• Niklas Schnelle's avatar
    PCI: s390: Fix use-after-free of PCI resources with per-function hotplug · ab909509
    Niklas Schnelle authored
    On s390 PCI functions may be hotplugged individually even when they
    belong to a multi-function device. In particular on an SR-IOV device VFs
    may be removed and later re-added.
    
    In commit a50297cf ("s390/pci: separate zbus creation from
    scanning") it was missed however that struct pci_bus and struct
    zpci_bus's resource list retained a reference to the PCI functions MMIO
    resources even though those resources are released and freed on
    hot-unplug. These stale resources may subsequently be claimed when the
    PCI function re-appears resulting in use-after-free.
    
    One idea of fixing this use-after-free in s390 specific code that was
    investigated was to simply keep resources around from the moment a PCI
    function first appeared until the whole virtual PCI bus created for
    a multi-function device disappears. The problem with this however is
    that due to the requirement of artificial MMIO addreesses (address
    cookies) extra logic is then needed to keep the address cookies
    compatible on re-plug. At the same time the MMIO resources semantically
    belong to the PCI function so tying their lifecycle to the function
    seems more logical.
    
    Instead a simpler approach is to remove the resources of an individually
    hot-unplugged PCI function from the PCI bus's resource list while
    keeping the resources of other PCI functions on the PCI bus untouched.
    
    This is done by introducing pci_bus_remove_resource() to remove an
    individual resource. Similarly the resource also needs to be removed
    from the struct zpci_bus's resource list. It turns out however, that
    there is really no need to add the MMIO resources to the struct
    zpci_bus's resource list at all and instead we can simply use the
    zpci_bar_struct's resource pointer directly.
    
    Fixes: a50297cf ("s390/pci: separate zbus creation from scanning")
    Signed-off-by: default avatarNiklas Schnelle <schnelle@linux.ibm.com>
    Reviewed-by: default avatarMatthew Rosato <mjrosato@linux.ibm.com>
    Acked-by: default avatarBjorn Helgaas <bhelgaas@google.com>
    Link: https://lore.kernel.org/r/20230306151014.60913-2-schnelle@linux.ibm.comSigned-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
    ab909509
pci_bus.c 8.79 KB