci_release_host_bridge_dev(struct device *dev)
-{
-	devm_pci_release_host_bridge_dev(dev);
-	kfree(to_pci_host_bridge(dev));
+	kfree(bridge);
 }
 
 static void pci_init_host_bridge(struct pci_host_bridge *bridge)
@@ -597,6 +592,8 @@ static void pci_init_host_bridge(struct
 	bridge->native_shpc_hotplug = 1;
 	bridge->native_pme = 1;
 	bridge->native_ltr = 1;
+
+	device_initialize(&bridge->dev);
 }
 
 struct pci_host_bridge *pci_alloc_host_bridge(size_t priv)
@@ -614,17 +611,25 @@ struct pci_host_bridge *pci_alloc_host_b
 }
 EXPORT_SYMBOL(pci_alloc_host_bridge);
 
+static void devm_pci_alloc_host_bridge_release(void *data)
+{
+	pci_free_host_bridge(data);
+}
+
 struct pci_host_bridge *devm_pci_alloc_host_bridge(struct device *dev,
 						   size_t priv)
 {
+	int ret;
 	struct pci_host_bridge *bridge;
 
-	bridge = devm_kzalloc(dev, sizeof(*bridge) + priv, GFP_KERNEL);
+	bridge = pci_alloc_host_bridge(priv);
 	if (!bridge)
 		return NULL;
 
-	pci_init_host_bridge(bridge);
-	bridge->dev.release = devm_pci_release_host_bridge_dev;
+	ret = devm_add_action_or_reset(dev, devm_pci_alloc_host_bridge_release,
+				       bridge);
+	if (ret)
+		return NULL;
 
 	return bridge;
 }
@@ -632,10 +637,7 @@ EXPORT_SYMBOL(devm_pci_alloc_host_bridge
 
 void pci_free_host_bridge(struct pci_host_bridge *bridge)
 {
-	pci_free_resource_list(&bridge->windows);
-	pci_free_resource_list(&bridge->dma_ranges);
-
-	kfree(bridge);
+	put_device(&bridge->dev);
 }
 EXPORT_SYMBOL(pci_free_host_bridge);
 
@@ -866,7 +868,7 @@ static int pci_register_host_bridge(stru
 	if (err)
 		goto free;
 
-	err = device_register(&bridge->dev);
+	err = device_add(&bridge->dev);
 	if (err) {
 		put_device(&bridge->dev);
 		goto free;
@@ -933,7 +935,7 @@ static int pci_register_host_bridge(stru
 
 unregister:
 	put_device(&bridge->dev);
-	device_unregister(&bridge->dev);
+	device_del(&bridge->dev);
 
 free:
 	kfree(bus);
@@ -2945,7 +2947,7 @@ struct pci_bus *pci_create_root_bus(stru
 	return bridge->bus;
 
 err_out:
-	kfree(bridge);
+	put_device(&bridge->dev);
 	return NULL;
 }
 EXPORT_SYMBOL_GPL(pci_create_root_bus);
--- a/drivers/pci/remove.c
+++ b/drivers/pci/remove.c
@@ -160,6 +160,6 @@ void pci_remove_root_bus(struct pci_bus
 	host_bridge->bus = NULL;
 
 	/* remove the host bridge */
-	device_unregister(&host_bridge->dev);
+	device_del(&host_bridge->dev);
 }
 EXPORT_SYMBOL_GPL(pci_remove_root_bus);



  parent reply	other threads:[~2021-10-04 13:18 UTC|newest]

