mirror-linux/drivers
Niklas Schnelle a2410d0c3d PCI: s390: Fix use-after-free of PCI resources with per-function hotplug
[ Upstream commit ab90950985 ]

On s390 PCI functions may be hotplugged individually even when they
belong to a multi-function device. In particular on an SR-IOV device VFs
may be removed and later re-added.

In commit a50297cf82 ("s390/pci: separate zbus creation from
scanning") it was missed however that struct pci_bus and struct
zpci_bus's resource list retained a reference to the PCI functions MMIO
resources even though those resources are released and freed on
hot-unplug. These stale resources may subsequently be claimed when the
PCI function re-appears resulting in use-after-free.

One idea of fixing this use-after-free in s390 specific code that was
investigated was to simply keep resources around from the moment a PCI
function first appeared until the whole virtual PCI bus created for
a multi-function device disappears. The problem with this however is
that due to the requirement of artificial MMIO addresses (address
cookies) extra logic is then needed to keep the address cookies
compatible on re-plug. At the same time the MMIO resources semantically
belong to the PCI function so tying their lifecycle to the function
seems more logical.

Instead a simpler approach is to remove the resources of an individually
hot-unplugged PCI function from the PCI bus's resource list while
keeping the resources of other PCI functions on the PCI bus untouched.

This is done by introducing pci_bus_remove_resource() to remove an
individual resource. Similarly the resource also needs to be removed
from the struct zpci_bus's resource list. It turns out however, that
there is really no need to add the MMIO resources to the struct
zpci_bus's resource list at all and instead we can simply use the
zpci_bar_struct's resource pointer directly.

