Date: Mon, 25 Sep 2023 10:40:48 +0100
Message-ID: <87o7hqmvz3.wl-maz@kernel.org>
From: Marc Zyngier
To: Dinghao Liu
Cc: Toan Le, Lorenzo Pieralisi, Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas, Duc Dang, Tanmay Inamdar, linux-pci@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] PCI: xgene-msi: Fix a potential UAF in xgene_msi_probe
In-Reply-To: <20230925062133.14170-1-dinghao.liu@zju.edu.cn>
References: <20230925062133.14170-1-dinghao.liu@zju.edu.cn>

On Mon, 25 Sep 2023 07:21:32 +0100,
Dinghao Liu wrote:
>
> xgene_allocate_domains() will call irq_domain_remove() to free
> msi->inner_domain on failure. However, its caller, xgene_msi_probe(),
> will also call irq_domain_remove() through xgene_msi_remove() on the
> same failure, which may lead to a use-after-free. Set the freed pointer
> to NULL to fix this issue.
>
> Fixes: dcd19de36775 ("PCI: xgene: Add APM X-Gene v1 PCIe MSI/MSIX termination driver")
> Signed-off-by: Dinghao Liu
> ---
>  drivers/pci/controller/pci-xgene-msi.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/pci/controller/pci-xgene-msi.c b/drivers/pci/controller/pci-xgene-msi.c
> index 3ce38dfd0d29..c0192c5ff0f3 100644
> --- a/drivers/pci/controller/pci-xgene-msi.c
> +++ b/drivers/pci/controller/pci-xgene-msi.c
> @@ -253,6 +253,7 @@ static int xgene_allocate_domains(struct xgene_msi *msi)
>
>  	if (!msi->msi_domain) {
>  		irq_domain_remove(msi->inner_domain);
> +		msi->inner_domain = NULL;
>  		return -ENOMEM;
>  	}

Why can't we just drop the irq_domain_remove() call here instead, and
simply rely on xgene_msi_remove() to do the right thing?

Something like the untested patch below.

Thanks,

	M.

diff --git a/drivers/pci/controller/pci-xgene-msi.c b/drivers/pci/controller/pci-xgene-msi.c
index 0234e528b9a5..f98c9eb7bebf 100644
--- a/drivers/pci/controller/pci-xgene-msi.c
+++ b/drivers/pci/controller/pci-xgene-msi.c
@@ -251,10 +251,8 @@ static int xgene_allocate_domains(struct xgene_msi *msi)
 					    &xgene_msi_domain_info,
 					    msi->inner_domain);
-	if (!msi->msi_domain) {
-		irq_domain_remove(msi->inner_domain);
+	if (!msi->msi_domain)
 		return -ENOMEM;
-	}
 	return 0;
 }

--
Without deviation from the norm, progress is not possible.
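Review bot: in the quoted `@@ -253,6 +253,7 @@` hunk, `msi->inner_domain = NULL;` only removes the double free if the cleanup reached through xgene_msi_remove() skips a NULL inner_domain before calling irq_domain_remove(); irq_domain_remove() dereferences its argument, so without that check the use-after-free becomes a NULL-pointer dereference on the same failure path. The commit message should name the NULL check it relies on, or the patch should free inner_domain in exactly one place, either here or in xgene_msi_remove(), rather than keeping both calls and papering over the second with a NULL store.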
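Review bot: in the `@@ -251,10 +251,8 @@` hunk of the proposed alternative, removing `irq_domain_remove(msi->inner_domain);` from the `if (!msi->msi_domain)` path changes the ownership contract of xgene_allocate_domains(): it now returns -ENOMEM with msi->inner_domain still allocated, and nothing in the hunk records that the caller is expected to run xgene_msi_remove() to release it. Add a short comment on the early return (for example, "inner_domain is released by the caller's xgene_msi_remove()") so a future caller neither leaks the domain nor reintroduces the second remove; since the patch is explicitly untested, the msi_domain-creation failure path should be exercised before it is picked up.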