Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp1628726lqa;
        Mon, 29 Apr 2024 14:17:11 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCUpyl/SfNqrbJaRoxPCSJYTQsJgtPMe/8UHBKoe8bp8gLXFBar0ekAzQxgzJmcNcrVUYqdNzTYrVST/JQMtIMv+eKcA+fX3H9lvgpYP7A==
X-Google-Smtp-Source: AGHT+IG4zaJJchGF0Fu9Qz0/FI5xIIoyfSgUzu+upulsN2hko2uTSwyRWkKVfhsVjlI3g4zA6OGu
X-Received: by 2002:a17:903:228c:b0:1eb:7162:82c7 with SMTP id b12-20020a170903228c00b001eb716282c7mr1108972plh.18.1714425431525;
        Mon, 29 Apr 2024 14:17:11 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1714425431; cv=pass;
        d=google.com; s=arc-20160816;
        b=KTPMrs0NewsP2foQ9NU5bsMhxRA21+uywipZDFc2Jo/X3G50p0VmlRMTDURqsJLvBd
         4+iP/CTeGh9HTxdVVa1MEk0Ur5xsJWULOmPyLeaHS1qQDnZeo+aKiaiieZvC9GVJQ0jw
         LyrjGYS+m3kcoQQyUx25OUcL8FL8l6VNZtt3RcjTRh54v3yGZDIMMdwmj8RYyP3N7xie
         xh/jA1uDH1MCaRE3eAxzS/b3/0PxBgAkNxmi9uKvvLm5R4ie9xdNgcMrfXMcqgHAy6ve
         1Qn3arQy6rzi16+wFJzW5xJOF12myW1pELKsY4RkzODLejhaBFRvszpInOxcVvphmnKv
         yDGg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :message-id:date:references:in-reply-to:subject:cc:to:dkim-signature
         :dkim-signature:from;
        bh=fTxwFLVccxj2TMlIRUP97VQiicQibR0IBgIQhq6q02k=;
        fh=qMi8i9tWFLer8k/VuXMKxhtk65Z4ZiFxfkJjN0elggY=;
        b=BKSYq1ckT7sRwCfvylCM+ZaAWFVWV4P1nxXMeliAos3+yD55i3ilJSRT7k+8cWohnM
         vRdf41GtNiTlte3DrXi7yRSLzxbnN98MneXzz4XeuQPSLIWTION7k3J3o8GzxHCv5n51
         ud6NoTBBZF2+IAs2A7oYuWOr3DK5oRQnMGOBGbC/rB39mQjS8QRxEItDaD83eTBXYEzo
         YmKvNho5ja93tBNa1CCuwwC8suPV89PaRiaLReCp3alxtVC+I5X5adGcTMy/2gvJ5okf
         fd8bEbncjvR4ApLsARyG1fvmeWNi9Pr5rXO6ZUziRPFoHSCKAnZk96PzzVO9UGco0rsa
         r6Mg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@linutronix.de header.s=2020 header.b=Fc5TQjoQ;
       dkim=neutral (no key) header.i=@linutronix.de header.s=2020e;
       arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de);
       spf=pass (google.com: domain of linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de
Return-Path: <linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id t12-20020a17090340cc00b001ec2607893csi437475pld.399.2024.04.29.14.17.10
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 29 Apr 2024 14:17:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linutronix.de header.s=2020 header.b=Fc5TQjoQ;
       dkim=neutral (no key) header.i=@linutronix.de header.s=2020e;
       arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de);
       spf=pass (google.com: domain of linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 9B746B23561
	for <linux.lists.archive@gmail.com>; Mon, 29 Apr 2024 21:08:08 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id C1923178CEE;
	Mon, 29 Apr 2024 21:04:45 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="Fc5TQjoQ";
	dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="qKZlLs+g"
Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7A99A178CC5;
	Mon, 29 Apr 2024 21:04:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1714424685; cv=none; b=cWq0VMhQ5Oo00tcQKlo2PsMUtvE1URnDYUbJJOFDUbWimHX+DXftCRTgf0qPGJsoU7ewQJt4/7z4inNlHooUjhcGA3MmI0+PGB0pVWbBbFL+2LgJr2cGubzyrmlTlVakonUtAtT+fjNKv9eRmr2uYFK6UDsx1OsxeIHoKwtCECQ=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1714424685; c=relaxed/simple;
	bh=RJU+rqzbC2GGAl4tdD5o6ueZMzfbxZmF8XAZfOL96T8=;
	h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID:
	 MIME-Version:Content-Type; b=iPx6dvO7PNH57uqxNWBNe7aSlSchD5YsKctGn3gEKKH0p+n//85xENIZpXETJnVWdwSOF0bovqHXvmgmohG4E4VFKl8+lbZQb28C3f1YbxQ5pgA2tbcs+1UDEPHsnKTgpipxaQE3Te55p7mgWPCQagPnz7ln3ZY0qGvB3HPuIgY=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=Fc5TQjoQ; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=qKZlLs+g; arc=none smtp.client-ip=193.142.43.55
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de
From: Thomas Gleixner <tglx@linutronix.de>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de;
	s=2020; t=1714424681;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=fTxwFLVccxj2TMlIRUP97VQiicQibR0IBgIQhq6q02k=;
	b=Fc5TQjoQViZhw1EV1ApD2hD4We9rVGUJ+kTDcHsZrBT2bAPodN3X7vJ7jpMPon2JFfznkx
	KyftyqF46wOw4kjWPxu3BbeP99YKx7xSySTJ3iSuanmUZSQHIoVnKZVPJS8snSkJujCcrx
	sX/74UYcXZacHk+V2S0s6jrchU3ecfh4mgO3MPktzpD6d64HyaAVRD2cqdVG1rSoC+LBTb
	YMvaBFWTMQIWia1idgTNzIYRoTBBjF1/H1bncgQw4/UOog9GQbAbhHEKOniphP4V5IPJHY
	Yk26lbR0/JvzmOb86lWAnV5YPSyh8Nk7k2BiTe8baP4cK1ptG18MWbcL6Yxc0w==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de;
	s=2020e; t=1714424681;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=fTxwFLVccxj2TMlIRUP97VQiicQibR0IBgIQhq6q02k=;
	b=qKZlLs+gbIvDn89xz6XtsUzOqd4E7crbcHbGIgxjLJjbG0KLGY3sJcLJsDvpNcMwpImEqm
	P2ZKjBiz6L0vZpDQ==
To: Mostafa Saleh <smostafa@google.com>, bhelgaas@google.com,
 linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: ilpo.jarvinen@linux.intel.com, kernel-team@android.com, Mostafa Saleh
 <smostafa@google.com>
Subject: Re: [PATCH] PCI/MSI: Fix UAF in msi_capability_init
In-Reply-To: <20240429034112.140594-1-smostafa@google.com>
References: <20240429034112.140594-1-smostafa@google.com>
Date: Mon, 29 Apr 2024 23:04:39 +0200
Message-ID: <87zftbswwo.ffs@tglx>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain

