From: Lukas Wunner <lukas@wunner.de>
To: "Wassenberg, Dennis" <Dennis.Wassenberg@secunet.com>
Cc: "kbusch@kernel.org" <kbusch@kernel.org>,
"mika.westerberg@linux.intel.com"
<mika.westerberg@linux.intel.com>,
"ilpo.jarvinen@linux.intel.com" <ilpo.jarvinen@linux.intel.com>,
"linux-pci@vger.kernel.org" <linux-pci@vger.kernel.org>,
"mpearson-lenovo@squebb.ca" <mpearson-lenovo@squebb.ca>,
"Jonathan.Cameron@huawei.com" <Jonathan.Cameron@huawei.com>,
"minipli@grsecurity.net" <minipli@grsecurity.net>
Subject: Re: UAF during boot on MTL based devices with attached dock
Date: Tue, 8 Oct 2024 15:58:34 +0200 [thread overview]
Message-ID: <ZwU6ijD8I5hzMv9X@wunner.de> (raw)
In-Reply-To: <bdc3963903e7c4aeec7c34ac0d46c4368152a8c2.camel@secunet.com>
On Mon, Oct 07, 2024 at 04:49:19PM +0000, Wassenberg, Dennis wrote:
> > The unplug event happens at the top of the hierarchy (below the Root Port).
> > So pci_bus_add_devices() binds the Root Port, its driver starts stopping
> > and removing the hierarchy below, all the while pci_bus_add_devices()
> > continues binding drivers to the child devices.
> >
> > Could you try this patch (in addition to the one below and to the one
> > I sent yesterday):
> >
> > https://lore.kernel.org/all/20241003084342.27501-1-brgl@bgdev.pl/
> >
> > It should prevent pci_bus_add_devices() from racing with pciehp stopping
> > and removing devices.
>
> I checked the combination of all 3 patches as well. In the end it behaves
> the same like if I apply the first patch only (the one you sent the day
> before).
Thanks a lot for testing and the detailed feedback.
Would it be possible for you to try the above-linked patch alone
(on top of a recent stock kernel), i.e. without the refcounting
fix that you say was sufficient to avoid the UAF?
And I'd also appreciate if you could try the match_driver approach ...
https://lore.kernel.org/all/Zv-dIHDXNNYomG2Y@wunner.de/
... alone, i.e. without any other patches.
It's interesting that the refcounting fix was sufficient to avoid
the UAF but I can't get over the fact that the pcieport driver is
unbound from pci_remove_bus_device(), when it should no longer be
bound in the first place. My impression is that teardown of the
hierarchy by pciehp races with driver binding after the initial
root bus scan, so we probably should try to avoid that. I'd like
to confirm (or disprove) that hunch.
The refcounting fix could be applied as a safety net but normally
shouldn't be necessary if driver unbinding happens in pci_stop_dev()
and the device remains unbound afterwards. The match_driver patch
should achieve that. And the other patch by Bartosz (linked above)
should achieve the same by serializing driver binding after bus
enumeration with driver unbinding by pciehp.
Finally, I'd appreciate if you could send me dmesg output with the
refcounting fix applied. As said before, the MTL Thunderbolt controller
claims that the link and slot presence bits are cleared, so it
de-enumerates everything attached via Thunderbolt. I'm wondering
if it then re-enumerates the Thunderbolt-attached devices so they're
actually usable?
I'm hoping Mika can clarify with Intel Thunderbolt CoE whether this
is a hardware issue in MTL that can e.g. be fixed through a firmware
or BIOS update.
Thanks!
Lukas
next prev parent reply other threads:[~2024-10-08 13:58 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-19 8:06 UAF during boot on MTL based devices with attached dock Wassenberg, Dennis
2024-09-21 9:08 ` Ilpo Järvinen
2024-09-23 8:38 ` Wassenberg, Dennis
2024-09-23 4:41 ` mika.westerberg
2024-09-23 8:43 ` Wassenberg, Dennis
2024-09-23 11:17 ` mika.westerberg
2024-09-23 13:42 ` Wassenberg, Dennis
2024-09-23 12:23 ` Wassenberg, Dennis
2024-09-24 10:51 ` Ilpo Järvinen
2024-09-25 15:38 ` Wassenberg, Dennis
2024-09-26 13:58 ` Ilpo Järvinen
2024-10-07 16:34 ` Wassenberg, Dennis
2024-10-03 13:46 ` Lukas Wunner
2024-10-04 7:45 ` Lukas Wunner
2024-10-07 16:49 ` Wassenberg, Dennis
2024-10-08 13:58 ` Lukas Wunner [this message]
2024-10-08 16:37 ` mika.westerberg
2024-10-08 18:23 ` Lukas Wunner
2024-10-09 4:44 ` mika.westerberg
2024-10-09 11:47 ` Lukas Wunner
2024-10-09 12:55 ` mika.westerberg
2024-10-09 6:26 ` Wassenberg, Dennis
2024-10-07 16:20 ` Wassenberg, Dennis
2024-09-24 8:54 ` Lukas Wunner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZwU6ijD8I5hzMv9X@wunner.de \
--to=lukas@wunner.de \
--cc=Dennis.Wassenberg@secunet.com \
--cc=Jonathan.Cameron@huawei.com \
--cc=ilpo.jarvinen@linux.intel.com \
--cc=kbusch@kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=mika.westerberg@linux.intel.com \
--cc=minipli@grsecurity.net \
--cc=mpearson-lenovo@squebb.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox