From: Bjorn Helgaas <helgaas@kernel.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Marc Zyngier <maz@kernel.org>, Tong Zhang <ztong0001@gmail.com>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	open list <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] PCI/MSI: Prevent UAF in error path
Date: Wed, 19 Jan 2022 12:37:37 -0600
Message-ID: <20220119183737.GA954267@bhelgaas>
In-Reply-To: <87r1938vbn.ffs@tglx>

On Wed, Jan 19, 2022 at 06:54:52PM +0100, Thomas Gleixner wrote:
> When the core MSI allocation fails, then the PCI/MSI code uses an already
> freed MSI descriptor to unmask the MSI mask register in order to bring it back
> into reset state.
> 
> Remove MSI_FLAG_FREE_MSI_DESCS from the PCI/MSI irqdomain flags and let the
> PCI/MSI code free the MSI descriptors after usage.
> 
> Fixes: 0f62d941acf9 ("genirq/msi: Provide msi_domain_alloc/free_irqs_descs_locked()")
> Reported-by: Tong Zhang <ztong0001@gmail.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

Acked-by: Bjorn Helgaas <bhelgaas@google.com>

What does "UAF" stand for?  Ah, "use after free" I guess?

Let me know if I should take this.  Otherwise I assume it'll go
wherever 0f62d941acf9 went.

> ---
>  drivers/pci/msi/irqdomain.c |    4 ++--
>  drivers/pci/msi/legacy.c    |    1 -
>  2 files changed, 2 insertions(+), 3 deletions(-)
> 
> --- a/drivers/pci/msi/irqdomain.c
> +++ b/drivers/pci/msi/irqdomain.c
> @@ -28,6 +28,7 @@ void pci_msi_teardown_msi_irqs(struct pc
>  		msi_domain_free_irqs_descs_locked(domain, &dev->dev);
>  	else
>  		pci_msi_legacy_teardown_msi_irqs(dev);
> +	msi_free_msi_descs(&dev->dev);
>  }
>  
>  /**
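
Review bot: the added msi_free_msi_descs(&dev->dev) at the end of pci_msi_teardown_msi_irqs() has no comment saying why the free lives here rather than in the core. Per the commit message, the PCI/MSI error path still needs the descriptor to restore the mask register, so this call is now the single point where descriptor lifetime ends for both the irqdomain and the legacy branch. A one-line comment above it stating that callers must finish using the descriptors (including the unmask) before calling this function would keep someone from re-adding MSI_FLAG_FREE_MSI_DESCS later and reintroducing the use after free.
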
> @@ -171,8 +172,7 @@ struct irq_domain *pci_msi_create_irq_do
>  	if (info->flags & MSI_FLAG_USE_DEF_CHIP_OPS)
>  		pci_msi_domain_update_chip_ops(info);
>  
> -	info->flags |= MSI_FLAG_ACTIVATE_EARLY | MSI_FLAG_DEV_SYSFS |
> -		       MSI_FLAG_FREE_MSI_DESCS;
> +	info->flags |= MSI_FLAG_ACTIVATE_EARLY | MSI_FLAG_DEV_SYSFS;
>  	if (IS_ENABLED(CONFIG_GENERIC_IRQ_RESERVATION_MODE))
>  		info->flags |= MSI_FLAG_MUST_REACTIVATE;
>  
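
Review bot: in pci_msi_create_irq_domain() the flags are only OR-ed in ("info->flags |= ..."), so dropping MSI_FLAG_FREE_MSI_DESCS from this expression does not clear it if the caller's msi_domain_info already has it set. In that case the core would still free the descriptors, and the new msi_free_msi_descs() call in pci_msi_teardown_msi_irqs() would run after them. Consider masking the bit off explicitly here, or warning when a caller passes it, so the PCI/MSI ownership rule is enforced rather than assumed.
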
> --- a/drivers/pci/msi/legacy.c
> +++ b/drivers/pci/msi/legacy.c
> @@ -77,5 +77,4 @@ void pci_msi_legacy_teardown_msi_irqs(st
>  {
>  	msi_device_destroy_sysfs(&dev->dev);
>  	arch_teardown_msi_irqs(dev);
> -	msi_free_msi_descs(&dev->dev);
>  }
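
Review bot: with msi_free_msi_descs(&dev->dev) removed, pci_msi_legacy_teardown_msi_irqs() no longer frees the descriptors and depends on its caller to do so. The visible hunks show only pci_msi_teardown_msi_irqs() taking over that job; any other direct caller of the legacy function would now leak the descriptors. Worth confirming there is none, and noting the new contract in the function's comment.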
