FAILED: patch "[PATCH] PCI/MSI: Fix UAF in msi_capability_init" failed to apply to 6.1-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* FAILED: patch "[PATCH] PCI/MSI: Fix UAF in msi_capability_init" failed to apply to 6.1-stable tree
@ 2024-07-01 14:22 gregkh
  2024-07-01 16:28 ` Mostafa Saleh
  0 siblings, 1 reply; 2+ messages in thread
From: gregkh @ 2024-07-01 14:22 UTC (permalink / raw)
  To: smostafa, bhelgaas, tglx; +Cc: stable


The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable@vger.kernel.org>.

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x 9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2024070120-undergo-stipulate-9aae@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

9eee5330656b ("PCI/MSI: Fix UAF in msi_capability_init")
b12d0bec385b ("PCI/MSI: Move pci_disable_msi() to api.c")
c93fd5266cff ("PCI/MSI: Move mask and unmask helpers to msi.h")
a474d3fbe287 ("PCI/MSI: Get rid of PCI_MSI_IRQ_DOMAIN")

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From 9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1 Mon Sep 17 00:00:00 2001
From: Mostafa Saleh <smostafa@google.com>
Date: Mon, 24 Jun 2024 20:37:28 +0000
Subject: [PATCH] PCI/MSI: Fix UAF in msi_capability_init

KFENCE reports the following UAF:

 BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488

 Use-after-free read at 0x0000000024629571 (in kfence-#12):
  __pci_enable_msi_range+0x2c0/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128

 allocated by task 81 on cpu 7 at 10.808142s:
  __kmem_cache_alloc_node+0x1f0/0x2bc
  kmalloc_trace+0x44/0x138
  msi_alloc_desc+0x3c/0x9c
  msi_domain_insert_msi_desc+0x30/0x78
  msi_setup_msi_desc+0x13c/0x184
  __pci_enable_msi_range+0x258/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 freed by task 81 on cpu 7 at 10.811436s:
  msi_domain_free_descs+0xd4/0x10c
  msi_domain_free_locked.part.0+0xc0/0x1d8
  msi_domain_alloc_irqs_all_locked+0xb4/0xbc
  pci_msi_setup_msi_irqs+0x30/0x4c
  __pci_enable_msi_range+0x2a8/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

Descriptor allocation done in:
__pci_enable_msi_range
    msi_capability_init
        msi_setup_msi_desc
            msi_insert_msi_desc
                msi_domain_insert_msi_desc
                    msi_alloc_desc
                        ...

Freed in case of failure in __msi_domain_alloc_locked()
__pci_enable_msi_range
    msi_capability_init
        pci_msi_setup_msi_irqs
            msi_domain_alloc_irqs_all_locked
                msi_domain_alloc_locked
                    __msi_domain_alloc_locked => fails
                    msi_domain_free_locked
                        ...

That failure propagates back to pci_msi_setup_msi_irqs() in
msi_capability_init() which accesses the descriptor for unmasking in the
error exit path.

Cure it by copying the descriptor and using the copy for the error exit path
unmask operation.

[ tglx: Massaged change log ]

Fixes: bf6e054e0e3f ("genirq/msi: Provide msi_device_populate/destroy_sysfs()")
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Mostafa Saleh <smostafa@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bjorn Heelgas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240624203729.1094506-1-smostafa@google.com

diff --git a/drivers/pci/msi/msi.c b/drivers/pci/msi/msi.c
index c5625dd9bf49..3a45879d85db 100644
--- a/drivers/pci/msi/msi.c
+++ b/drivers/pci/msi/msi.c
@@ -352,7 +352,7 @@ static int msi_capability_init(struct pci_dev *dev, int nvec,
 			       struct irq_affinity *affd)
 {
 	struct irq_affinity_desc *masks = NULL;
-	struct msi_desc *entry;
+	struct msi_desc *entry, desc;
 	int ret;
 
