Date: Mon, 25 Sep 2023 10:40:48 +0100
Message-ID: <87o7hqmvz3.wl-maz@kernel.org>
From: Marc Zyngier
To: Dinghao Liu
Cc: Toan Le, Lorenzo Pieralisi, Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas, Duc Dang, Tanmay Inamdar, linux-pci@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe
In-Reply-To: <20230925062133.14170-1-dinghao.liu@zju.edu.cn>
References: <20230925062133.14170-1-dinghao.liu@zju.edu.cn>

On Mon, 25 Sep 2023 07:21:32 +0100, Dinghao Liu wrote:
>
> xgene_allocate_domains() will call irq_domain_remove() to free
> msi->inner_domain on failure. However, its caller, xgene_msi_probe(),
> will also call irq_domain_remove() through xgene_msi_remove() on the
> same failure, which may lead to a use-after-free. Set the freed pointer
> to NULL to fix this issue.
>
> Fixes: dcd19de36775 ("PCI: xgene: Add APM X-Gene v1 PCIe MSI/MSIX termination driver")
> Signed-off-by: Dinghao Liu
> --- > drivers/pci/controller/pci-xgene-msi.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/pci/controller/pci-xgene-msi.c b/drivers/pci/controller/pci-xgene-msi.c > index 3ce38dfd0d29..c0192c5ff0f3 100644 > --- a/drivers/pci/controller/pci-xgene-msi.c > +++ b/drivers/pci/controller/pci-xgene-msi.c > @@ -253,6 +253,7 @@ static int xgene_allocate_domains(struct xgene_msi *msi) > > if (!msi->msi_domain) { > irq_domain_remove(msi->inner_domain); > + msi->inner_domain = NULL; > return -ENOMEM; > }

Why can't we just drop the irq_domain_remove() call here instead, and
simply rely on xgene_msi_remove() to do the right thing?

Something like the untested patch below.

Thanks,

M.

diff --git a/drivers/pci/controller/pci-xgene-msi.c b/drivers/pci/controller/pci-xgene-msi.c index 0234e528b9a5..f98c9eb7bebf 100644 --- a/drivers/pci/controller/pci-xgene-msi.c +++ b/drivers/pci/controller/pci-xgene-msi.c @@ -251,10 +251,8 @@ static int xgene_allocate_domains(struct xgene_msi *msi) &xgene_msi_domain_info, msi->inner_domain); - if (!msi->msi_domain) { - irq_domain_remove(msi->inner_domain); + if (!msi->msi_domain) return -ENOMEM; - } return 0; }

-- 
Without deviation from the norm, progress is not possible.
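
Review bot: in the quoted hunk at "@@ -253,6 +253,7 @@", the added "msi->inner_domain = NULL;" only prevents the second removal if the xgene_msi_remove() path tests the pointer before calling irq_domain_remove(), and neither the hunk nor the commit message shows or states that check. Please name the function that performs the NULL test in the commit message, or add the test in the same patch, so the fix can be verified from the change itself.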
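
Review bot: in the reply's hunk at "@@ -251,10 +251,8 @@", removing the local irq_domain_remove() means xgene_allocate_domains() now returns -ENOMEM with msi->inner_domain still allocated, so every caller must reach xgene_msi_remove() on this error, and the patch is marked untested with nothing in the hunk recording that contract. A short comment above "return -ENOMEM;" saying that teardown is left to xgene_msi_remove() would keep a later caller from leaking the inner domain. The index line (0234e528b9a5) and hunk offset (251) also differ from the quoted patch (3ce38dfd0d29, 253), so the two diffs are against different bases and should be compared on the same tree.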
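
The failure path described in the commit message and the two fixes proposed in this thread, as an added user-space model (not kernel code and not written by either author). The names domain_remove(), allocate_domains() and msi_teardown() are hypothetical stand-ins, and the NULL check in the teardown is an assumption.

```c
/* User-space model, constructed for illustration; not the driver's code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct domain { int removals; };	/* counts removals instead of freeing memory */
struct msi { struct domain *inner_domain; };

enum variant { ORIGINAL, NULL_AFTER_REMOVE, SINGLE_OWNER };

/* Static storage, so a second removal is observable rather than undefined. */
static struct domain inner;

static void domain_remove(struct domain *d) { d->removals++; }

/* Stand-in for xgene_allocate_domains() when creating the MSI domain fails. */
static int allocate_domains(struct msi *m, enum variant v)
{
	m->inner_domain = &inner;
	if (v != SINGLE_OWNER)
		domain_remove(m->inner_domain);	/* callee cleans up locally */
	if (v == NULL_AFTER_REMOVE)
		m->inner_domain = NULL;		/* first proposal: clear the stale pointer */
	return -ENOMEM;
}

/* Stand-in for the teardown run by the probe error path (NULL check assumed). */
static void msi_teardown(struct msi *m)
{
	if (m->inner_domain)
		domain_remove(m->inner_domain);
	m->inner_domain = NULL;
}

/* Number of times the inner domain is removed during one failed probe. */
int removals_on_failed_probe(enum variant v)
{
	struct msi m = { NULL };

	inner.removals = 0;
	if (allocate_domains(&m, v))
		msi_teardown(&m);
	return inner.removals;
}

int main(void)
{
	printf("original=%d null-after-remove=%d single-owner=%d\n",
	       removals_on_failed_probe(ORIGINAL),
	       removals_on_failed_probe(NULL_AFTER_REMOVE),
	       removals_on_failed_probe(SINGLE_OWNER));
	return 0;
}
```

A count of 2 is the double removal; both proposals bring it to 1, the first by clearing the stale pointer and the second by leaving a single owner for the cleanup.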