kernel_samsung_a53x/drivers
Lukas Wunner bc2bb965ce PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
commit 11a1f4bc47362700fcbde717292158873fb847ed upstream.

Keith reports a use-after-free when a DPC event occurs concurrently to
hot-removal of the same portion of the hierarchy:

The dpc_handler() awaits readiness of the secondary bus below the
Downstream Port where the DPC event occurred.  To do so, it polls the
config space of the first child device on the secondary bus.  If that
child device is concurrently removed, accesses to its struct pci_dev
cause the kernel to oops.

That's because pci_bridge_wait_for_secondary_bus() neglects to hold a
reference on the child device.  Before v6.3, the function was only
called on resume from system sleep or on runtime resume.  Holding a
reference wasn't necessary back then because the pciehp IRQ thread
could never run concurrently.  (On resume from system sleep, IRQs are
not enabled until after the resume_noirq phase.  And runtime resume is
always awaited before a PCI device is removed.)

However starting with v6.3, pci_bridge_wait_for_secondary_bus() is also
called on a DPC event.  Commit 53b54ad074de ("PCI/DPC: Await readiness
of secondary bus after reset"), which introduced that, failed to
appreciate that pci_bridge_wait_for_secondary_bus() now needs to hold a
reference on the child device because dpc_handler() and pciehp may
indeed run concurrently.  The commit was backported to v5.10+ stable
kernels, so that's the oldest one affected.

Add the missing reference acquisition.

Abridged stack trace:

  BUG: unable to handle page fault for address: 00000000091400c0
  CPU: 15 PID: 2464 Comm: irq/53-pcie-dpc 6.9.0
  RIP: pci_bus_read_config_dword+0x17/0x50
  pci_dev_wait()
  pci_bridge_wait_for_secondary_bus()
  dpc_reset_link()
  pcie_do_recovery()
  dpc_handler()

Fixes: 53b54ad074de ("PCI/DPC: Await readiness of secondary bus after reset")
Closes: https://lore.kernel.org/r/20240612181625.3604512-3-kbusch@meta.com/
Link: https://lore.kernel.org/linux-pci/8e4bcd4116fd94f592f2bf2749f168099c480ddf.1718707743.git.lukas@wunner.de
Reported-by: Keith Busch <kbusch@kernel.org>
Tested-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-23 23:20:30 +01:00
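The race the message describes, reduced to a deterministic single-threaded model as an added example (this is not code from the commit or from the kernel): the waiter takes the first child of the secondary bus, hot-removal runs in the window before the config-space read, and only a reference held by the waiter itself keeps the object alive across that window. All names are invented stand-ins (model_dev for struct pci_dev, dev_get/dev_put for pci_dev_get()/pci_dev_put(), read_config for pci_bus_read_config_dword(), run_scenario for the interleaving); the last put sets a flag instead of freeing, so the use-after-free shows up as a return code rather than an oops, and a counter records how many times the "free" ran.

```c
#include <stdbool.h>
#include <stdlib.h>

/*
 * Added example, not code from this commit or from the Linux kernel.  It
 * models the lifetime rule the fix depends on: code that polls a child device
 * across a window in which hot-removal may run must hold its own reference.
 * All names are invented stand-ins; the last dev_put() sets a "freed" flag
 * instead of calling kfree(), so a use-after-free is observable, not a crash.
 */
struct model_dev {
	int refcnt;             /* stands in for the kref in struct pci_dev */
	bool freed;             /* set when the last reference is dropped */
	int free_count;         /* times "kfree" ran; must end up 0 or 1 */
	unsigned int config_id; /* the config-space dword the waiter polls */
};

struct model_bus {
	struct model_dev *first_child; /* NULL once hot-removal unlinked it */
};

static void dev_get(struct model_dev *d)
{
	d->refcnt++;
}

static void dev_put(struct model_dev *d)
{
	if (--d->refcnt == 0) {
		d->freed = true; /* the kernel would kfree() here */
		d->free_count++;
	}
}

/* Models pci_bus_read_config_dword(); -1 is the oops from the report. */
static int read_config(const struct model_dev *d, unsigned int *val)
{
	if (d->freed)
		return -1;
	*val = d->config_id;
	return 0;
}

/* Hot-removal (pciehp side): unlink the child and drop the bus's reference. */
static void bus_remove_child(struct model_bus *bus)
{
	struct model_dev *child = bus->first_child;

	bus->first_child = NULL;
	dev_put(child);
}

enum outcome { OUTCOME_OK, OUTCOME_NO_CHILD, OUTCOME_UAF };

/*
 * Models pci_bridge_wait_for_secondary_bus(): take the first child, then poll
 * it.  @concurrent runs in between, which is where the pciehp IRQ thread can
 * remove the device.  @hold_ref is the get/put pair the fix adds.
 */
static enum outcome wait_for_secondary_bus(struct model_bus *bus, bool hold_ref,
					   void (*concurrent)(struct model_bus *))
{
	struct model_dev *child = bus->first_child;
	unsigned int val;
	int rc;

	if (!child)
		return OUTCOME_NO_CHILD;
	if (hold_ref)
		dev_get(child);
	if (concurrent)
		concurrent(bus);
	rc = read_config(child, &val);
	if (hold_ref)
		dev_put(child);
	return rc ? OUTCOME_UAF : OUTCOME_OK;
}

/*
 * Run one interleaving against a freshly constructed child device.
 * *free_count reports how many times the child was released: 1 means exactly
 * once, 0 means the bus still owns it when the waiter returns.
 */
static enum outcome run_scenario(bool hold_ref, bool removal_races,
				 int *free_count)
{
	struct model_dev *child = calloc(1, sizeof(*child));
	struct model_bus bus = { .first_child = child };
	enum outcome o;

	child->refcnt = 1;             /* the bus's own reference */
	child->config_id = 0x12345678; /* constructed, not a real device ID */
	o = wait_for_secondary_bus(&bus, hold_ref,
				   removal_races ? bus_remove_child : NULL);
	*free_count = child->free_count;
	free(child); /* the model only flagged the release; give memory back */
	return o;
}
```

run_scenario(false, true, &n) reproduces the report: the bus's put drops the last reference, the child is released, and the waiter's read hits a freed object (OUTCOME_UAF). run_scenario(true, true, &n) is the fixed path: the waiter's own reference keeps the child alive through the removal, the read succeeds, and the child is released exactly once, by the waiter's put. The kernel equivalent of that pair is pci_dev_get() on the child before the polling loop and pci_dev_put() after it.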
accessibility speakup: Fix sizeof() vs ARRAY_SIZE() bug 2024-11-19 12:26:51 +01:00
acpi ACPI: SBS: manage alarm sysfs attribute through psy core 2024-11-23 23:20:23 +01:00
amba
android binder: fix hang of unregistered readers 2024-11-23 23:20:14 +01:00
ata ata: libata-core: Fix double free on error 2024-11-19 14:19:34 +01:00
atm atm: idt77252: fix a memleak in open_card_ubr0 2024-11-18 12:13:24 +01:00
auxdisplay
base driver core: Fix uevent_show() vs driver detach race 2024-11-23 23:20:28 +01:00
battery drivers: battery_v2: sec_battery: export {CURRENT/VOLTAGE}_MAX to sysfs 2024-11-17 17:43:14 +01:00
bcma
block rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings 2024-11-23 23:20:16 +01:00
bluetooth Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591 2024-11-23 23:20:16 +01:00
bts
bus bus: tegra-aconnect: Update dependency to ARCH_TEGRA 2024-11-19 08:44:45 +01:00
cdrom
char hwrng: amd - Convert PCIBIOS_* return codes to errnos 2024-11-23 23:20:14 +01:00
clk clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use 2024-11-23 23:20:14 +01:00
clocksource clocksource/drivers/sh_cmt: Address race condition for clock events 2024-11-23 23:20:23 +01:00
connector
counter counter: ti-eqep: enable clock at probe 2024-11-19 14:19:33 +01:00
cpufreq cpufreq: exit() callback is optional 2024-11-19 12:26:54 +01:00
cpuidle cpuidle: menu: Take negative "sleep length" values into account 2024-11-19 18:01:28 +01:00
crypto crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak 2024-11-19 12:27:18 +01:00
dax
dca
devfreq PM / devfreq: Fix buffer overflow in trans_stat_show 2024-11-19 11:32:38 +01:00
dio
dma dmaengine: ioatdma: Fix missing kmem_cache_destroy() 2024-11-19 14:19:09 +01:00
dma-buf dma-buf/sync_file: Speed up ioctl by omitting debug names 2024-11-19 17:53:23 +01:00
edac EDAC, i10nm: make skx_common.o a separate module 2024-11-23 23:19:56 +01:00
eisa
extcon extcon: max8997: select IRQ_DOMAIN instead of depending on it 2024-11-19 12:27:04 +01:00
fingerprint
firewire firewire: nosy: ensure user_length is taken into account when fetching packet contents 2024-11-19 11:32:46 +01:00
firmware firmware: turris-mox-rwtm: Initialize completion before mailbox 2024-11-23 23:20:06 +01:00
fpga fpga: region: add owner module and take its refcount 2024-11-19 12:27:04 +01:00
fsi
gnss
gpio gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1) 2024-11-19 14:19:33 +01:00
gpu drm/mgag200: Set DDC timeout in milliseconds 2024-11-23 23:20:30 +01:00
greybus greybus: Fix use-after-free bug in gb_interface_release due to race condition. 2024-11-19 14:19:05 +01:00
gud
hid HID: wacom: Modify pen IDs 2024-11-23 23:20:20 +01:00
hsi
hv Drivers: hv: vmbus: Drop error message when 'No request id available' 2024-11-18 23:19:53 +01:00
hwmon hwmon: (max6697) Fix swapped temp{1,8} critical alarms 2024-11-23 23:19:57 +01:00
hwspinlock
hwtracing coresight: Fix ref leak when of_coresight_parse_endpoint() fails 2024-11-23 23:20:10 +01:00
i2c i2c: smbus: Send alert notifications to all devices if source not found 2024-11-23 23:20:26 +01:00
i3c i3c: master: cdns: Update maximum prescaler value for i2c clock 2024-11-18 12:13:19 +01:00
ide
idle
ifconn
iio iio: chemical: bme680: Fix sensor data read operation 2024-11-19 14:19:33 +01:00
infiniband RDMA/iwcm: Fix a use-after-free related to destroying CM IDs 2024-11-23 23:20:15 +01:00
input Input: elan_i2c - do not leave interrupt disabled on suspend failure 2024-11-23 23:20:10 +01:00
interconnect interconnect: Treat xlate() returning NULL node as an error 2024-11-18 12:12:00 +01:00
iommu iommu: pcie: Fix incorrect kmemleak_ignore() usage 2024-11-19 17:53:28 +01:00
ipack
irqchip irqchip/xilinx: Fix shift out of bounds 2024-11-23 23:20:29 +01:00
isdn mISDN: Fix a use after free in hfcmulti_tx() 2024-11-23 23:20:17 +01:00
kperfmon Kperfmon: add xyunbound version 2024-06-15 16:28:49 -03:00
kq/mesh
leds leds: ss4200: Convert PCIBIOS_* return codes to errnos 2024-11-23 23:20:13 +01:00
lightnvm
macintosh macintosh/therm_windtunnel: fix module unload. 2024-11-23 23:20:11 +01:00
mailbox mailbox: imx: fix suspend failure 2024-11-19 11:32:20 +01:00
mcb mcb: fix error handling for different scenarios when parsing 2024-11-18 11:43:25 +01:00
md md/raid5: avoid BUG_ON() while continue reshape after reassembling 2024-11-23 23:20:23 +01:00
media media: uvcvideo: Fix the bandwidth quirk on USB 3.x 2024-11-23 23:20:24 +01:00
memory
memstick
message
mfd mfd: omap-usb-tll: Use struct_size to allocate tll 2024-11-23 23:20:09 +01:00
misc uid_sys_stats: Remove dependency on the profiling subsystem 2024-11-19 17:53:52 +01:00
mmc mmc: Disable crc check 2024-11-19 17:47:04 +01:00
most
mtd ubi: eba: properly rollback inside self_check_eba 2024-11-23 23:20:14 +01:00
muic
mux
net net: fec: Stop PPS on driver remove 2024-11-23 23:20:22 +01:00
nfc NFC: trf7970a: disable all regulators on removal 2024-11-19 11:32:37 +01:00
ntb
nubus
nvdimm nd_btt: Make BTT lanes preemptible 2024-11-18 11:43:03 +01:00
nvme nvme-pci: add missing condition check for existence of mapped data 2024-11-23 23:20:18 +01:00
nvmem nvmem: meson-efuse: Fix return value of nvmem callbacks 2024-11-19 14:19:45 +01:00
of of: dynamic: Synchronize of_changeset_destroy() with the devlink removals 2024-11-19 09:23:10 +01:00
opp OPP: debugfs: Fix warning around icc_get_name() 2024-11-19 08:44:49 +01:00
oprofile
parisc
parport dev/parport: fix the array out-of-bounds risk 2024-11-23 23:20:14 +01:00
pci PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal 2024-11-23 23:20:30 +01:00
pcmcia pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() 2024-11-18 11:43:06 +01:00
perf perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7 2024-11-08 11:24:52 +01:00
phy phy: tegra: xusb: Add API to retrieve the port number of phy 2024-11-19 09:22:34 +01:00
pinctrl pinctrl: freescale: mxs: Fix refcount of child 2024-11-23 23:20:11 +01:00
platform platform/chrome: cros_ec_proto: Lock device when updating MKBP version 2024-11-23 23:20:20 +01:00
pnp PNP: ACPI: fix fortify warning 2024-11-18 12:13:09 +01:00
power power: supply: axp288_charger: Round constant_charge_voltage writes down 2024-11-23 23:20:29 +01:00
powercap
pps
ps3
ptp ptp: Fix error message on failed pin verification 2024-11-19 14:19:01 +01:00
pwm pwm: stm32: Always do lazy disabling 2024-11-23 23:19:56 +01:00
rapidio
ras
regulator regulator: core: Fix modpost error "regulator_get_regmap" undefined 2024-11-19 14:19:09 +01:00
remoteproc remoteproc: imx_rproc: Skip over memory region when node value is NULL 2024-11-23 23:20:20 +01:00
reset reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning 2024-11-18 12:12:16 +01:00
rpmsg rpmsg: virtio: Free driver_override when rpmsg_remove() 2024-11-18 12:12:56 +01:00
rtc rtc: isl1208: Fix return value of nvmem callbacks 2024-11-23 23:20:15 +01:00
s390 s390/sclp: Prevent release of buffer in I/O 2024-11-23 23:20:24 +01:00
samsung Fix clang 16 errors treewide 2024-06-15 16:28:48 -03:00
sbus
scsi scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES 2024-11-23 23:20:28 +01:00
sensorhub treewide: fix build errors 2024-06-15 16:21:17 -03:00
sensors
sfi
sh
siox
slimbus slimbus: core: Remove usage of the deprecated ida_simple_xx() API 2024-11-19 09:22:34 +01:00
soc drivers: soc: xilinx: check return status of get_api_version() 2024-11-23 23:20:19 +01:00
soundwire soundwire: cadence: fix invalid PDI offset 2024-11-19 12:27:00 +01:00
spi spi: spi-fsl-lpspi: Fix scldiv calculation 2024-11-23 23:20:27 +01:00
spmi
spu_verify
ssb
staging drivers: staging: Import Xiaomi's binder prio driver 2024-11-19 17:46:55 +01:00
sti
target target/file: allocate the bvec array as part of struct target_core_file_cmd 2024-11-19 17:42:15 +01:00
tc
tee tee: optee: Fix kernel panic caused by incorrect error handling 2024-11-19 09:22:39 +01:00
thermal thermal: core: prevent potential string overflow 2024-11-18 11:42:50 +01:00
thunderbolt thunderbolt: Fix wake configurations after device unplug 2024-11-19 11:32:22 +01:00
tty serial: core: check uartclk for zero to avoid divide by zero 2024-11-23 23:20:29 +01:00
uh
uio uio: Fix use-after-free in uio_open 2024-11-18 12:12:19 +01:00
usb usb: gadget: u_serial: Set start_delayed during suspend 2024-11-23 23:20:28 +01:00
vdpa
vfio vfio/fsl-mc: Block calling interrupt handler without trigger 2024-11-19 09:22:45 +01:00
vhost vhost: Add smp_rmb() in vhost_vq_avail_empty() 2024-11-19 11:32:20 +01:00
vibrator
video Optimized Console FrameBuffer for up to 70% increase in Performance 2024-11-19 17:30:21 +01:00
virt
virtio virtio: delete vq in vp_find_vqs_msix() when request_irq() fails 2024-11-19 12:27:09 +01:00
vision
vision3
visorbus
vlynq
vme
w1
watchdog watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin 2024-11-19 12:27:18 +01:00
xen xen/events: close evtchn after mapping cleanup 2024-11-19 09:22:39 +01:00
zorro
Kconfig Added KernelSU 2024-11-19 22:44:48 +01:00
Kconfig.variant1
kernelsu Added KernelSU 2024-11-19 22:44:48 +01:00
Makefile Added KernelSU 2024-11-19 22:44:48 +01:00
Makefile.variant1