diff mbox series

[RFC,1/2] PCI: endpoint: Fix API pci_epc_destroy() releasing domain_nr ID faults

Message ID 20241102-epc_rfc-v1-1-5026322df5bc@quicinc.com (mailing list archive)
State Superseded
Delegated to: Krzysztof WilczyƄski
Headers show
Series PCI: endpoint: fix bugs for both API pci_epc_destroy() and pci_epc_remove_epf() | expand

Commit Message

Zijun Hu Nov. 2, 2024, 2:26 p.m. UTC
From: Zijun Hu <quic_zijuhu@quicinc.com>

pci_epc_destroy() invokes pci_bus_release_domain_nr() to release domain_nr
ID, but the invocation has below 2 faults:

- The later accesses device @epc->dev which has been kfree()ed by previous
  device_unregister(), namely, it is a UAF issue.

- The later frees the domain_nr ID into @epc->dev, but the ID is actually
  allocated from @epc->dev.parent, so it will destroy domain_nr IDA.

Fix by freeing the ID to @epc->dev.parent before unregistering @epc->dev.

Fixes: 0328947c5032 ("PCI: endpoint: Assign PCI domain number for endpoint controllers")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
---
 drivers/pci/endpoint/pci-epc-core.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff mbox series

Patch

diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c
index 17f007109255..bcc9bc3d6df5 100644
--- a/drivers/pci/endpoint/pci-epc-core.c
+++ b/drivers/pci/endpoint/pci-epc-core.c
@@ -837,11 +837,10 @@  EXPORT_SYMBOL_GPL(pci_epc_bus_master_enable_notify);
 void pci_epc_destroy(struct pci_epc *epc)
 {
 	pci_ep_cfs_remove_epc_group(epc->group);
-	device_unregister(&epc->dev);
-
 #ifdef CONFIG_PCI_DOMAINS_GENERIC
-	pci_bus_release_domain_nr(&epc->dev, epc->domain_nr);
+	pci_bus_release_domain_nr(epc->dev.parent, epc->domain_nr);
 #endif
+	device_unregister(&epc->dev);
 }
 EXPORT_SYMBOL_GPL(pci_epc_destroy);