linux

mirror of https://github.com/torvalds/linux.git synced 2025-11-04 18:49:34 +02:00

History

Mostafa Saleh 9eee533065 PCI/MSI: Fix UAF in msi_capability_init KFENCE reports the following UAF: BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488 Use-after-free read at 0x0000000024629571 (in kfence-#12): __pci_enable_msi_range+0x2c0/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128 allocated by task 81 on cpu 7 at 10.808142s: __kmem_cache_alloc_node+0x1f0/0x2bc kmalloc_trace+0x44/0x138 msi_alloc_desc+0x3c/0x9c msi_domain_insert_msi_desc+0x30/0x78 msi_setup_msi_desc+0x13c/0x184 __pci_enable_msi_range+0x258/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 freed by task 81 on cpu 7 at 10.811436s: msi_domain_free_descs+0xd4/0x10c msi_domain_free_locked.part.0+0xc0/0x1d8 msi_domain_alloc_irqs_all_locked+0xb4/0xbc pci_msi_setup_msi_irqs+0x30/0x4c __pci_enable_msi_range+0x2a8/0x488 pci_alloc_irq_vectors_affinity+0xec/0x14c pci_alloc_irq_vectors+0x18/0x28 Descriptor allocation done in: __pci_enable_msi_range msi_capability_init msi_setup_msi_desc msi_insert_msi_desc msi_domain_insert_msi_desc msi_alloc_desc ... Freed in case of failure in __msi_domain_alloc_locked() __pci_enable_msi_range msi_capability_init pci_msi_setup_msi_irqs msi_domain_alloc_irqs_all_locked msi_domain_alloc_locked __msi_domain_alloc_locked => fails msi_domain_free_locked ... That failure propagates back to pci_msi_setup_msi_irqs() in msi_capability_init() which accesses the descriptor for unmasking in the error exit path. Cure it by copying the descriptor and using the copy for the error exit path unmask operation. [ tglx: Massaged change log ] Fixes: `bf6e054e0e` ("genirq/msi: Provide msi_device_populate/destroy_sysfs()") Suggested-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Mostafa Saleh <smostafa@google.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Bjorn Heelgas <bhelgaas@google.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240624203729.1094506-1-smostafa@google.com		2024-06-24 23:33:38 +02:00
..
controller	Merge branch 'pci/controller/tegra194'	2024-05-16 18:14:13 -05:00
endpoint	Merge branch 'pci/endpoint'	2024-05-16 18:14:13 -05:00
hotplug	PCI: hotplug: Remove obsolete sgi_hotplug TODO notes	2024-05-03 16:26:50 -05:00
msi	PCI/MSI: Fix UAF in msi_capability_init	2024-06-24 23:33:38 +02:00
pcie	pci-v6.10-changes	2024-05-21 10:09:28 -07:00
switch
access.c	PCI: Revert the cfg_access_lock lockdep mechanism	2024-06-04 12:10:05 -05:00
ats.c
bus.c
devres.c
doe.c	PCI/DOE: Support discovery version 2	2024-04-09 09:33:15 -05:00
ecam.c
host-bridge.c
iomap.c
iov.c
irq.c
Kconfig
Makefile	Merge branch 'pci/sysfs'	2024-03-12 12:14:23 -05:00
mmap.c
of.c
of_property.c	PCI: of_property: Return error for int_map allocation failure	2024-05-02 17:15:01 -05:00
p2pdma.c
pci-acpi.c
pci-bridge-emul.c
pci-bridge-emul.h
pci-driver.c	Merge branch 'pci/misc'	2024-03-12 12:14:24 -05:00
pci-label.c
pci-mid.c
pci-pf-stub.c
pci-stub.c
pci-sysfs.c
pci.c	PCI: Revert the cfg_access_lock lockdep mechanism	2024-06-04 12:10:05 -05:00
pci.h	PCI: Make pcie_bandwidth_capable() static	2024-05-08 19:03:55 -05:00
probe.c	PCI: Revert the cfg_access_lock lockdep mechanism	2024-06-04 12:10:05 -05:00
proc.c
quirks.c	pci-v6.10-changes	2024-05-21 10:09:28 -07:00
remove.c
rom.c
search.c
setup-bus.c
setup-res.c
slot.c
syscall.c
vc.c
vgaarb.c
vpd.c
xen-pcifront.c