From patchwork Tue Sep 26 02:59:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dinghao Liu X-Patchwork-Id: 13398611 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id AE74EE81813 for ; Tue, 26 Sep 2023 03:00:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:List-Subscribe:List-Help: List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date:Subject:Cc:To :From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References: List-Owner; bh=CTFbTTCr23/86AatMH+FXg/8EYhvez/yWKaGCt7AiNE=; b=JQB34hzMxuCmP5 5fSUrYSTOVc6k9kR6VP3Ses98GvO3PVCt5NznShaipQKpHUr1aGD9eat5GZsLsRgU9UIZWJX3CJZ2 ygsH8iN3ugURgBiw7nnJYBdFhiaCaQHEu5A0kcygniu4m+2+i6lR5QigQRAh0shuFhDtB7wJCtiE5 G+8XwjbzakjROGM8R266lDaoP70ZD6yQ70+A7tj9X0X/ZmiSOca5tbLZPzOMktS8O5O/LAEEI6H3u Q17kmZQGQqlaCArBbbSPtab1XsbxVMg791VYPZ9hiAXtXYoI0tF2fmu4107l0BIRCMh+faELYo435 6DmaSxIMt8rhk0dWWl4w==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1qkyIz-00FREF-0U; Tue, 26 Sep 2023 03:00:09 +0000 Received: from mail.zju.edu.cn ([61.164.42.155] helo=zju.edu.cn) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1qkyIv-00FRDk-2U for linux-arm-kernel@lists.infradead.org; Tue, 26 Sep 2023 03:00:07 +0000 Received: from localhost.localdomain (unknown [10.192.76.118]) by mail-app4 (Coremail) with SMTP id cS_KCgC3vBQaSRJlfKruAA--.18544S4; Tue, 26 Sep 2023 10:59:43 +0800 (CST) From: Dinghao Liu To: dinghao.liu@zju.edu.cn Cc: Toan Le , Lorenzo Pieralisi , =?utf-8?q?Krzysztof_Wilczy=C5=84?= =?utf-8?q?ski?= , Rob Herring , Bjorn Helgaas , Duc Dang , Marc Zyngier , Tanmay Inamdar , linux-pci@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe Date: Tue, 26 Sep 2023 10:59:36 +0800 Message-Id: <20230926025936.7115-1-dinghao.liu@zju.edu.cn> X-Mailer: git-send-email 2.17.1 X-CM-TRANSID: cS_KCgC3vBQaSRJlfKruAA--.18544S4 X-Coremail-Antispam: 1UD129KBjvJXoW7JF13Cr4xXr15WF13Gr18uFg_yoW8Jr4rpF WxC343WFWft3yUXa1Igw18Wa4ava9rt3yDtwsxWrnrZrnxA34DuryjqFyrC34akFWrXF4j y3WxJ3W5uFs5JFDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvm1xkIjI8I6I8E6xAIw20EY4v20xvaj40_Wr0E3s1l1IIY67AE w4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2 IY67AKxVWDJVCq3wA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxVWxJr0_GcWl84ACjcxK6I8E 87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_GcCE3s1le2I262IYc4CY6c 8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E2Ix0cI8IcVAFwI0_Jr0_ Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJVW8JwACjcxG0xvY0x0EwI xGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2Y2ka0xkIwI1l42xK82IY c2Ij64vIr41l42xK82IY6x8ErcxFaVAv8VW8uw4UJr1UMxC20s026xCaFVCjc4AY6r1j6r 4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF 67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2I x0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2 z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnU UI43ZEXa7VUbXdbUUUUUU== X-CM-SenderInfo: qrrzjiaqtzq6lmxovvfxof0/1tbiAgEJBmUQRiAzPQAJsY X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230925_200006_177463_FE2365ED X-CRM114-Status: UNSURE ( 8.61 ) X-CRM114-Notice: Please train this message. X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org xgene_allocate_domains() will call irq_domain_remove() to free msi->inner_domain on failure. However, its caller, xgene_msi_probe(), will also call irq_domain_remove() through xgene_msi_remove() on the same failure, which may lead to a use-after-free. Remove the first irq_domain_remove() and let xgene_free_domains() cleanup domains. Fixes: dcd19de36775 ("PCI: xgene: Add APM X-Gene v1 PCIe MSI/MSIX termination driver") Signed-off-by: Dinghao Liu --- Changelog: v2: -Remove irq_domain_remove() instead of nulling msi_domain. --- drivers/pci/controller/pci-xgene-msi.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/pci/controller/pci-xgene-msi.c b/drivers/pci/controller/pci-xgene-msi.c index 3ce38dfd0d29..0f9b9394399d 100644 --- a/drivers/pci/controller/pci-xgene-msi.c +++ b/drivers/pci/controller/pci-xgene-msi.c @@ -251,10 +251,8 @@ static int xgene_allocate_domains(struct xgene_msi *msi) &xgene_msi_domain_info, msi->inner_domain); - if (!msi->msi_domain) { - irq_domain_remove(msi->inner_domain); + if (!msi->msi_domain) return -ENOMEM; - } return 0; }