s390/pci: fix use after free of zpci_dev

niklas88 · Vasily Gorbik · commit 2a671f77ee49 · 2021-08-18T10:12:42.000+02:00
The struct pci_dev uses reference counting but zPCI assumed erroneously that the last reference would always be the local reference after calling pci_stop_and_remove_bus_device(). This is usually the case but not how reference counting works and thus inherently fragile. In fact one case where this causes a NULL pointer dereference when on an SRIOV device the function 0 was hot unplugged before another function of the same multi-function device. In this case the second function's pdev->sriov->dev reference keeps the struct pci_dev of function 0 alive even after the unplug. This bug was previously hidden by the fact that we were leaking the struct pci_dev which in turn means that it always outlived the struct zpci_dev. This was fixed in commit 0b13525 ("s390/pci: fix leak of PCI device structure") exposing the broken behavior. Fix this by accounting for the long living reference a struct pci_dev has to its underlying struct zpci_dev via the zbus->function[] array and only release that in pcibios_release_device() ensuring that the struct pci_dev is not left with a dangling reference. This is a minimal fix in the future it would probably better to use fine grained reference counting for struct zpci_dev. Fixes: 05bc1be ("s390/pci: create zPCI bus") Cc: stable@vger.kernel.org Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com> Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
diff --git a/arch/s390/pci/pci.c b/arch/s390/pci/pci.c
@@ -560,9 +560,12 @@ static void zpci_cleanup_bus_resources(struct zpci_dev *zdev)
 
 int pcibios_add_device(struct pci_dev *pdev)
 {
+	struct zpci_dev *zdev = to_zpci(pdev);
 	struct resource *res;
 	int i;
 
+	/* The pdev has a reference to the zdev via its bus */
+	zpci_zdev_get(zdev);
 	if (pdev->is_physfn)
 		pdev->no_vf_scan = 1;
 
@@ -582,7 +585,10 @@ int pcibios_add_device(struct pci_dev *pdev)
 
 void pcibios_release_device(struct pci_dev *pdev)
 {
+	struct zpci_dev *zdev = to_zpci(pdev);
+
 	zpci_unmap_resources(pdev);
+	zpci_zdev_put(zdev);
 }
 
 int pcibios_enable_device(struct pci_dev *pdev, int mask)
diff --git a/arch/s390/pci/pci_bus.h b/arch/s390/pci/pci_bus.h
@@ -22,6 +22,11 @@ static inline void zpci_zdev_put(struct zpci_dev *zdev)
 	kref_put(&zdev->kref, zpci_release_device);
 }
 
+static inline void zpci_zdev_get(struct zpci_dev *zdev)
+{
+	kref_get(&zdev->kref);
+}
+
 int zpci_alloc_domain(int domain);
 void zpci_free_domain(int domain);
 int zpci_setup_bus_resources(struct zpci_dev *zdev,

Original file line number	Diff line number	Diff line change
`@@ -560,9 +560,12 @@ static void zpci_cleanup_bus_resources(struct zpci_dev *zdev)`
`560`	`560`
`561`	`561`	`int pcibios_add_device(struct pci_dev *pdev)`
`562`	`562`	`{`
	`563`	`+ struct zpci_dev *zdev = to_zpci(pdev);`
`563`	`564`	`struct resource *res;`
`564`	`565`	`int i;`
`565`	`566`
	`567`	`+ /* The pdev has a reference to the zdev via its bus */`
	`568`	`+ zpci_zdev_get(zdev);`
`566`	`569`	`if (pdev->is_physfn)`
`567`	`570`	`pdev->no_vf_scan = 1;`
`568`	`571`
`@@ -582,7 +585,10 @@ int pcibios_add_device(struct pci_dev *pdev)`
`582`	`585`
`583`	`586`	`void pcibios_release_device(struct pci_dev *pdev)`
`584`	`587`	`{`
	`588`	`+ struct zpci_dev *zdev = to_zpci(pdev);`
	`589`	`+`
`585`	`590`	`zpci_unmap_resources(pdev);`
	`591`	`+ zpci_zdev_put(zdev);`
`586`	`592`	`}`
`587`	`593`
`588`	`594`	`int pcibios_enable_device(struct pci_dev *pdev, int mask)`