Fixes: a50297cf82 ("s390/pci: separate zbus creation from scanning")
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://lore.kernel.org/r/20230306151014.60913-2-schnelle@linux.ibm.com
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-03-22 13:33:45 +01:00
..
accessibility tty: fix possible null-ptr-defer in spk_ttyio_release 2023-01-24 07:24:37 +01:00
acpi PCI/ACPI: Account for _S0W of the target bridge in acpi_pci_bridge_d3() 2023-03-11 13:55:33 +01:00
amba
android
ata ata: ahci: Revert "ata: ahci: Add Tiger Lake UP{3,4} AHCI controller" 2023-03-10 09:32:32 +01:00
atm
auxdisplay auxdisplay: hd44780: Fix potential memory leak in hd44780_remove() 2023-03-11 13:55:16 +01:00
base drivers: base: dd: fix memory leak with using debugfs_lookup() 2023-03-11 13:55:39 +01:00
bcma
block loop: loop_set_status_from_info() check before assignment 2023-03-11 13:55:30 +01:00
bluetooth Bluetooth: btusb: Add VID:PID 13d3:3529 for Realtek RTL8821CE 2023-03-10 09:33:53 +01:00
bus bus: mhi: ep: Change state_lock to mutex 2023-03-17 08:50:19 +01:00
cdrom
char tpm/eventlog: Don't abort tpm_read_log on faulty ACPI address 2023-03-17 08:50:30 +01:00
clk clk: HI655X: select REGMAP instead of depending on it 2023-03-22 13:33:40 +01:00
clocksource clocksource/drivers/riscv: Patch riscv_clock_next_event() jump before first use 2023-03-10 09:33:03 +01:00
comedi comedi: adv_pci1760: Fix PWM instruction handling 2023-01-24 07:24:35 +01:00
connector
counter
cpufreq cpufreq: davinci: Fix clk use after free 2023-03-10 09:33:01 +01:00
cpuidle cpuidle: add ARCH_SUSPEND_POSSIBLE dependencies 2023-03-10 09:34:22 +01:00
crypto crypto: qat - fix out-of-bounds read 2023-03-10 09:34:19 +01:00
cxl cxl/pmem: Fix nvdimm registration races 2023-03-10 09:34:20 +01:00
dax dax/kmem: Fix leak of memory-hotplug resources 2023-03-10 09:34:25 +01:00
dca
devfreq
dio
dma dmaengine: ptdma: check for null desc before calling pt_cmd_callback 2023-03-10 09:33:39 +01:00
dma-buf dma-buf: actually set signaling bit for private stub fences 2023-02-09 11:28:23 +01:00
edac EDAC/qcom: Do not pass llcc_driv_data as edac_device_ctl_info's pvt_info 2023-02-01 08:34:40 +01:00
eisa
extcon
firewire firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region 2023-02-09 11:27:59 +01:00
firmware firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3 2023-03-11 13:55:32 +01:00
fpga fpga: microchip-spi: rewrite status polling in a time measurable way 2023-03-10 09:33:34 +01:00
fsi use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
gnss
gpio gpio: vf610: connect GPIO label to dev name 2023-03-10 09:33:18 +01:00
gpu drm/meson: fix 1px pink line on GXM when scaling video overlay 2023-03-22 13:33:39 +01:00
greybus
hid HID: uhid: Over-ride the default maximum data buffer value with our own 2023-03-17 08:50:17 +01:00
hsi
hte
hv HV: hv_balloon: fix memory leak with using debugfs_lookup() 2023-02-09 11:28:21 +01:00
hwmon hwmon: (nct6775) Fix incorrect parenthesization in nct6775_write_fan_div() 2023-03-10 09:34:23 +01:00
hwspinlock
hwtracing hwtracing: hisi_ptt: Only add the supported devices to the filters list 2023-03-10 09:33:31 +01:00
i2c i2c: designware: fix i2c_dw_clk_rate() return size to be u32 2023-03-10 09:33:29 +01:00
i3c
idle cpuidle, intel_idle: Fix CPUIDLE_FLAG_IRQ_ENABLE *again* 2023-03-10 09:32:36 +01:00
iio iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word() 2023-03-11 13:55:35 +01:00
infiniband RDMA/cma: Distinguish between sockaddr_in and sockaddr_in6 by size 2023-03-11 13:55:40 +01:00
input Input: exc3000 - properly stop timer on shutdown 2023-03-17 08:50:19 +01:00
interconnect interconnect: qcom: msm8996: Fix regmap max_register values 2023-02-01 08:34:06 +01:00
iommu iommu: Attach device group to old domain in error path 2023-03-11 13:55:40 +01:00
ipack
irqchip irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts 2023-03-10 09:33:07 +01:00
isdn use less confusing names for iov_iter direction initializers 2023-02-09 11:28:04 +01:00
leds leds: simatic-ipc-leds-gpio: Make sure we have the GPIO providing driver 2023-03-10 09:33:26 +01:00
macintosh macintosh: windfarm: Use unsigned type for 1-bit bitfields 2023-03-17 08:50:31 +01:00
mailbox
mcb
md dm flakey: fix a bug with 32-bit highmem systems 2023-03-10 09:34:23 +01:00
media media: rc: gpio-ir-recv: add remove function 2023-03-17 08:50:32 +01:00