On Mon, Apr 29 2024 at 03:41, Mostafa Saleh wrote:
>  err:
> -	pci_msi_unmask(entry, msi_multi_mask(entry));
> +	/* Re-read the descriptor as it might have been freed */
> +	entry = msi_first_desc(&dev->dev, MSI_DESC_ALL);
> +	if (entry)
> +		pci_msi_unmask(entry, msi_multi_mask(entry));

What unmasks the entry in the NULL case?

The mask has to be undone. So you need something like the uncompiled
below.

Thanks,

        tglx
---

--- a/drivers/pci/msi/msi.c
+++ b/drivers/pci/msi/msi.c
@@ -349,7 +349,7 @@ static int msi_capability_init(struct pc
 			       struct irq_affinity *affd)
 {
 	struct irq_affinity_desc *masks = NULL;
-	struct msi_desc *entry;
+	struct msi_desc *entry, desc;
 	int ret;
 
 	/* Reject multi-MSI early on irq domain enabled architectures */
@@ -374,6 +374,12 @@ static int msi_capability_init(struct pc
 	/* All MSIs are unmasked by default; mask them all */
 	entry = msi_first_desc(&dev->dev, MSI_DESC_ALL);
 	pci_msi_mask(entry, msi_multi_mask(entry));
+	/*
+	 * Copy the MSI descriptor for the error path because
+	 * pci_msi_setup_msi_irqs() will free it for the hierarchical
+	 * interrupt domain case.
+	 */
+	memcpy(&desc, entry, sizeof(desc));
 
 	/* Configure MSI capability structure */
 	ret = pci_msi_setup_msi_irqs(dev, nvec, PCI_CAP_ID_MSI);
@@ -393,7 +399,7 @@ static int msi_capability_init(struct pc
 	goto unlock;
 
 err:
-	pci_msi_unmask(entry, msi_multi_mask(entry));
+	pci_msi_unmask(&desc, msi_multi_mask(&desc));
 	pci_free_msi_irqs(dev);
 fail:
 	dev->msi_enabled = 0;