[PATCH AUTOSEL 6.1 5/5] PCI: apple: Fix missing OF node reference in apple_pcie_setup

linux-pci.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH AUTOSEL 6.1 5/5] PCI: apple: Fix missing OF node reference in apple_pcie_setup_port
       [not found] <20250608125543.934436-1-sashal@kernel.org>
@ 2025-06-08 12:55 ` Sasha Levin
  0 siblings, 0 replies; only message in thread
From: Sasha Levin @ 2025-06-08 12:55 UTC (permalink / raw)
  To: patches, stable
  Cc: Hector Martin, Alyssa Rosenzweig, Marc Zyngier,
	Manivannan Sadhasivam, Janne Grunau, Rob Herring, Sasha Levin,
	lpieralisi, kwilczynski, mani, linux-pci

From: Hector Martin <marcan@marcan.st>

[ Upstream commit 7fa9fbf39116b061f8a41cd84f1884c545f322c4 ]

In the success path, we hang onto a reference to the node, so make sure
to grab one. The caller iterator puts our borrowed reference when we
return.

Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Tested-by: Janne Grunau <j@jannau.net>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Acked-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
Link: https://patch.msgid.link/20250401091713.2765724-9-maz@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

Based on my analysis of the commit and the Apple PCIe driver code, here
is my assessment:

**YES**

This commit should be backported to stable kernel trees. Here's my
detailed analysis:

## Analysis of the Bug Fix

### Nature of the Bug
The commit fixes a **use-after-free vulnerability** in the Apple PCIe
driver's device tree node reference handling. The specific issue is:

1. **Missing Reference Count**: In `apple_pcie_setup_port()`, the
   function stores a device tree node pointer (`port->np = np`) without
   calling `of_node_get()` to increment its reference count.

2. **Automatic Cleanup Conflict**: The caller uses
   `for_each_child_of_node_scoped()` which automatically calls
   `of_node_put()` when the scoped variable goes out of scope, making
   the stored pointer invalid.

3. **Later Usage**: The stored node pointer is used in interrupt
   handlers and other functions that execute after the setup function
   returns, creating a use-after-free condition.

### Code Change Analysis
The fix adds a single line:
```c
+ /* In the success path, we keep a reference to np around */
+ of_node_get(np);
```

This increment to the node's reference count ensures the device tree
node remains valid for the lifetime of the port structure.

### Why This Should Be Backported

**1. Critical Bug Type**: Use-after-free vulnerabilities are serious
memory safety issues that can lead to:
   - System crashes when accessing freed memory
   - Memory corruption if freed memory is reused
   - Potential security exploits in kernel space

**2. Minimal Risk Fix**: The change is:
   - **Small and contained**: Only one line added
   - **Well-understood**: Standard device tree reference counting
     pattern
   - **No architectural changes**: Doesn't modify driver logic or
     behavior
   - **Low regression risk**: Following established kernel patterns

**3. User Impact**: Apple Silicon Mac users experience:
   - PCIe device crashes during interrupt handling
   - System instability when PCIe devices are accessed
   - Potential data corruption from memory safety violations

**4. Stable Tree Criteria Alignment**:
   - ✅ **Important bugfix**: Fixes memory safety issue affecting real
     users
   - ✅ **Minimal scope**: Change confined to single function in one
     driver
   - ✅ **Low risk**: Standard reference counting fix with established
     patterns
   - ✅ **No new features**: Pure bug fix with no functional changes

**5. Comparison with Similar Commits**: Looking at the provided
examples:
   - Similar to commit #2 (Xilinx PCIe `of_node_put()` fix) which was
     marked **YES** for backporting
   - Similar to commit #5 (pata_macio `of_node_put()` fix) which was
     also a reference counting fix
   - These device tree reference counting fixes are consistently
     backported due to their memory safety implications

### Conclusion
This commit fixes a genuine use-after-free bug in a critical driver
subsystem with minimal risk and clear benefit to users. The fix follows
established kernel patterns and meets all criteria for stable tree
backporting. The Apple PCIe driver is used by all Apple Silicon Mac
systems, making this fix important for a significant user base.

 drivers/pci/controller/pcie-apple.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c
index 2340dab6cd5bd..f380b0595768b 100644
--- a/drivers/pci/controller/pcie-apple.c
+++ b/drivers/pci/controller/pcie-apple.c
@@ -585,6 +585,9 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
 	list_add_tail(&port->entry, &pcie->ports);
 	init_completion(&pcie->event);

+	/* In the success path, we keep a reference to np around */
+	of_node_get(np);
+
 	ret = apple_pcie_port_register_irqs(port);
 	WARN_ON(ret);

-- 
2.39.5

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2025-06-08 12:55 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20250608125543.934436-1-sashal@kernel.org>
2025-06-08 12:55 ` [PATCH AUTOSEL 6.1 5/5] PCI: apple: Fix missing OF node reference in apple_pcie_setup_port Sasha Levin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).