Message-ID: <0d2f0f66-02a6-0cdd-4d96-f11f09ff71aa@sangfor.com.cn>
Date: Fri, 5 May 2023 12:40:31 +0800
Subject: Re: [PATCH] PCI/ASPM: fix UAF by disable ASPM for link when child function is removed
From: Ding Hui
To: Sathyanarayanan Kuppuswamy, bhelgaas@google.com
Cc: vidyas@nvidia.com, david.e.box@linux.intel.com, kai.heng.feng@canonical.com, michael.a.bottini@linux.intel.com, rajatja@google.com, qinzongquan@sangfor.com.cn, linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <2f32591a-77d8-f620-46bf-825074ba24c2@linux.intel.com>
References: <20230504123418.4438-1-dinghui@sangfor.com.cn> <2f32591a-77d8-f620-46bf-825074ba24c2@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2023/5/5 10:51, Sathyanarayanan Kuppuswamy wrote:
> Hi,
>
> On 5/4/23 5:34 AM, Ding Hui wrote:
>
> Maybe you can use the following title?
>
> "PCI/ASPM: Fix UAF by disabling ASPM for link when child function is removed"
>

Thanks, I'll fix it in the next patch.

>> If Function 0 of a Multi-Function device is software removed,
>> a freed downstream pointer will be left in struct pcie_link_state,
>> and then when pcie_config_aspm_link() is invoked from any path,
>> we will trigger a use-after-free.
>>
>> Based on the PCIe spec about ASPM Control (PCIe r6.0, sec 7.5.3.7),
>
> As per PCIe spec r6.0, sec 7.5.3.7, it is recommended
>

Thanks, I'll fix it in the next patch.

>> for Multi-Function Devices (including ARI Devices), it is recommended
>> that software program the same value in all Functions. For ARI
>> Devices, ASPM Control is determined solely by the setting in Function 0.
>>
>> So we can just disable ASPM of the whole component if any child
>> function is removed; the use-after-free of the downstream pointer
>> will be avoided, and that will also avoid other potential corner cases.
>>
>> Fixes: b5a0a9b59c81 ("PCI/ASPM: Read and set up L1 substate capabilities")
>> Debugged-by: Zongquan Qin
>
> Any bugzilla link with error log and reproduction steps?

Yes, I should link the previous https://lore.kernel.org/lkml/20230429132604.31853-1-dinghui@sangfor.com.cn/
Since Bjorn thinks all the details are not necessary, I'll add the reproducer and a compact result in the next patch.

>
>> Suggestion-by: Bjorn Helgaas
>
> Suggested-by?

Sorry, I'll fix it in the next patch.

>
>> Signed-off-by: Ding Hui
>> ---
>>  drivers/pci/pcie/aspm.c | 15 +++++++--------
>>  1 file changed, 7 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
>> index 66d7514ca111..1bf8306141aa 100644
>> --- a/drivers/pci/pcie/aspm.c
>> +++ b/drivers/pci/pcie/aspm.c
>> @@ -1010,18 +1010,17 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) >> >> down_read(&pci_bus_sem); >> mutex_lock(&aspm_lock); >> - /* >> - * All PCIe functions are in one slot, remove one function will remove >> - * the whole slot, so just wait until we are the last function left. >> - */ >> - if (!list_empty(&parent->subordinate->devices)) >> - goto out; >> >> link = parent->link_state; >> root = link->root; >> parent_link = link->parent; >> >> - /* All functions are removed, so just disable ASPM for the link */ >> + /* >> + * Any function is removed (including software removing), just >> + * disable ASPM for the link, in case we can not configure the same >> + * setting for all functions. > > How about following? > > /* > * For any function removed, disable ASPM for the link. See PCIe r6.0, > * sec 7.7.3.7 for details. > */ > Thanks, it's better. >> + * See PCIe r6.0, sec 7.5.3.7. >> + */ >> pcie_config_aspm_link(link, 0); >> list_del(&link->sibling); >> /* Clock PM is for endpoint device */ >> @@ -1032,7 +1031,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev) >> pcie_update_aspm_capable(root); >> pcie_config_aspm_path(parent_link); >> } >> -out: >> + >> mutex_unlock(&aspm_lock); >> up_read(&pci_bus_sem); >> } > -- Thanks, - Ding Hui
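Review bot: In the first hunk (@@ -1010,18 +1010,17 @@), deleting the `if (!list_empty(&parent->subordinate->devices)) goto out;` early exit means this teardown now runs when the first function of a multi-function device is removed rather than the last, so `link = parent->link_state;` and `list_del(&link->sibling);` will be reached again when the remaining functions of the same device are removed; nothing in the hunk shows what stops that later call from reading a link state that has already been unlinked, so the commit message or the new comment should state what makes the repeat call safe. On the comment text itself, the suggested wording in the reply cites "sec 7.7.3.7" while the commit message and the `+ * See PCIe r6.0, sec 7.5.3.7.` line cite 7.5.3.7; keep 7.5.3.7 in the next version so the comment and the commit message agree.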
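Review bot: In the second hunk (@@ -1032,7 +1031,7 @@), removing the `out:` label is only safe if the `goto out` deleted in the first hunk was its sole user; please confirm no other `goto out` remains in pcie_aspm_exit_link_state, since the label is now gone and any leftover jump would fail to compile. The replacement `+` line is an empty line, which keeps a blank line between the `if (parent_link) { ... }` block and `mutex_unlock(&aspm_lock);`; that is fine stylistically, but it should be a genuinely empty line with no trailing whitespace so checkpatch stays quiet.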
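The failure mode described in the quoted commit message, a link-level state object that keeps a pointer to a child function after that function's object has been freed, reduces to a small userspace model. The block below is an added example and is not code from the kernel or from this patch: the struct names, the `alive` flag standing in for a freed allocation, and the `remove_fn_before`/`remove_fn_after` helpers are assumptions for illustration. It only mirrors the ordering the patch changes: tear the link down on the first removed function, while that function's object is still valid, instead of waiting for the last function to go.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_FNS 8

/* Assumed model of a PCI function; not the kernel's struct pci_dev. */
struct pci_fn {
    int number;   /* function number within the multi-function device */
    int alive;    /* cleared by fn_release(); stands in for freeing the object */
};

/* Assumed model of the per-link state; not the kernel's struct pcie_link_state. */
struct link_state {
    struct pci_fn *downstream;    /* Function 0 of the child device */
    struct pci_fn *fns[MAX_FNS];  /* functions still present on the bus */
    int nfns;
    int aspm_state;               /* last value programmed for the link */
};

enum { CFG_OK = 0, CFG_DANGLING = -1 };

/* Stand-in for pcie_config_aspm_link(): programs the link through the
 * downstream function.  Real code would dereference freed memory here;
 * the model reports the dangling pointer instead of touching it. */
static int config_aspm_link(struct link_state *link, int state)
{
    if (!link->downstream)
        return CFG_OK;            /* link already torn down: nothing to program */
    if (!link->downstream->alive)
        return CFG_DANGLING;      /* this is the use-after-free */
    link->aspm_state = state;
    return CFG_OK;
}

static void fn_release(struct pci_fn *fn)
{
    fn->alive = 0;
}

/* Drop fn from the link's list of present functions. */
static void unlink_fn(struct link_state *link, struct pci_fn *fn)
{
    int i, kept = 0;
    for (i = 0; i < link->nfns; i++)
        if (link->fns[i] != fn)
            link->fns[kept++] = link->fns[i];
    link->nfns = kept;
}

/* Before the patch: keep the link state until the last function is gone.
 * If fn was Function 0, downstream now points at a released object. */
static void remove_fn_before(struct link_state *link, struct pci_fn *fn)
{
    unlink_fn(link, fn);
    fn_release(fn);
    if (link->nfns > 0)
        return;                   /* other functions remain: link state kept */
    config_aspm_link(link, 0);
    link->downstream = NULL;
}

/* After the patch: any removal disables ASPM and drops the downstream
 * pointer while the function object is still valid. */
static void remove_fn_after(struct link_state *link, struct pci_fn *fn)
{
    unlink_fn(link, fn);
    config_aspm_link(link, 0);
    link->downstream = NULL;
    fn_release(fn);
}

/* Scenario: a two-function device; software removes Function 0, then ASPM
 * is reconfigured from some other path.  Returns CFG_OK or CFG_DANGLING. */
static int scenario(void (*remove_fn)(struct link_state *, struct pci_fn *))
{
    struct pci_fn f0 = { 0, 1 }, f1 = { 1, 1 };           /* constructed input */
    struct link_state link = { &f0, { &f0, &f1 }, 2, 1 };

    remove_fn(&link, &f0);
    return config_aspm_link(&link, 1);
}

int main(void)
{
    printf("before patch: %s\n",
           scenario(remove_fn_before) == CFG_DANGLING ? "use-after-free" : "ok");
    printf("after patch:  %s\n",
           scenario(remove_fn_after) == CFG_OK ? "ok" : "use-after-free");
    return 0;
}
```

The model deliberately reports the dangling pointer rather than dereferencing it, so it runs cleanly without a sanitizer; the point it makes is that the fix is about ordering and ownership (drop the shared pointer before the object it refers to goes away) rather than about any particular ASPM value.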