Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp1628726lqa; Mon, 29 Apr 2024 14:17:11 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUpyl/SfNqrbJaRoxPCSJYTQsJgtPMe/8UHBKoe8bp8gLXFBar0ekAzQxgzJmcNcrVUYqdNzTYrVST/JQMtIMv+eKcA+fX3H9lvgpYP7A== X-Google-Smtp-Source: AGHT+IG4zaJJchGF0Fu9Qz0/FI5xIIoyfSgUzu+upulsN2hko2uTSwyRWkKVfhsVjlI3g4zA6OGu X-Received: by 2002:a17:903:228c:b0:1eb:7162:82c7 with SMTP id b12-20020a170903228c00b001eb716282c7mr1108972plh.18.1714425431525; Mon, 29 Apr 2024 14:17:11 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714425431; cv=pass; d=google.com; s=arc-20160816; b=KTPMrs0NewsP2foQ9NU5bsMhxRA21+uywipZDFc2Jo/X3G50p0VmlRMTDURqsJLvBd 4+iP/CTeGh9HTxdVVa1MEk0Ur5xsJWULOmPyLeaHS1qQDnZeo+aKiaiieZvC9GVJQ0jw LyrjGYS+m3kcoQQyUx25OUcL8FL8l6VNZtt3RcjTRh54v3yGZDIMMdwmj8RYyP3N7xie xh/jA1uDH1MCaRE3eAxzS/b3/0PxBgAkNxmi9uKvvLm5R4ie9xdNgcMrfXMcqgHAy6ve 1Qn3arQy6rzi16+wFJzW5xJOF12myW1pELKsY4RkzODLejhaBFRvszpInOxcVvphmnKv yDGg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :message-id:date:references:in-reply-to:subject:cc:to:dkim-signature :dkim-signature:from; bh=fTxwFLVccxj2TMlIRUP97VQiicQibR0IBgIQhq6q02k=; fh=qMi8i9tWFLer8k/VuXMKxhtk65Z4ZiFxfkJjN0elggY=; b=BKSYq1ckT7sRwCfvylCM+ZaAWFVWV4P1nxXMeliAos3+yD55i3ilJSRT7k+8cWohnM vRdf41GtNiTlte3DrXi7yRSLzxbnN98MneXzz4XeuQPSLIWTION7k3J3o8GzxHCv5n51 ud6NoTBBZF2+IAs2A7oYuWOr3DK5oRQnMGOBGbC/rB39mQjS8QRxEItDaD83eTBXYEzo YmKvNho5ja93tBNa1CCuwwC8suPV89PaRiaLReCp3alxtVC+I5X5adGcTMy/2gvJ5okf fd8bEbncjvR4ApLsARyG1fvmeWNi9Pr5rXO6ZUziRPFoHSCKAnZk96PzzVO9UGco0rsa r6Mg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=Fc5TQjoQ; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id t12-20020a17090340cc00b001ec2607893csi437475pld.399.2024.04.29.14.17.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Apr 2024 14:17:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=Fc5TQjoQ; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-163057-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 9B746B23561 for ; Mon, 29 Apr 2024 21:08:08 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id C1923178CEE; Mon, 29 Apr 2024 21:04:45 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="Fc5TQjoQ"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="qKZlLs+g" Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7A99A178CC5; Mon, 29 Apr 2024 21:04:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714424685; cv=none; b=cWq0VMhQ5Oo00tcQKlo2PsMUtvE1URnDYUbJJOFDUbWimHX+DXftCRTgf0qPGJsoU7ewQJt4/7z4inNlHooUjhcGA3MmI0+PGB0pVWbBbFL+2LgJr2cGubzyrmlTlVakonUtAtT+fjNKv9eRmr2uYFK6UDsx1OsxeIHoKwtCECQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714424685; c=relaxed/simple; bh=RJU+rqzbC2GGAl4tdD5o6ueZMzfbxZmF8XAZfOL96T8=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=iPx6dvO7PNH57uqxNWBNe7aSlSchD5YsKctGn3gEKKH0p+n//85xENIZpXETJnVWdwSOF0bovqHXvmgmohG4E4VFKl8+lbZQb28C3f1YbxQ5pgA2tbcs+1UDEPHsnKTgpipxaQE3Te55p7mgWPCQagPnz7ln3ZY0qGvB3HPuIgY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=Fc5TQjoQ; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=qKZlLs+g; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de