[PATCH] PCI: endpoint: use after free in pci_epf_unregister

linux-pci.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] PCI: endpoint: use after free in pci_epf_unregister_driver()
@ 2018-05-31  6:21 Dan Carpenter
  2018-06-29 10:00 ` Lorenzo Pieralisi
  2018-06-29 13:47 ` Lorenzo Pieralisi
  0 siblings, 2 replies; 4+ messages in thread
From: Dan Carpenter @ 2018-05-31  6:21 UTC (permalink / raw)
  To: Kishon Vijay Abraham I
  Cc: Lorenzo Pieralisi, Bjorn Helgaas, linux-pci, kernel-janitors

We need to use list_for_each_entry_safe() because the
pci_ep_cfs_remove_epf_group() function frees "group".

Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c
index 523a8cab3bfb..bf53fad636a5 100644
--- a/drivers/pci/endpoint/pci-epf-core.c
+++ b/drivers/pci/endpoint/pci-epf-core.c
@@ -145,10 +145,10 @@ EXPORT_SYMBOL_GPL(pci_epf_alloc_space);
  */
 void pci_epf_unregister_driver(struct pci_epf_driver *driver)
 {
-	struct config_group *group;
+	struct config_group *group, *tmp;
 
 	mutex_lock(&pci_epf_mutex);
-	list_for_each_entry(group, &driver->epf_group, group_entry)
+	list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
 		pci_ep_cfs_remove_epf_group(group);
 	list_del(&driver->epf_group);
 	mutex_unlock(&pci_epf_mutex);

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] PCI: endpoint: use after free in pci_epf_unregister_driver()
  2018-05-31  6:21 [PATCH] PCI: endpoint: use after free in pci_epf_unregister_driver() Dan Carpenter
@ 2018-06-29 10:00 ` Lorenzo Pieralisi
  2018-06-29 10:00   ` Kishon Vijay Abraham I
  2018-06-29 13:47 ` Lorenzo Pieralisi
  1 sibling, 1 reply; 4+ messages in thread
From: Lorenzo Pieralisi @ 2018-06-29 10:00 UTC (permalink / raw)
  To: Dan Carpenter, Kishon Vijay Abraham I
  Cc: Bjorn Helgaas, linux-pci, kernel-janitors

On Thu, May 31, 2018 at 09:21:48AM +0300, Dan Carpenter wrote:
> We need to use list_for_each_entry_safe() because the
> pci_ep_cfs_remove_epf_group() function frees "group".
> 
> Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c
> index 523a8cab3bfb..bf53fad636a5 100644
> --- a/drivers/pci/endpoint/pci-epf-core.c
> +++ b/drivers/pci/endpoint/pci-epf-core.c
> @@ -145,10 +145,10 @@ EXPORT_SYMBOL_GPL(pci_epf_alloc_space);
>   */
>  void pci_epf_unregister_driver(struct pci_epf_driver *driver)
>  {
> -	struct config_group *group;
> +	struct config_group *group, *tmp;
>  
>  	mutex_lock(&pci_epf_mutex);
> -	list_for_each_entry(group, &driver->epf_group, group_entry)
> +	list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
>  		pci_ep_cfs_remove_epf_group(group);
>  	list_del(&driver->epf_group);
>  	mutex_unlock(&pci_epf_mutex);

Kishon, I need your ACK to merge this fix, thanks.

Lorenzo

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] PCI: endpoint: use after free in pci_epf_unregister_driver()
  2018-06-29 10:00 ` Lorenzo Pieralisi
@ 2018-06-29 10:00   ` Kishon Vijay Abraham I
  0 siblings, 0 replies; 4+ messages in thread
From: Kishon Vijay Abraham I @ 2018-06-29 10:00 UTC (permalink / raw)
  To: Lorenzo Pieralisi, Dan Carpenter
  Cc: Bjorn Helgaas, linux-pci, kernel-janitors



On Friday 29 June 2018 03:30 PM, Lorenzo Pieralisi wrote:
> On Thu, May 31, 2018 at 09:21:48AM +0300, Dan Carpenter wrote:
>> We need to use list_for_each_entry_safe() because the
>> pci_ep_cfs_remove_epf_group() function frees "group".
>>
>> Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>>
>> diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c
>> index 523a8cab3bfb..bf53fad636a5 100644
>> --- a/drivers/pci/endpoint/pci-epf-core.c
>> +++ b/drivers/pci/endpoint/pci-epf-core.c
>> @@ -145,10 +145,10 @@ EXPORT_SYMBOL_GPL(pci_epf_alloc_space);
>>   */
>>  void pci_epf_unregister_driver(struct pci_epf_driver *driver)
>>  {
>> -	struct config_group *group;
>> +	struct config_group *group, *tmp;
>>  
>>  	mutex_lock(&pci_epf_mutex);
>> -	list_for_each_entry(group, &driver->epf_group, group_entry)
>> +	list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
>>  		pci_ep_cfs_remove_epf_group(group);
>>  	list_del(&driver->epf_group);
>>  	mutex_unlock(&pci_epf_mutex);
> 
> Kishon, I need your ACK to merge this fix, thanks.

Looks correct to me.
Acked-by: Kishon Vijay Abraham I <kishon@ti.com>
> 
> Lorenzo
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] PCI: endpoint: use after free in pci_epf_unregister_driver()
  2018-05-31  6:21 [PATCH] PCI: endpoint: use after free in pci_epf_unregister_driver() Dan Carpenter
  2018-06-29 10:00 ` Lorenzo Pieralisi
@ 2018-06-29 13:47 ` Lorenzo Pieralisi
  1 sibling, 0 replies; 4+ messages in thread
From: Lorenzo Pieralisi @ 2018-06-29 13:47 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Kishon Vijay Abraham I, Bjorn Helgaas, linux-pci, kernel-janitors

On Thu, May 31, 2018 at 09:21:48AM +0300, Dan Carpenter wrote:
> We need to use list_for_each_entry_safe() because the
> pci_ep_cfs_remove_epf_group() function frees "group".
> 
> Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c

Applied to pci/controller-fixes to be tentatively merged for -rc4,
thanks.

Lorenzo

> index 523a8cab3bfb..bf53fad636a5 100644
> --- a/drivers/pci/endpoint/pci-epf-core.c
> +++ b/drivers/pci/endpoint/pci-epf-core.c
> @@ -145,10 +145,10 @@ EXPORT_SYMBOL_GPL(pci_epf_alloc_space);
>   */
>  void pci_epf_unregister_driver(struct pci_epf_driver *driver)
>  {
> -	struct config_group *group;
> +	struct config_group *group, *tmp;
>  
>  	mutex_lock(&pci_epf_mutex);
> -	list_for_each_entry(group, &driver->epf_group, group_entry)
> +	list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
>  		pci_ep_cfs_remove_epf_group(group);
>  	list_del(&driver->epf_group);
>  	mutex_unlock(&pci_epf_mutex);

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2018-06-29 13:45 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-05-31  6:21 [PATCH] PCI: endpoint: use after free in pci_epf_unregister_driver() Dan Carpenter
2018-06-29 10:00 ` Lorenzo Pieralisi
2018-06-29 10:00   ` Kishon Vijay Abraham I
2018-06-29 13:47 ` Lorenzo Pieralisi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).