linux-hardened/drivers
Sebastian Andrzej Siewior 4ae2182b1e PCI/AER: Flush workqueue on device remove to avoid use-after-free
A Root Port's AER structure (rpc) contains a queue of events.  aer_irq()
enqueues AER status information and schedules aer_isr() to dequeue and
process it.  When we remove a device, aer_remove() waits for the queue to
be empty, then frees the rpc struct.

But aer_isr() references the rpc struct after dequeueing and possibly
emptying the queue, which can cause a use-after-free error as in the
following scenario with two threads, aer_isr() on the left and a
concurrent aer_remove() on the right:

  Thread A                      Thread B
  --------                      --------
  aer_irq():
    rpc->prod_idx++
                                aer_remove():
                                  wait_event(rpc->prod_idx == rpc->cons_idx)
                                  # now blocked until queue becomes empty
  aer_isr():                      # ...
    rpc->cons_idx++               # unblocked because queue is now empty
    ...                           kfree(rpc)
    mutex_unlock(&rpc->rpc_mutex)

To prevent this problem, use flush_work() to wait until the last scheduled
instance of aer_isr() has completed before freeing the rpc struct in
aer_remove().

I reproduced this use-after-free by flashing a device FPGA and
re-enumerating the bus to find the new device.  With SLUB debug, this
crashes with 0x6b bytes (POISON_FREE, the use-after-free magic number) in
GPR25:

  pcieport 0000:00:00.0: AER: Multiple Corrected error received: id=0000
  Unable to handle kernel paging request for data at address 0x27ef9e3e
  Workqueue: events aer_isr
  GPR24: dd6aa000 6b6b6b6b 605f8378 605f8360 d99b12c0 604fc674 606b1704 d99b12c0
  NIP [602f5328] pci_walk_bus+0xd4/0x104

