linux/drivers/pci/hotplug
Lukas Wunner 281e878eab PCI: pciehp: Fix use-after-free on unplug
When pciehp is unbound (e.g. on unplug of a Thunderbolt device), the
hotplug_slot struct is deregistered and thus freed before freeing the
IRQ.  The IRQ handler and the work items it schedules print the slot
name referenced from the freed structure in various informational and
debug log messages, each time resulting in a quadruple dereference of
freed pointers (hotplug_slot -> pci_slot -> kobject -> name).

At best the slot name is logged as "(null)", at worst kernel memory is
exposed in logs or the driver crashes:

  pciehp 0000:10:00.0:pcie204: Slot((null)): Card not present

An attacker may provoke the bug by unplugging multiple devices on a
Thunderbolt daisy chain at once.  Unplugging can also be simulated by
powering down slots via sysfs.  The bug is particularly easy to trigger
in poll mode.

It has been present since the driver's introduction in 2004:
https://git.kernel.org/tglx/history/c/c16b4b14d980

Fix by rearranging teardown such that the IRQ is freed first.  Run the
work items queued by the IRQ handler to completion before freeing the
hotplug_slot struct by draining the work queue from the ->release_slot
callback which is invoked by pci_hp_deregister().

Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org # v2.6.4
2018-07-23 17:04:10 -05:00
..
acpi_pcihp.c PCI: shpchp: Separate existence of SHPC and permission to use it 2018-06-26 15:38:28 -05:00
acpiphp_core.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
acpiphp_glue.c ACPI / hotplug / PCI: Drop unnecessary parentheses 2018-06-04 12:08:06 -05:00
acpiphp_ibm.c More ACPI updates for v4.16-rc1 2018-02-09 09:44:25 -08:00
acpiphp.h PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpci_hotplug_core.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpci_hotplug_pci.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpci_hotplug.h PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpcihp_generic.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpcihp_zt5550.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpcihp_zt5550.h PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpqphp_core.c Merge branch 'pci/spdx' into next 2018-02-01 11:40:07 -06:00
cpqphp_ctrl.c PCI: cpqphp: Fix possible NULL pointer dereference 2018-02-28 14:35:54 -06:00
cpqphp_nvram.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpqphp_nvram.h PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpqphp_pci.c Merge branch 'pci/spdx' into next 2018-02-01 11:40:07 -06:00
cpqphp_sysfs.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
cpqphp.h PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
ibmphp_core.c PCI: ibmphp: Fix use-before-set in get_max_bus_speed() 2018-04-20 12:49:24 -05:00
ibmphp_ebda.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
ibmphp_hpc.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
ibmphp_pci.c Merge branch 'pci/spdx' into next 2018-02-01 11:40:07 -06:00
ibmphp_res.c Merge branch 'pci/spdx' into next 2018-02-01 11:40:07 -06:00
ibmphp.h PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
Kconfig PCI: shpchp: Convert SHPC to be builtin only 2018-06-02 00:18:28 -05:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
pci_hotplug_core.c PCI: hotplug: Don't leak pci_slot on registration failure 2018-07-23 17:04:10 -05:00
pciehp_core.c PCI: pciehp: Fix use-after-free on unplug 2018-07-23 17:04:10 -05:00
pciehp_ctrl.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
pciehp_hpc.c PCI: pciehp: Fix use-after-free on unplug 2018-07-23 17:04:10 -05:00
pciehp_pci.c Merge branch 'pci/spdx' into next 2018-02-01 11:40:07 -06:00
pciehp.h PCI: pciehp: Fix use-after-free on unplug 2018-07-23 17:04:10 -05:00
pnv_php.c PCI: pnv_php: Add missing of_node_put() 2018-05-23 16:48:37 -05:00
rpadlpar_core.c pci-v4.16-changes 2018-02-06 09:59:40 -08:00
rpadlpar_sysfs.c pci-v4.16-changes 2018-02-06 09:59:40 -08:00
rpadlpar.h PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
rpaphp_core.c pci-v4.16-changes 2018-02-06 09:59:40 -08:00
rpaphp_pci.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
rpaphp_slot.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
rpaphp.h pci-v4.16-changes 2018-02-06 09:59:40 -08:00
s390_pci_hpc.c PCI: Add SPDX GPL-2.0+ to replace implicit GPL v2 or later statement 2018-01-29 18:23:07 -06:00
sgi_hotplug.c Merge branch 'pci/spdx' into next 2018-02-01 11:40:07 -06:00
shpchp_core.c PCI: shpchp: Separate existence of SHPC and permission to use it 2018-06-26 15:38:28 -05:00
shpchp_ctrl.c PCI: shpchp: Fix AMD POGO identification 2018-06-04 12:07:31 -05:00
shpchp_hpc.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
shpchp_pci.c Merge branch 'pci/spdx' into next 2018-02-01 11:40:07 -06:00
shpchp_sysfs.c PCI: Add SPDX GPL-2.0+ to replace GPL v2 or later boilerplate 2018-01-28 15:49:06 -06:00
shpchp.h PCI: shpchp: Add shpchp_is_native() 2018-06-04 12:08:06 -05:00