From: Thomas Gleixner DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1714424681; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=fTxwFLVccxj2TMlIRUP97VQiicQibR0IBgIQhq6q02k=; b=Fc5TQjoQViZhw1EV1ApD2hD4We9rVGUJ+kTDcHsZrBT2bAPodN3X7vJ7jpMPon2JFfznkx KyftyqF46wOw4kjWPxu3BbeP99YKx7xSySTJ3iSuanmUZSQHIoVnKZVPJS8snSkJujCcrx sX/74UYcXZacHk+V2S0s6jrchU3ecfh4mgO3MPktzpD6d64HyaAVRD2cqdVG1rSoC+LBTb YMvaBFWTMQIWia1idgTNzIYRoTBBjF1/H1bncgQw4/UOog9GQbAbhHEKOniphP4V5IPJHY Yk26lbR0/JvzmOb86lWAnV5YPSyh8Nk7k2BiTe8baP4cK1ptG18MWbcL6Yxc0w== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1714424681; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=fTxwFLVccxj2TMlIRUP97VQiicQibR0IBgIQhq6q02k=; b=qKZlLs+gbIvDn89xz6XtsUzOqd4E7crbcHbGIgxjLJjbG0KLGY3sJcLJsDvpNcMwpImEqm P2ZKjBiz6L0vZpDQ== To: Mostafa Saleh , bhelgaas@google.com, linux-pci@vger.kernel.org, linux-kernel@vger.kernel.org Cc: ilpo.jarvinen@linux.intel.com, kernel-team@android.com, Mostafa Saleh Subject: Re: [PATCH] PCI/MSI: Fix UAF in msi_capability_init In-Reply-To: <20240429034112.140594-1-smostafa@google.com> References: <20240429034112.140594-1-smostafa@google.com> Date: Mon, 29 Apr 2024 23:04:39 +0200 Message-ID: <87zftbswwo.ffs@tglx> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain On Mon, Apr 29 2024 at 03:41, Mostafa Saleh wrote: > err: > - pci_msi_unmask(entry, msi_multi_mask(entry)); > + /* Re-read the descriptor as it might have been freed */ > + entry = msi_first_desc(&dev->dev, MSI_DESC_ALL); > + if (entry) > + pci_msi_unmask(entry, msi_multi_mask(entry)); What unmasks the entry in the NULL case? The mask has to be undone. So you need something like the uncompiled below. Thanks, tglx --- --- a/drivers/pci/msi/msi.c +++ b/drivers/pci/msi/msi.c @@ -349,7 +349,7 @@ static int msi_capability_init(struct pc struct irq_affinity *affd) { struct irq_affinity_desc *masks = NULL; - struct msi_desc *entry; + struct msi_desc *entry, desc; int ret; /* Reject multi-MSI early on irq domain enabled architectures */ @@ -374,6 +374,12 @@ static int msi_capability_init(struct pc /* All MSIs are unmasked by default; mask them all */ entry = msi_first_desc(&dev->dev, MSI_DESC_ALL); pci_msi_mask(entry, msi_multi_mask(entry)); + /* + * Copy the MSI descriptor for the error path because + * pci_msi_setup_msi_irqs() will free it for the hierarchical + * interrupt domain case. + */ + memcpy(&desc, entry, sizeof(desc)); /* Configure MSI capability structure */ ret = pci_msi_setup_msi_irqs(dev, nvec, PCI_CAP_ID_MSI); @@ -393,7 +399,7 @@ static int msi_capability_init(struct pc goto unlock; err: - pci_msi_unmask(entry, msi_multi_mask(entry)); + pci_msi_unmask(&desc, msi_multi_mask(&desc)); pci_free_msi_irqs(dev); fail: dev->msi_enabled = 0;