Thread overview: 62+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-10-04 12:52 [PATCH 5.4 00/56] 5.4.151-rc1 review Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 01/56] tty: Fix out-of-bound vmalloc access in imageblit Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 02/56] cpufreq: schedutil: Use kobject release() method to free sugov_tunables Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 03/56] cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 04/56] usb: cdns3: fix race condition before setting doorbell Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 05/56] fs-verity: fix signed integer overflow with i_size near S64_MAX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 06/56] hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 07/56] hwmon: (w83792d) " Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 08/56] hwmon: (w83791d) " Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 09/56] scsi: ufs: Fix illegal offset in UPIU event trace Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 10/56] mac80211: fix use-after-free in CCMP/GCMP RX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 11/56] x86/kvmclock: Move this_cpu_pvti into kvmclock.h Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 12/56] drm/amd/display: Pass PCI deviceid into DC Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 13/56] ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 14/56] hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 15/56] mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 16/56] mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 17/56] mac80211: mesh: fix potentially unaligned access Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 18/56] mac80211-hwsim: fix late beacon hrtimer handling Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 19/56] sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 20/56] hwmon: (tmp421) report /PVLD condition as fault Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 21/56] hwmon: (tmp421) fix rounding for negative values Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 22/56] net: ipv4: Fix rtnexthop len when RTA_FLOW is present Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 23/56] e100: fix length calculation in e100_get_regs_len Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 24/56] e100: fix buffer overrun in e100_get_regs Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 25/56] selftests, bpf: test_lwt_ip_encap: Really disable rp_filter Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 26/56] Revert "block, bfq: honor already-setup queue merges" Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 27/56] scsi: csiostor: Add module softdep on cxgb4 Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 28/56] net: hns3: do not allow call hns3_nic_net_open repeatedly Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 29/56] net: phy: bcm7xxx: request and manage GPHY clock Greg Kroah-Hartman
2021-10-04 20:35   ` Florian Fainelli
2021-10-05  6:56     ` Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 30/56] net: phy: bcm7xxx: Fixed indirect MMD operations Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 31/56] net: sched: flower: protect fl_walk() with rcu Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 32/56] af_unix: fix races in sk_peer_pid and sk_peer_cred accesses Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 33/56] perf/x86/intel: Update event constraints for ICX Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 34/56] elf: dont use MAP_FIXED_NOREPLACE for elf interpreter mappings Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 35/56] debugfs: debugfs_create_file_size(): use IS_ERR to check for error Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 36/56] ipack: ipoctal: fix stack information leak Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 37/56] ipack: ipoctal: fix tty registration race Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 38/56] ipack: ipoctal: fix tty-registration error handling Greg Kroah-Hartman
2021-10-04 12:52 ` [PATCH 5.4 39/56] ipack: ipoctal: fix missing allocation-failure check Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 40/56] ipack: ipoctal: fix module reference leak Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 41/56] ext4: fix loff_t overflow in ext4_max_bitmap_size() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 42/56] ext4: fix reserved space counter leakage Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 43/56] ext4: fix potential infinite loop in ext4_dx_readdir() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 44/56] HID: u2fzero: ignore incomplete packets without data Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 45/56] net: udp: annotate data race around udp_sk(sk)->corkflag Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 46/56] net: stmmac: dont attach interface until resume finishes Greg Kroah-Hartman
2021-10-04 12:53 ` Greg Kroah-Hartman [this message]
2021-10-04 12:53 ` [PATCH 5.4 48/56] libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 49/56] hso: fix bailout in error case of probe Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 50/56] usb: hso: fix error handling code of hso_create_net_device Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 51/56] usb: hso: remove the bailout parameter Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 52/56] crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 53/56] HID: betop: fix slab-out-of-bounds Write in betop_probe Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 54/56] netfilter: ipset: Fix oversized kvmalloc() calls Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 55/56] HID: usbhid: free raw_report buffers in usbhid_stop Greg Kroah-Hartman
2021-10-04 12:53 ` [PATCH 5.4 56/56] net: mdiobus: Fix memory leak in __mdiobus_register Greg Kroah-Hartman
2021-10-04 20:36   ` Florian Fainelli
2021-10-04 19:47 ` [PATCH 5.4 00/56] 5.4.151-rc1 review Shuah Khan
2021-10-05  2:17 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211004125031.486249023@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=anders.roxell@linaro.org \
    --cc=arnd@arndb.de \
    --cc=bhelgaas@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lorenzo.pieralisi@arm.com \
    --cc=robh@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=tyhicks@linux.microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).