From patchwork Thu Aug  8 15:34:52 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
X-Patchwork-Id: 1144070
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 464C9m368lz9sMr;
	Fri,  9 Aug 2019 01:35:08 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1hvkRU-0004nJ-7e; Thu, 08 Aug 2019 15:35:04 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <marcelo.cerri@canonical.com>)
	id 1hvkRR-0004mV-LX
	for kernel-team@lists.ubuntu.com; Thu, 08 Aug 2019 15:35:01 +0000
Received: from mail-qk1-f198.google.com ([209.85.222.198])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <marcelo.cerri@canonical.com>)
	id 1hvkRR-0002Be-3b
	for kernel-team@lists.ubuntu.com; Thu, 08 Aug 2019 15:35:01 +0000
Received: by mail-qk1-f198.google.com with SMTP id d203so4574767qke.4
	for <kernel-team@lists.ubuntu.com>;
	Thu, 08 Aug 2019 08:35:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=pYlYRCCrwNH4QA2T8TM+hlPRind2HggAi6e/sjZzx1U=;
	b=LG13P9AcU3BeYR11LAQA3Q85hHgLlrQlsv2zSrIngy7TvEzOTRJY3xeC9nsP5gL0iO
	vUD5A4MhXO0AOlmFHAtFaaNcLSAujuySX7R+4zhUkYqF2UfGQzk5nY3uR9olPd9pAB+q
	7A7XgPMRVqjX0IZM7K0Wo3svriwuH4vJ/8l9kCNaVgT5+023QNBhtYGwoboX/XaWX6z9
	BJdv3aPmIjBgtmnRJM0wjwA6EKB1T6Jt91carswE2DnQZb0dH2UrqlNW+ItNVa/Am/CO
	X6Y4JcPSzfCnU/5GERx3wnK6GEeOm1bR2OxvFibaBDAFxTIfoS3hC9U3jMAvH4kuXmeh
	uxXQ==
X-Gm-Message-State: APjAAAVcVpMtEPUy44+H2vK5kcjmVTO50iDR+uL/Tj1Mapd8reVr+kQk
	FkEMN/ul5HlvwL//r1ANSRIUupPQimLgu6FvU4llorbvCjNhrTEQlY+/QgZVNt7HuSusc1Xgoom
	3IwwfVirZDUpMstNygFNMri6hodRg2HRA30ouvqQ9
X-Received: by 2002:a37:ad0f:: with SMTP id
	f15mr13750099qkm.68.1565278499890;
	Thu, 08 Aug 2019 08:34:59 -0700 (PDT)
X-Google-Smtp-Source: 
 APXvYqzrJsJ/kffci6oHjYwAMBJy7NKQ85Gxv9AxENDAfQ5DXHPHnDJUKCe+So8IbLTAjAQpwKSGoQ==
X-Received: by 2002:a37:ad0f:: with SMTP id
	f15mr13750073qkm.68.1565278499627;
	Thu, 08 Aug 2019 08:34:59 -0700 (PDT)
Received: from gallifrey.routerd55abc.com
	([2804:14c:4e3:5580:544c:b692:4c6f:1e31])
	by smtp.gmail.com with ESMTPSA id
	l5sm41244404qte.9.2019.08.08.08.34.57
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
	Thu, 08 Aug 2019 08:34:58 -0700 (PDT)
From: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [d/azure][PATCH 1/2] PCI: hv: Fix a use-after-free bug in
	hv_eject_device_work()
Date: Thu,  8 Aug 2019 12:34:52 -0300
Message-Id: <20190808153453.19957-2-marcelo.cerri@canonical.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190808153453.19957-1-marcelo.cerri@canonical.com>
References: <20190808153453.19957-1-marcelo.cerri@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Dexuan Cui <decui@microsoft.com>

BugLink: https://bugs.launchpad.net/bugs/1837661

Fix a use-after-free in hv_eject_device_work().

Fixes: 05f151a73ec2 ("PCI: hv: Fix a memory leak in hv_eject_device_work()")
Signed-off-by: Dexuan Cui <decui@microsoft.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Cc: stable@vger.kernel.org
(cherry picked from commit 4df591b20b80cb77920953812d894db259d85bd7)
Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
Acked-by: Sultan Alsawaf <sultan.alsawaf@canonical.com>
---
 drivers/pci/controller/pci-hyperv.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/pci/controller/pci-hyperv.c b/drivers/pci/controller/pci-hyperv.c
index 42af7f6a7c4c..ae91e708796f 100644
--- a/drivers/pci/controller/pci-hyperv.c
+++ b/drivers/pci/controller/pci-hyperv.c
@@ -1888,6 +1888,7 @@ static void hv_pci_devices_present(struct hv_pcibus_device *hbus,
 static void hv_eject_device_work(struct work_struct *work)
 {
 	struct pci_eject_response *ejct_pkt;
+	struct hv_pcibus_device *hbus;
 	struct hv_pci_dev *hpdev;
 	struct pci_dev *pdev;
 	unsigned long flags;
@@ -1898,6 +1899,7 @@ static void hv_eject_device_work(struct work_struct *work)
 	} ctxt;
 
 	hpdev = container_of(work, struct hv_pci_dev, wrk);
+	hbus = hpdev->hbus;
 
 	WARN_ON(hpdev->state != hv_pcichild_ejecting);
 
@@ -1908,8 +1910,7 @@ static void hv_eject_device_work(struct work_struct *work)
 	 * because hbus->pci_bus may not exist yet.
 	 */
 	wslot = wslot_to_devfn(hpdev->desc.win_slot.slot);
-	pdev = pci_get_domain_bus_and_slot(hpdev->hbus->sysdata.domain, 0,
-					   wslot);
+	pdev = pci_get_domain_bus_and_slot(hbus->sysdata.domain, 0, wslot);
 	if (pdev) {
 		pci_lock_rescan_remove();
 		pci_stop_and_remove_bus_device(pdev);
@@ -1917,9 +1918,9 @@ static void hv_eject_device_work(struct work_struct *work)
 		pci_unlock_rescan_remove();
 	}
 
-	spin_lock_irqsave(&hpdev->hbus->device_list_lock, flags);
+	spin_lock_irqsave(&hbus->device_list_lock, flags);
 	list_del(&hpdev->list_entry);
-	spin_unlock_irqrestore(&hpdev->hbus->device_list_lock, flags);
+	spin_unlock_irqrestore(&hbus->device_list_lock, flags);
 
 	if (hpdev->pci_slot)
 		pci_destroy_slot(hpdev->pci_slot);
@@ -1928,7 +1929,7 @@ static void hv_eject_device_work(struct work_struct *work)
 	ejct_pkt = (struct pci_eject_response *)&ctxt.pkt.message;
 	ejct_pkt->message_type.type = PCI_EJECTION_COMPLETE;
 	ejct_pkt->wslot.slot = hpdev->desc.win_slot.slot;
-	vmbus_sendpacket(hpdev->hbus->hdev->channel, ejct_pkt,
+	vmbus_sendpacket(hbus->hdev->channel, ejct_pkt,
 			 sizeof(*ejct_pkt), (unsigned long)&ctxt.pkt,
 			 VM_PKT_DATA_INBAND, 0);
 
@@ -1937,7 +1938,9 @@ static void hv_eject_device_work(struct work_struct *work)
 	/* For the two refs got in new_pcichild_device() */
 	put_pcichild(hpdev);
 	put_pcichild(hpdev);
-	put_hvpcibus(hpdev->hbus);
+	/* hpdev has been freed. Do not use it any more. */
+
+	put_hvpcibus(hbus);
 }
 
 /**