[v3] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe

Message ID	20231001035441.30408-1-dinghao.liu@zju.edu.cn (mailing list archive)
State	New, archived
Delegated to:	Krzysztof Wilczyński
Headers	show Return-Path: <linux-pci-owner@vger.kernel.org> From: Dinghao Liu <dinghao.liu@zju.edu.cn> To: dinghao.liu@zju.edu.cn Cc: Toan Le <toan@os.amperecomputing.com>, Lorenzo Pieralisi <lpieralisi@kernel.org>, =?utf-8?q?Krzysztof_Wilczy=C5=84?= =?utf-8?q?ski?= <kw@linux.com>, Rob Herring <robh@kernel.org>, Bjorn Helgaas <bhelgaas@google.com>, Tanmay Inamdar <tinamdar@apm.com>, Marc Zyngier <maz@kernel.org>, Duc Dang <dhdang@apm.com>, linux-pci@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH] [v3] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe Date: Sun, 1 Oct 2023 11:54:40 +0800 Message-Id: <20231001035441.30408-1-dinghao.liu@zju.edu.cn> Precedence: bulk
Series	[v3] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe \| expand [v3] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe

Message ID

20231001035441.30408-1-dinghao.liu@zju.edu.cn (mailing list archive)

State

New, archived

Delegated to:

Krzysztof Wilczyński

Headers

From: Dinghao Liu <dinghao.liu@zju.edu.cn>
To: dinghao.liu@zju.edu.cn
Cc: Toan Le <toan@os.amperecomputing.com>,
 Lorenzo Pieralisi <lpieralisi@kernel.org>, =?utf-8?q?Krzysztof_Wilczy=C5=84?=
	=?utf-8?q?ski?= <kw@linux.com>, Rob Herring <robh@kernel.org>,
 Bjorn Helgaas <bhelgaas@google.com>, Tanmay Inamdar <tinamdar@apm.com>,
 Marc Zyngier <maz@kernel.org>, Duc Dang <dhdang@apm.com>,
 linux-pci@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
 linux-kernel@vger.kernel.org
Subject: [PATCH] [v3] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe
Date: Sun,  1 Oct 2023 11:54:40 +0800
Message-Id: <20231001035441.30408-1-dinghao.liu@zju.edu.cn>
Precedence: bulk

Series

[v3] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe | expand

Commit Message

Dinghao Liu Oct. 1, 2023, 3:54 a.m. UTC

xgene_allocate_domains() will call irq_domain_remove() to free
msi->inner_domain on failure. However, its caller, xgene_msi_probe(),
will also call irq_domain_remove() through xgene_msi_remove() on the
same failure, which may lead to a use-after-free. Remove the first
irq_domain_remove() and let xgene_free_domains() cleanup domains.

Fixes: dcd19de36775 ("PCI: xgene: Add APM X-Gene v1 PCIe MSI/MSIX termination driver")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---

Changelog:

v2: -Remove irq_domain_remove() instead of nulling msi_domain.

v3: -Add 'v3' tag in the title.
---
 drivers/pci/controller/pci-xgene-msi.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/pci/controller/pci-xgene-msi.c b/drivers/pci/controller/pci-xgene-msi.c
index 3ce38dfd0d29..0f9b9394399d 100644
--- a/drivers/pci/controller/pci-xgene-msi.c
+++ b/drivers/pci/controller/pci-xgene-msi.c
@@ -251,10 +251,8 @@  static int xgene_allocate_domains(struct xgene_msi *msi)
 						    &xgene_msi_domain_info,
 						    msi->inner_domain);
 
-	if (!msi->msi_domain) {
-		irq_domain_remove(msi->inner_domain);
+	if (!msi->msi_domain)
 		return -ENOMEM;
-	}
 
 	return 0;
 }

[v3] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe

Commit Message

Patch