Message-ID: <20250409115313.1.Ia319526ed4ef06bec3180378c9a008340cec9658@changeid>
Date: Wed,  9 Apr 2025 11:53:13 -0700
From: Brian Norris <briannorris@...omium.org>
To: Bartosz Golaszewski <brgl@...ev.pl>,
	Bjorn Helgaas <bhelgaas@...gle.com>
Cc: linux-kernel@...r.kernel.org,
	linux-pci@...r.kernel.org,
	Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>,
	Brian Norris <briannorris@...gle.com>,
	Konrad Dybcio <konradybcio@...nel.org>,
	Bartosz Golaszewski <bartosz.golaszewski@...aro.org>,
	Brian Norris <briannorris@...omium.org>
Subject: [PATCH] PCI/pwrctrl: Cancel outstanding rescan work when unregistering

From: Brian Norris <briannorris@...gle.com>

It's possible to trigger use-after-free here by:
(a) forcing rescan_work_func() to take a long time and
(b) utilizing a pwrctrl driver that may be unloaded for some reason.

I'm unlucky to trigger both of these in development. It's likely much
more difficult to hit this in practice.

Anyway, we should ensure our work is finished before we allow our data
structures to be cleaned up.

Fixes: 8f62819aaace ("PCI/pwrctl: Rescan bus on a separate thread")
Cc: Konrad Dybcio <konradybcio@...nel.org>
Cc: Bartosz Golaszewski <bartosz.golaszewski@...aro.org>
Signed-off-by: Brian Norris <briannorris@...gle.com>
Signed-off-by: Brian Norris <briannorris@...omium.org>
---

 drivers/pci/pwrctrl/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/pci/pwrctrl/core.c b/drivers/pci/pwrctrl/core.c
index 9cc7e2b7f2b5..6bdbfed584d6 100644
--- a/drivers/pci/pwrctrl/core.c
+++ b/drivers/pci/pwrctrl/core.c
@@ -101,6 +101,8 @@ EXPORT_SYMBOL_GPL(pci_pwrctrl_device_set_ready);
  */
 void pci_pwrctrl_device_unset_ready(struct pci_pwrctrl *pwrctrl)
 {
+	cancel_work_sync(&pwrctrl->work);
+
 	/*
 	 * We don't have to delete the link here. Typically, this function
 	 * is only called when the power control device is being detached. If
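
Review bot: the new cancel_work_sync(&pwrctrl->work) at the top of pci_pwrctrl_device_unset_ready() has no comment explaining why it has to run before the rest of the teardown. The existing block comment below it only covers the device link. A short comment that rescan_work_func() still uses pwrctrl, and so must have finished before the caller can free it, would stop the call from being reordered or dropped later. cancel_work_sync() only guarantees the work is idle at the moment it returns, so the commit message should also say why nothing can queue pwrctrl->work again after this point. It would help if it named which structure is freed in the use-after-free, since "our data structures" leaves the reader to work that out. Because cancel_work_sync() can sleep, the kernel-doc above the function should note that it must be called from process context.
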
-- 
2.49.0.604.gff1f9ca942-goog

