Revision 647e82dbf85124697be59a4b4cf00c0d38177dcb authored by Andy Shevchenko on 01 September 2022, 11:34:06 UTC, committed by Hans de Goede on 01 September 2022, 15:51:34 UTC
We have to copy only selected fields from the original resource.
Because a PCI device will be removed immediately after getting
its resources, we may not use any allocated data, hence we may
not copy any pointers.
Consider the following scenario:
1/ a caller of p2sb_bar() gets the resource;
2/ the resource has been copied by platform_device_add_data()
in order to create a platform device;
3/ the platform device creation will call for the device driver's
->probe() as soon as a match found;
4/ the ->probe() takes given resources (see 2/) and tries to
access one of its field, i.e. 'name', in the
__devm_ioremap_resource() to create a pretty looking output;
5/ but the 'name' is a dangling pointer because p2sb_bar()
removed a PCI device, which 'name' had been copied to
the caller's memory.
6/ UAF (Use-After-Free) as a result.
Kudos to Mika for the initial analisys of the issue.
Fixes: 9745fb07474f ("platform/x86/intel: Add Primary to Sideband (P2SB) bridge support")
Reported-by: kernel test robot <oliver.sang@intel.com>
Suggested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://lore.kernel.org/linux-i2c/YvPCbnKqDiL2XEKp@xsang-OptiPlex-9020/
Link: https://lore.kernel.org/linux-i2c/YtjAswDKfiuDfWYs@xsang-OptiPlex-9020/
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20220901113406.65876-1-andriy.shevchenko@linux.intel.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
1 parent 5542dfc
mce_amd.h
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _EDAC_MCE_AMD_H
#define _EDAC_MCE_AMD_H
#include <linux/notifier.h>
#include <asm/mce.h>
#define EC(x) ((x) & 0xffff)
#define LOW_SYNDROME(x) (((x) >> 15) & 0xff)
#define HIGH_SYNDROME(x) (((x) >> 24) & 0xff)
#define TLB_ERROR(x) (((x) & 0xFFF0) == 0x0010)
#define MEM_ERROR(x) (((x) & 0xFF00) == 0x0100)
#define BUS_ERROR(x) (((x) & 0xF800) == 0x0800)
#define INT_ERROR(x) (((x) & 0xF4FF) == 0x0400)
#define TT(x) (((x) >> 2) & 0x3)
#define TT_MSG(x) tt_msgs[TT(x)]
#define II(x) (((x) >> 2) & 0x3)
#define II_MSG(x) ii_msgs[II(x)]
#define LL(x) ((x) & 0x3)
#define LL_MSG(x) ll_msgs[LL(x)]
#define TO(x) (((x) >> 8) & 0x1)
#define TO_MSG(x) to_msgs[TO(x)]
#define PP(x) (((x) >> 9) & 0x3)
#define PP_MSG(x) pp_msgs[PP(x)]
#define UU(x) (((x) >> 8) & 0x3)
#define UU_MSG(x) uu_msgs[UU(x)]
#define R4(x) (((x) >> 4) & 0xf)
#define R4_MSG(x) ((R4(x) < 9) ? rrrr_msgs[R4(x)] : "Wrong R4!")
extern const char * const pp_msgs[];
enum tt_ids {
TT_INSTR = 0,
TT_DATA,
TT_GEN,
TT_RESV,
};
enum ll_ids {
LL_RESV = 0,
LL_L1,
LL_L2,
LL_LG,
};
enum ii_ids {
II_MEM = 0,
II_RESV,
II_IO,
II_GEN,
};
enum rrrr_ids {
R4_GEN = 0,
R4_RD,
R4_WR,
R4_DRD,
R4_DWR,
R4_IRD,
R4_PREF,
R4_EVICT,
R4_SNOOP,
};
/*
* per-family decoder ops
*/
struct amd_decoder_ops {
bool (*mc0_mce)(u16, u8);
bool (*mc1_mce)(u16, u8);
bool (*mc2_mce)(u16, u8);
};
void amd_register_ecc_decoder(void (*f)(int, struct mce *));
void amd_unregister_ecc_decoder(void (*f)(int, struct mce *));
#endif /* _EDAC_MCE_AMD_H */
Computing file changes ...