 	/* Reject multi-MSI early on irq domain enabled architectures */
@@ -377,6 +377,12 @@ static int msi_capability_init(struct pci_dev *dev, int nvec,
 	/* All MSIs are unmasked by default; mask them all */
 	entry = msi_first_desc(&dev->dev, MSI_DESC_ALL);
 	pci_msi_mask(entry, msi_multi_mask(entry));
+	/*
+	 * Copy the MSI descriptor for the error path because
+	 * pci_msi_setup_msi_irqs() will free it for the hierarchical
+	 * interrupt domain case.
+	 */
+	memcpy(&desc, entry, sizeof(desc));
 
 	/* Configure MSI capability structure */
 	ret = pci_msi_setup_msi_irqs(dev, nvec, PCI_CAP_ID_MSI);
@@ -396,7 +402,7 @@ static int msi_capability_init(struct pci_dev *dev, int nvec,
 	goto unlock;
 
 err:
-	pci_msi_unmask(entry, msi_multi_mask(entry));
+	pci_msi_unmask(&desc, msi_multi_mask(&desc));
 	pci_free_msi_irqs(dev);
 fail:
 	dev->msi_enabled = 0;


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: FAILED: patch "[PATCH] PCI/MSI: Fix UAF in msi_capability_init" failed to apply to 6.1-stable tree
  2024-07-01 14:22 FAILED: patch "[PATCH] PCI/MSI: Fix UAF in msi_capability_init" failed to apply to 6.1-stable tree gregkh
@ 2024-07-01 16:28 ` Mostafa Saleh
  0 siblings, 0 replies; 2+ messages in thread
From: Mostafa Saleh @ 2024-07-01 16:28 UTC (permalink / raw)
  To: gregkh; +Cc: bhelgaas, tglx, stable

Hi Greg,

On Mon, Jul 01, 2024 at 04:22:20PM +0200, gregkh@linuxfoundation.org wrote:
> 
> The patch below does not apply to the 6.1-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
> 

I can’t repro the UAF in 6.1. Looking more, I think the bug was actual
introduced when MSI_COMMON_FLAGS was added with MSI_FLAG_FREE_MSI_DESCS in
commit "a737b7d0e721 (PCI/MSI: Add support for per device MSI[X] domains)"

And not from the freeing logic mentioned in the Fixes, so the first affected
version is 6.2

