lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 27 Jun 2022 17:07:24 +0200
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     "Rafael J. Wysocki" <rafael@...nel.org>
Cc:     Bjorn Helgaas <helgaas@...nel.org>,
        Bjorn Helgaas <bhelgaas@...gle.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Len Brown <lenb@...nel.org>,
        Linux PCI <linux-pci@...r.kernel.org>,
        ACPI Devel Maling List <linux-acpi@...r.kernel.org>,
        whitehat002 <hackyzh002@...il.com>
Subject: Re: [PATCH] PCI/ACPI: do not reference a pci device after it has
 been released

On Thu, Apr 28, 2022 at 10:30:38PM +0200, Rafael J. Wysocki wrote:
> On Thu, Apr 28, 2022 at 10:15 PM Rafael J. Wysocki <rafael@...nel.org> wrote:
> >
> > On Thu, Apr 28, 2022 at 6:22 PM Greg Kroah-Hartman
> > <gregkh@...uxfoundation.org> wrote:
> > >
> > > On Thu, Apr 28, 2022 at 10:58:58AM -0500, Bjorn Helgaas wrote:
> > > > On Thu, Apr 28, 2022 at 04:28:53PM +0200, Greg Kroah-Hartman wrote:
> > > > > In acpi_get_pci_dev(), the debugging message for when a PCI bridge is
> > > > > not found uses a pointer to a pci device whose reference has just been
> > > > > dropped.  The chance that this really is a device that is now been
> > > > > removed from the system is almost impossible to happen, but to be safe,
> > > > > let's print out the debugging message based on the acpi root device
> > > > > which we do have a valid reference to at the moment.
> > > >
> > > > This code was added by 497fb54f578e ("ACPI / PCI: Fix NULL pointer
> > > > dereference in acpi_get_pci_dev() (rev. 2)").  Not sure if it's worth
> > > > a Fixes: tag.
> > >
> > > Can't hurt, I'll add it for the v2 based on this review.
> > >
> > > >
> > > > acpi_get_pci_dev() is used by only five callers, three of which are
> > > > video/backlight related.  I'm always skeptical of one-off interfaces
> > > > like this, but I don't know enough to propose any refactoring or other
> > > > alternatives.
> > > >
> > > > I'll leave this for Rafael, but if I were applying I would silently
> > > > touch up the subject to match convention:
> > > >
> > > >   PCI/ACPI: Do not reference PCI device after it has been released
> > >
> > > Much simpler, thanks.
> > >
> > > >
> > > > > Cc: Bjorn Helgaas <bhelgaas@...gle.com>
> > > > > Cc: "Rafael J. Wysocki" <rafael@...nel.org>
> > > > > Cc: Len Brown <lenb@...nel.org>
> > > > > Cc: linux-pci@...r.kernel.org
> > > > > Cc: linux-acpi@...r.kernel.org
> > > > > Reported-by: whitehat002 <hackyzh002@...il.com>
> > > > > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > > > > ---
> > > > >  drivers/acpi/pci_root.c | 3 ++-
> > > > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > > >
> > > > > diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c
> > > > > index 6f9e75d14808..ecda378dbc09 100644
> > > > > --- a/drivers/acpi/pci_root.c
> > > > > +++ b/drivers/acpi/pci_root.c
> > > > > @@ -303,7 +303,8 @@ struct pci_dev *acpi_get_pci_dev(acpi_handle handle)
> > > > >              * case pdev->subordinate will be NULL for the parent.
> > > > >              */
> > > > >             if (!pbus) {
> > > > > -                   dev_dbg(&pdev->dev, "Not a PCI-to-PCI bridge\n");
> > > > > +                   dev_dbg(&root->device->dev,
> > > > > +                           "dev %d, function %d is not a PCI-to-PCI bridge\n", dev, fn);
> > > >
> > > > This should use "%02x.%d" to be consistent with the dev_set_name() in
> > > > pci_setup_device().
> > >
> > > Ah, missed that, will change it and send out a new version tomorrow.
> >
> > I would make the change below (modulo the gmail-induced wthite space
> > breakage), though.
> 
> That said ->
> 
> > ---
> >  drivers/acpi/pci_root.c |    5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > Index: linux-pm/drivers/acpi/pci_root.c
> > ===================================================================
> > --- linux-pm.orig/drivers/acpi/pci_root.c
> > +++ linux-pm/drivers/acpi/pci_root.c
> > @@ -295,8 +295,6 @@ struct pci_dev *acpi_get_pci_dev(acpi_ha
> >              break;
> >
> >          pbus = pdev->subordinate;
> > -        pci_dev_put(pdev);
> > -
> >          /*
> >           * This function may be called for a non-PCI device that has a
> >           * PCI parent (eg. a disk under a PCI SATA controller).  In that
> > @@ -304,9 +302,12 @@ struct pci_dev *acpi_get_pci_dev(acpi_ha
> >           */
> >          if (!pbus) {
> >              dev_dbg(&pdev->dev, "Not a PCI-to-PCI bridge\n");
> > +            pci_dev_put(pdev);
> >              pdev = NULL;
> >              break;
> >          }
> > +
> > +        pci_dev_put(pdev);
> 
> -> we are going to use pbus after this and it is pdev->subordinate
> which cannot survive without pdev AFAICS.
> 
> Are we not concerned about this case?

Good point.

whitehat002, any ideas?  You found this issue but it really looks like
it is not anything that can ever be hit, so how far do you want to go to
unwind it?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