superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/include
History
Niklas Schnelle a2410d0c3d PCI: s390: Fix use-after-free of PCI resources with per-function hotplug 
[ Upstream commit ab90950985 ]

On s390 PCI functions may be hotplugged individually even when they
belong to a multi-function device. In particular on an SR-IOV device VFs
may be removed and later re-added.

In commit a50297cf82 ("s390/pci: separate zbus creation from
scanning") it was missed however that struct pci_bus and struct
zpci_bus's resource list retained a reference to the PCI functions MMIO
resources even though those resources are released and freed on
hot-unplug. These stale resources may subsequently be claimed when the
PCI function re-appears resulting in use-after-free.

One idea of fixing this use-after-free in s390 specific code that was
investigated was to simply keep resources around from the moment a PCI
function first appeared until the whole virtual PCI bus created for
a multi-function device disappears. The problem with this however is
that due to the requirement of artificial MMIO addreesses (address
cookies) extra logic is then needed to keep the address cookies
compatible on re-plug. At the same time the MMIO resources semantically
belong to the PCI function so tying their lifecycle to the function
seems more logical.

Instead a simpler approach is to remove the resources of an individually
hot-unplugged PCI function from the PCI bus's resource list while
keeping the resources of other PCI functions on the PCI bus untouched.

This is done by introducing pci_bus_remove_resource() to remove an
individual resource. Similarly the resource also needs to be removed
from the struct zpci_bus's resource list. It turns out however, that
there is really no need to add the MMIO resources to the struct
zpci_bus's resource list at all and instead we can simply use the
zpci_bar_struct's resource pointer directly.

Fixes: a50297cf82 ("s390/pci: separate zbus creation from scanning")
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://lore.kernel.org/r/20230306151014.60913-2-schnelle@linux.ibm.com
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2023-03-22 13:33:45 +01:00
..
acpi PCI/ACPI: Account for _S0W of the target bridge in acpi_pci_bridge_d3() 2023-03-11 13:55:33 +01:00
asm-generic arch: fix broken BuildID for arm64 and riscv 2023-02-25 11:25:42 +01:00
clocksource
crypto
drm drm/msm/gem: Prevent blocking within shrinker loop 2023-03-22 13:33:39 +01:00
dt-bindings dt-bindings: clocks: imx8mp: Add ID for usb suspend clock 2022-12-31 13:33:09 +01:00
keys
kunit kunit: fix kunit_test_init_section_suites(...) 2023-02-09 11:28:08 +01:00
kvm
linux PCI: s390: Fix use-after-free of PCI resources with per-function hotplug 2023-03-22 13:33:45 +01:00
math-emu
media media: uvcvideo: Add GUID for BGRA/X 8:8:8:8 2023-03-11 13:55:35 +01:00
memory memory: renesas-rpc-if: Split-off private data from struct rpcif 2023-03-11 13:55:17 +01:00
misc
net netfilter: tproxy: fix deadlock due to missing BH disable 2023-03-17 08:50:25 +01:00
pcmcia
ras
rdma
rv
scsi scsi: core: Add BLIST_NO_VPD_SIZE for some VDASD 2023-03-22 13:33:43 +01:00
soc ARM: at91: pm: avoid soft resetting AC DLL 2022-11-01 12:25:19 +02:00
sound ASoC: soc-dapm.h: fixup warning struct snd_pcm_substream not declared 2023-03-10 09:33:23 +01:00
target
trace fd: dlm: trace send/recv of dlm message and rcom 2023-03-17 08:50:18 +01:00
uapi usb: uvc: Enumerate valid values for color matching 2023-03-11 13:55:38 +01:00
ufs scsi: ufs: exynos: Fix DMA alignment for PAGE_SIZE != 4096 2023-03-10 09:33:15 +01:00
vdso
video
xen xen/virtio: enable grant based virtio on x86 2022-10-10 14:31:26 +02:00