Thanks,
Mostafa

> To reproduce the conflict and resubmit, you may use the following commands:
> 
> git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
> git checkout FETCH_HEAD
> git cherry-pick -x 9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1
> # <resolve conflicts, build, test, etc.>
> git commit -s
> git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2024070120-undergo-stipulate-9aae@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..
> 
> Possible dependencies:
> 
> 9eee5330656b ("PCI/MSI: Fix UAF in msi_capability_init")
> b12d0bec385b ("PCI/MSI: Move pci_disable_msi() to api.c")
> c93fd5266cff ("PCI/MSI: Move mask and unmask helpers to msi.h")
> a474d3fbe287 ("PCI/MSI: Get rid of PCI_MSI_IRQ_DOMAIN")
> 
> thanks,
> 
> greg k-h
> 
> ------------------ original commit in Linus's tree ------------------
> 
> From 9eee5330656bf92f51cb1f09b2dc9f8cf975b3d1 Mon Sep 17 00:00:00 2001
> From: Mostafa Saleh <smostafa@google.com>
> Date: Mon, 24 Jun 2024 20:37:28 +0000
> Subject: [PATCH] PCI/MSI: Fix UAF in msi_capability_init
> 
> KFENCE reports the following UAF:
> 
>  BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488
> 
>  Use-after-free read at 0x0000000024629571 (in kfence-#12):
>   __pci_enable_msi_range+0x2c0/0x488
>   pci_alloc_irq_vectors_affinity+0xec/0x14c
>   pci_alloc_irq_vectors+0x18/0x28
> 
>  kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128
> 
>  allocated by task 81 on cpu 7 at 10.808142s:
>   __kmem_cache_alloc_node+0x1f0/0x2bc
>   kmalloc_trace+0x44/0x138
>   msi_alloc_desc+0x3c/0x9c
>   msi_domain_insert_msi_desc+0x30/0x78
>   msi_setup_msi_desc+0x13c/0x184
>   __pci_enable_msi_range+0x258/0x488
>   pci_alloc_irq_vectors_affinity+0xec/0x14c
>   pci_alloc_irq_vectors+0x18/0x28
> 
>  freed by task 81 on cpu 7 at 10.811436s:
>   msi_domain_free_descs+0xd4/0x10c
>   msi_domain_free_locked.part.0+0xc0/0x1d8
>   msi_domain_alloc_irqs_all_locked+0xb4/0xbc
>   pci_msi_setup_msi_irqs+0x30/0x4c
>   __pci_enable_msi_range+0x2a8/0x488
>   pci_alloc_irq_vectors_affinity+0xec/0x14c
>   pci_alloc_irq_vectors+0x18/0x28
> 
> Descriptor allocation done in:
> __pci_enable_msi_range
>     msi_capability_init
>         msi_setup_msi_desc
>             msi_insert_msi_desc
>                 msi_domain_insert_msi_desc
>                     msi_alloc_desc
>                         ...
> 
> Freed in case of failure in __msi_domain_alloc_locked()
> __pci_enable_msi_range
>     msi_capability_init
>         pci_msi_setup_msi_irqs
>             msi_domain_alloc_irqs_all_locked
>                 msi_domain_alloc_locked
>                     __msi_domain_alloc_locked => fails
>                     msi_domain_free_locked
>                         ...
> 
> That failure propagates back to pci_msi_setup_msi_irqs() in
> msi_capability_init() which accesses the descriptor for unmasking in the
> error exit path.
> 
> Cure it by copying the descriptor and using the copy for the error exit path
> unmask operation.
> 
> [ tglx: Massaged change log ]
> 
> Fixes: bf6e054e0e3f ("genirq/msi: Provide msi_device_populate/destroy_sysfs()")
> Suggested-by: Thomas Gleixner <tglx@linutronix.de>
> Signed-off-by: Mostafa Saleh <smostafa@google.com>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: Bjorn Heelgas <bhelgaas@google.com>
> Cc: stable@vger.kernel.org
> Link: https://lore.kernel.org/r/20240624203729.1094506-1-smostafa@google.com
> 
> diff --git a/drivers/pci/msi/msi.c b/drivers/pci/msi/msi.c
> index c5625dd9bf49..3a45879d85db 100644
> --- a/drivers/pci/msi/msi.c
> +++ b/drivers/pci/msi/msi.c
> @@ -352,7 +352,7 @@ static int msi_capability_init(struct pci_dev *dev, int nvec,
>  			       struct irq_affinity *affd)
>  {
>  	struct irq_affinity_desc *masks = NULL;
> -	struct msi_desc *entry;
> +	struct msi_desc *entry, desc;
>  	int ret;
>  
>  	/* Reject multi-MSI early on irq domain enabled architectures */
> @@ -377,6 +377,12 @@ static int msi_capability_init(struct pci_dev *dev, int nvec,
>  	/* All MSIs are unmasked by default; mask them all */
>  	entry = msi_first_desc(&dev->dev, MSI_DESC_ALL);
>  	pci_msi_mask(entry, msi_multi_mask(entry));
> +	/*
> +	 * Copy the MSI descriptor for the error path because
> +	 * pci_msi_setup_msi_irqs() will free it for the hierarchical
> +	 * interrupt domain case.
> +	 */
> +	memcpy(&desc, entry, sizeof(desc));
>  
>  	/* Configure MSI capability structure */
>  	ret = pci_msi_setup_msi_irqs(dev, nvec, PCI_CAP_ID_MSI);
> @@ -396,7 +402,7 @@ static int msi_capability_init(struct pci_dev *dev, int nvec,
>  	goto unlock;
>  
>  err:
> -	pci_msi_unmask(entry, msi_multi_mask(entry));
> +	pci_msi_unmask(&desc, msi_multi_mask(&desc));
>  	pci_free_msi_irqs(dev);
>  fail:
>  	dev->msi_enabled = 0;
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2024-07-01 16:28 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-07-01 14:22 FAILED: patch "[PATCH] PCI/MSI: Fix UAF in msi_capability_init" failed to apply to 6.1-stable tree gregkh
2024-07-01 16:28 ` Mostafa Saleh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).