mirror of
https://github.com/torvalds/linux.git
synced 2025-01-01 07:42:07 +00:00
9885440b16
The PCI code has several paths where the struct pci_host_bridge is freed
directly. This is wrong because it contains a struct device which is
refcounted and should be freed using put_device(). This can result in
use-after-free errors. I think this problem has existed since 2012 with
commit 7b54366358
("PCI: add generic device into pci_host_bridge
struct"). It generally hasn't mattered as most host bridge drivers are
still built-in and can't unbind.
The problem is a struct device should never be freed directly once
device_initialize() is called and a ref is held, but that doesn't happen
until pci_register_host_bridge(). There's then a window between allocating
the host bridge and pci_register_host_bridge() where kfree should be used.
This is fragile and requires callers to do the right thing. To fix this, we
need to split device_register() into device_initialize() and device_add()
calls, so that the host bridge struct is always freed by using a
put_device().
devm_pci_alloc_host_bridge() is using devm_kzalloc() to allocate struct
pci_host_bridge which will be freed directly. Instead, we can use a custom
devres action to call put_device().
Link: https://lore.kernel.org/r/20200513223859.11295-2-robh@kernel.org
Reported-by: Anders Roxell <anders.roxell@linaro.org>
Tested-by: Anders Roxell <anders.roxell@linaro.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
166 lines
3.7 KiB
C
166 lines
3.7 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
#include <linux/pci.h>
|
|
#include <linux/module.h>
|
|
#include "pci.h"
|
|
|
|
static void pci_free_resources(struct pci_dev *dev)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < PCI_NUM_RESOURCES; i++) {
|
|
struct resource *res = dev->resource + i;
|
|
if (res->parent)
|
|
release_resource(res);
|
|
}
|
|
}
|
|
|
|
static void pci_stop_dev(struct pci_dev *dev)
|
|
{
|
|
pci_pme_active(dev, false);
|
|
|
|
if (pci_dev_is_added(dev)) {
|
|
device_release_driver(&dev->dev);
|
|
pci_proc_detach_device(dev);
|
|
pci_remove_sysfs_dev_files(dev);
|
|
|
|
pci_dev_assign_added(dev, false);
|
|
}
|
|
}
|
|
|
|
static void pci_destroy_dev(struct pci_dev *dev)
|
|
{
|
|
if (!dev->dev.kobj.parent)
|
|
return;
|
|
|
|
device_del(&dev->dev);
|
|
|
|
down_write(&pci_bus_sem);
|
|
list_del(&dev->bus_list);
|
|
up_write(&pci_bus_sem);
|
|
|
|
pcie_aspm_exit_link_state(dev);
|
|
pci_bridge_d3_update(dev);
|
|
pci_free_resources(dev);
|
|
put_device(&dev->dev);
|
|
}
|
|
|
|
void pci_remove_bus(struct pci_bus *bus)
|
|
{
|
|
pci_proc_detach_bus(bus);
|
|
|
|
down_write(&pci_bus_sem);
|
|
list_del(&bus->node);
|
|
pci_bus_release_busn_res(bus);
|
|
up_write(&pci_bus_sem);
|
|
pci_remove_legacy_files(bus);
|
|
|
|
if (bus->ops->remove_bus)
|
|
bus->ops->remove_bus(bus);
|
|
|
|
pcibios_remove_bus(bus);
|
|
device_unregister(&bus->dev);
|
|
}
|
|
EXPORT_SYMBOL(pci_remove_bus);
|
|
|
|
static void pci_stop_bus_device(struct pci_dev *dev)
|
|
{
|
|
struct pci_bus *bus = dev->subordinate;
|
|
struct pci_dev *child, *tmp;
|
|
|
|
/*
|
|
* Stopping an SR-IOV PF device removes all the associated VFs,
|
|
* which will update the bus->devices list and confuse the
|
|
* iterator. Therefore, iterate in reverse so we remove the VFs
|
|
* first, then the PF.
|
|
*/
|
|
if (bus) {
|
|
list_for_each_entry_safe_reverse(child, tmp,
|
|
&bus->devices, bus_list)
|
|
pci_stop_bus_device(child);
|
|
}
|
|
|
|
pci_stop_dev(dev);
|
|
}
|
|
|
|
static void pci_remove_bus_device(struct pci_dev *dev)
|
|
{
|
|
struct pci_bus *bus = dev->subordinate;
|
|
struct pci_dev *child, *tmp;
|
|
|
|
if (bus) {
|
|
list_for_each_entry_safe(child, tmp,
|
|
&bus->devices, bus_list)
|
|
pci_remove_bus_device(child);
|
|
|
|
pci_remove_bus(bus);
|
|
dev->subordinate = NULL;
|
|
}
|
|
|
|
pci_destroy_dev(dev);
|
|
}
|
|
|
|
/**
|
|
* pci_stop_and_remove_bus_device - remove a PCI device and any children
|
|
* @dev: the device to remove
|
|
*
|
|
* Remove a PCI device from the device lists, informing the drivers
|
|
* that the device has been removed. We also remove any subordinate
|
|
* buses and children in a depth-first manner.
|
|
*
|
|
* For each device we remove, delete the device structure from the
|
|
* device lists, remove the /proc entry, and notify userspace
|
|
* (/sbin/hotplug).
|
|
*/
|
|
void pci_stop_and_remove_bus_device(struct pci_dev *dev)
|
|
{
|
|
pci_stop_bus_device(dev);
|
|
pci_remove_bus_device(dev);
|
|
}
|
|
EXPORT_SYMBOL(pci_stop_and_remove_bus_device);
|
|
|
|
void pci_stop_and_remove_bus_device_locked(struct pci_dev *dev)
|
|
{
|
|
pci_lock_rescan_remove();
|
|
pci_stop_and_remove_bus_device(dev);
|
|
pci_unlock_rescan_remove();
|
|
}
|
|
EXPORT_SYMBOL_GPL(pci_stop_and_remove_bus_device_locked);
|
|
|
|
void pci_stop_root_bus(struct pci_bus *bus)
|
|
{
|
|
struct pci_dev *child, *tmp;
|
|
struct pci_host_bridge *host_bridge;
|
|
|
|
if (!pci_is_root_bus(bus))
|
|
return;
|
|
|
|
host_bridge = to_pci_host_bridge(bus->bridge);
|
|
list_for_each_entry_safe_reverse(child, tmp,
|
|
&bus->devices, bus_list)
|
|
pci_stop_bus_device(child);
|
|
|
|
/* stop the host bridge */
|
|
device_release_driver(&host_bridge->dev);
|
|
}
|
|
EXPORT_SYMBOL_GPL(pci_stop_root_bus);
|
|
|
|
void pci_remove_root_bus(struct pci_bus *bus)
|
|
{
|
|
struct pci_dev *child, *tmp;
|
|
struct pci_host_bridge *host_bridge;
|
|
|
|
if (!pci_is_root_bus(bus))
|
|
return;
|
|
|
|
host_bridge = to_pci_host_bridge(bus->bridge);
|
|
list_for_each_entry_safe(child, tmp,
|
|
&bus->devices, bus_list)
|
|
pci_remove_bus_device(child);
|
|
pci_remove_bus(bus);
|
|
host_bridge->bus = NULL;
|
|
|
|
/* remove the host bridge */
|
|
device_del(&host_bridge->dev);
|
|
}
|
|
EXPORT_SYMBOL_GPL(pci_remove_root_bus);
|