memory memory: renesas-rpc-if: Move resource acquisition to .probe() 2023-03-11 13:55:17 +01:00
memstick
message
mfd mfd: arizona: Use pm_runtime_resume_and_get() to prevent refcnt leak 2023-03-11 13:55:32 +01:00
misc misc: vmw_balloon: fix memory leak with using debugfs_lookup() 2023-03-11 13:55:39 +01:00
mmc mmc: mmc_spi: fix error handling in mmc_spi_probe() 2023-02-22 12:59:48 +01:00
most
mtd ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed 2023-03-11 13:55:21 +01:00
mux
net i40e: Fix kernel crash during reboot when adapter is in recovery mode 2023-03-22 13:33:44 +01:00
nfc nfc: pn533: initialize struct pn533_out_arg properly 2023-03-22 13:33:44 +01:00
ntb
nubus
nvdimm cxl/pmem: Fix nvdimm registration races 2023-03-10 09:34:20 +01:00
nvme nvme-fabrics: show well known discovery name 2023-03-11 13:55:31 +01:00
nvmem nvmem: core: fix return value 2023-02-09 11:28:25 +01:00
of of: reserved_mem: Have kmemleak ignore dynamically allocated reserved mem 2023-02-22 12:59:46 +01:00
opp OPP: fix error checking in opp_migrate_dentry() 2023-03-10 09:33:01 +01:00
parisc
parport
pci PCI: s390: Fix use-after-free of PCI resources with per-function hotplug 2023-03-22 13:33:45 +01:00
pcmcia
peci
perf Partially revert "perf/arm-cmn: Optimise DTC counter accesses" 2023-02-01 08:34:49 +01:00
phy phy: rockchip-typec: Fix unsigned comparison with less than zero 2023-03-11 13:55:40 +01:00
pinctrl pinctrl: at91: use devm_kasprintf() to avoid potential leaks 2023-03-10 09:33:59 +01:00
platform platform: x86: MLX_PLATFORM: select REGMAP instead of depending on it 2023-03-17 08:50:27 +01:00
pnp
power power: supply: remove faulty cooling logic 2023-03-10 09:33:36 +01:00
powercap powercap: fix possible name leak in powercap_register_zone() 2023-03-10 09:32:56 +01:00
pps
ps3
ptp ptp: vclock: use mutex to fix "sleep on atomic" bug 2023-03-11 13:55:25 +01:00
pwm pwm: stm32-lp: fix the check on arr and cmp registers update 2023-03-11 13:55:17 +01:00
rapidio
ras
regulator regulator: core: Use ktime_get_boottime() to determine how long a regulator was off 2023-03-10 09:34:25 +01:00
remoteproc remoteproc/mtk_scp: Move clk ops outside send_lock 2023-03-10 09:34:26 +01:00
reset reset: uniphier-glue: Fix possible null-ptr-deref 2023-02-01 08:34:05 +01:00
rpmsg rpmsg: glink: Release driver_override 2023-03-10 09:33:45 +01:00
rtc rtc: allow rtc_read_alarm without read_alarm callback 2023-03-11 13:55:30 +01:00
s390 s390: vfio-ap: tighten the NIB validity check 2023-03-10 09:33:02 +01:00
sbus
scsi scsi: core: Fix a procfs host directory removal regression 2023-03-22 13:33:43 +01:00
sh
siox
slimbus
soc soc: qcom: stats: Populate all subsystem debugfs files 2023-03-11 13:55:22 +01:00
soundwire soundwire: cadence: Drain the RX FIFO after an IO timeout 2023-03-11 13:55:40 +01:00
spi spi: intel: Check number of chip selects after reading the descriptor 2023-03-17 08:50:20 +01:00
spmi
ssb
staging staging: rtl8723bs: Pass correct parameters to cfg80211_get_bss() 2023-03-17 08:50:16 +01:00
target scsi: target: core: Fix warning on RT kernels 2023-02-09 11:28:12 +01:00
tc
tee
thermal thermal: intel: BXT_PMIC: select REGMAP instead of depending on it 2023-03-11 13:55:32 +01:00
thunderbolt thunderbolt: Do not call PM runtime functions in tb_retimer_scan() 2023-01-24 07:24:37 +01:00
tty tty: pcn_uart: fix memory leak with using debugfs_lookup() 2023-03-11 13:55:39 +01:00
ufs scsi: ufs: core: Fix device management cmd timeout flow 2023-03-10 09:34:00 +01:00
uio
usb usb: gadget: uvc: fix missing mutex_unlock() if kstrtou8() fails 2023-03-11 13:55:44 +01:00
vdpa vdpa_sim: set last_used_idx as last_avail_idx in vdpasim_queue_ready 2023-03-22 13:33:44 +01:00
vfio vfio/type1: restore locked_vm 2023-03-10 09:34:32 +01:00
vhost vhost-vdpa: free iommu domain after last use during cleanup 2023-03-22 13:33:44 +01:00
video fbdev: chipsfb: Fix error codes in chipsfb_pci_init() 2023-03-22 13:33:39 +01:00
virt virt/sev-guest: Return -EIO if certificate buffer is not large enough 2023-03-10 09:34:14 +01:00
virtio virtio_pci: modify ENOENT to EINVAL 2023-01-24 07:24:31 +01:00
vlynq
w1 w1: fix WARNING after calling w1_process() 2023-02-01 08:34:26 +01:00
watchdog watchdog: sbsa_wdog: Make sure the timeout programming is within the limits 2023-03-11 13:55:24 +01:00
xen xen/grant-dma-iommu: Implement a dummy probe_device() callback 2023-03-10 09:33:02 +01:00
zorro
Kconfig
Makefile