proxmox-mirrors/mirror_ubuntu-kernels
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_ubuntu-kernels.git synced 2025-12-05 09:26:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
d5f78f50ff
mirror_ubuntu-kernels/arch/s390/pci
History
Niklas Schnelle 2a671f77ee s390/pci: fix use after free of zpci_dev 
The struct pci_dev uses reference counting but zPCI assumed erroneously
that the last reference would always be the local reference after
calling pci_stop_and_remove_bus_device(). This is usually the case but
not how reference counting works and thus inherently fragile.

In fact one case where this causes a NULL pointer dereference when on an
SRIOV device the function 0 was hot unplugged before another function of
the same multi-function device. In this case the second function's
pdev->sriov->dev reference keeps the struct pci_dev of function 0 alive
even after the unplug. This bug was previously hidden by the fact that
we were leaking the struct pci_dev which in turn means that it always
outlived the struct zpci_dev. This was fixed in commit 0b13525c20
("s390/pci: fix leak of PCI device structure") exposing the broken
behavior.

Fix this by accounting for the long living reference a struct pci_dev
has to its underlying struct zpci_dev via the zbus->function[] array and
only release that in pcibios_release_device() ensuring that the struct
pci_dev is not left with a dangling reference. This is a minimal fix in
the future it would probably better to use fine grained reference
counting for struct zpci_dev.

Fixes: 05bc1be6db ("s390/pci: create zPCI bus")
Cc: stable@vger.kernel.org
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
2021-08-18 10:12:42 +02:00
..
Makefile s390/pci: consolidate SR-IOV specific code 2020-09-14 11:38:34 +02:00
pci_bus.c s390/pci: separate zbus registration from scanning 2021-04-12 12:46:42 +02:00
pci_bus.h s390/pci: fix use after free of zpci_dev 2021-08-18 10:12:42 +02:00
pci_clp.c s390/pci: refactor zpci_create_device() 2021-02-09 15:57:04 +01:00
pci_debug.c locking/atomic, s390/pci: Remove redundant casts 2019-06-03 12:32:57 +02:00
pci_dma.c dma-mapping: split <linux/dma-mapping.h> 2020-10-06 07:07:03 +02:00
pci_event.c s390/pci: handle stale deconfiguration events 2021-04-30 17:17:00 +02:00
pci_insn.c s390/pci: use register pair instead of register asm 2021-06-18 16:41:23 +02:00
pci_iov.c s390/pci: add missing pci_iov.h include 2020-09-16 14:08:47 +02:00
pci_iov.h s390/pci: consolidate SR-IOV specific code 2020-09-14 11:38:34 +02:00
pci_irq.c s390/pci: add zpci_set_irq()/zpci_clear_irq() 2021-06-28 11:18:28 +02:00
pci_mmio.c s390/pci: use register pair instead of register asm 2021-06-18 16:41:23 +02:00
pci_sysfs.c s390/pci: expose a PCI device's UID as its index 2021-04-20 14:48:27 +02:00
pci.c s390/pci: fix use after free of zpci_dev 2021-08-18 10:12:42 +02:00