[bhelgaas: changelog, stable tag]
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: stable@vger.kernel.org
2016-01-25 10:08:00 -06:00
..
accessibility
acpi tree wide: use kvfree() than conditional kfree()/vfree() 2016-01-22 17:02:18 -08:00
amba
android
ata Merge branch 'for-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata 2016-01-11 19:33:59 -08:00
atm
auxdisplay
base wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
bcma GPIO bulk updates for the v4.5 kernel cycle: 2016-01-17 12:32:01 -08:00
block Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2016-01-24 12:34:13 -08:00
bluetooth
bus ARM: SoC driver updates for v4.5 2016-01-20 18:42:30 -08:00
cdrom
char Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
clk ARM: DT updates for v4.5 2016-01-20 18:16:29 -08:00
clocksource ARM: SoC cleanups for v4.5 2016-01-20 17:55:20 -08:00
connector
cpufreq powerpc updates for 4.5 2016-01-15 13:18:47 -08:00
cpuidle More power management and ACPI updates for v4.5-rc1 2016-01-20 19:06:49 -08:00
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2016-01-22 11:58:43 -08:00
dca
devfreq PM / devfreq: Do not show statistics if it's not ready. 2016-01-13 17:30:33 +09:00
dio
dma dmaengine fixes for 4.5-rc1 2016-01-20 10:15:21 -08:00
dma-buf
edac
eisa
extcon
firewire
firmware UBSAN: run-time undefined behavior sanity checker 2016-01-20 17:09:18 -08:00
fmc
fpga
gpio ARM: SoC multiplatform code changes for v4.5 2016-01-20 18:03:56 -08:00
gpu tree wide: use kvfree() than conditional kfree()/vfree() 2016-01-22 17:02:18 -08:00
hid asm-generic changes for 4.5 2016-01-20 17:30:20 -08:00
hsi HSI: omap_ssi_port: fix handling of_get_named_gpio result 2016-01-07 16:07:54 +01:00
hv char/misc patches for 4.5-rc1 2016-01-13 10:23:36 -08:00
hwmon Merge git://www.linux-watchdog.org/linux-watchdog 2016-01-17 12:15:38 -08:00
hwspinlock
hwtracing
i2c Merge branch 'i2c/for-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2016-01-14 11:25:37 -08:00
ide drivers/ide: make ide-scan-pci.c driver explicitly non-modular 2016-01-18 14:12:33 -05:00
idle
iio Merge branch 'akpm' (patches from Andrew) 2016-01-21 12:32:08 -08:00
infiniband Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2016-01-22 17:20:30 -08:00
iommu IOMMU Updates for Linux v4.5 2016-01-19 09:35:06 -08:00
ipack
irqchip Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-01-24 12:50:56 -08:00
isdn Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-01-11 23:55:43 -05:00
leds GPIO bulk updates for the v4.5 kernel cycle: 2016-01-17 12:32:01 -08:00
lguest lguest: Map switcher text R/O 2016-01-12 12:17:28 +01:00
lightnvm lightnvm: introduce factory reset 2016-01-12 08:21:18 -07:00
macintosh
mailbox
mcb
md Merge branch 'for-4.5/drivers' of git://git.kernel.dk/linux-block 2016-01-21 18:19:38 -08:00
media dma-mapping: always provide the dma_map_ops based implementation 2016-01-20 17:09:18 -08:00
memory ARM: SoC driver updates for v4.5 2016-01-20 18:42:30 -08:00
memstick memstick: use sector_div instead of do_div 2016-01-20 17:09:18 -08:00
message
mfd GPIO bulk updates for the v4.5 kernel cycle: 2016-01-17 12:32:01 -08:00
misc Merge branch 'akpm' (patches from Andrew) 2016-01-21 12:32:08 -08:00
mmc MMC core: 2016-01-22 12:04:21 -08:00
mtd Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus 2016-01-24 12:50:56 -08:00
net Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
nfc
ntb NTB: Fix macro parameter conflict with field name 2016-01-21 19:53:10 -05:00
nubus
nvdimm mm, dax, pmem: introduce {get|put}_dev_pagemap() for dax-gup 2016-01-15 17:56:32 -08:00
nvme Merge branch 'for-4.5/nvme' of git://git.kernel.dk/linux-block 2016-01-21 19:58:02 -08:00
nvmem
of DeviceTree updates for 4.5: 2016-01-14 11:13:28 -08:00
oprofile wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
parisc parisc: convert to dma_map_ops 2016-01-20 17:09:18 -08:00
parport
pci PCI/AER: Flush workqueue on device remove to avoid use-after-free 2016-01-25 10:08:00 -06:00
pcmcia
perf
phy
pinctrl GPIO bulk updates for the v4.5 kernel cycle: 2016-01-17 12:32:01 -08:00
platform ideapad-laptop: Add Lenovo Yoga 700 to no_hw_rfkill dmi list 2016-01-24 10:15:01 -08:00
pnp
power power: bq27xxx_battery: Fix bq27541 AveragePower register address 2016-01-14 01:03:18 +01:00
powercap Merge branch 'powercap' 2016-01-12 01:12:40 +01:00
pps
ps3
ptp
pwm pwm: Mark all devices as "might sleep" 2016-01-21 15:04:59 +01:00
rapidio rapidio: use kobj_to_dev() 2016-01-20 17:09:18 -08:00
ras
regulator regulator: Update for v4.5 2016-01-15 12:14:47 -08:00
remoteproc virtio: make find_vqs() checkpatch.pl-friendly 2016-01-12 20:47:06 +02:00
reset
rpmsg virtio: make find_vqs() checkpatch.pl-friendly 2016-01-12 20:47:06 +02:00
rtc RTC for 4.5 2016-01-18 12:10:45 -08:00
s390 virtio: barrier rework+fixes 2016-01-18 16:44:24 -08:00
sbus
scsi Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
sfi
sh
sn
soc ARM: SoC support for Tegra platforms for v4.5 2016-01-22 17:30:52 -08:00
spi powerpc updates for 4.5 2016-01-15 13:18:47 -08:00
spmi
ssb
staging Initial roundup of 4.5 merge window patches 2016-01-23 18:45:06 -08:00
target Merge branch 'for-4.5/nvme' of git://git.kernel.dk/linux-block 2016-01-21 19:58:02 -08:00
tc
thermal Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux 2016-01-24 12:43:06 -08:00
thunderbolt
tty ARM: SoC driver updates for v4.5 2016-01-20 18:42:30 -08:00
uio
usb Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
uwb
vfio
vhost
video wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
virt
virtio virtio: make find_vqs() checkpatch.pl-friendly 2016-01-12 20:47:06 +02:00
vlynq
vme
w1
watchdog watchdog: asm9260: remove __init and __exit annotations 2016-01-11 22:48:05 +01:00
xen virtio: barrier rework+fixes 2016-01-18 16:44:24 -08:00
zorro
Kconfig
Makefile