Unverified Commit 4acc902e authored Nov 07, 2024 by Zijun Hu Committed by Krzysztof Wilczyński Nov 18, 2024

PCI: endpoint: Fix PCI domain ID release in pci_epc_destroy()



pci_epc_destroy() invokes pci_bus_release_domain_nr() to release the PCI
domain ID, but there are two issues:

  - 'epc->dev' is passed to pci_bus_release_domain_nr() which was already
    freed by device_unregister(), leading to a use-after-free issue.

  - Domain ID corresponds to the EPC device parent, so passing 'epc->dev'
    is also wrong.

Fix these issues by passing 'epc->dev.parent' to
pci_bus_release_domain_nr() and also do it before device_unregister().

Fixes: 0328947c ("PCI: endpoint: Assign PCI domain number for endpoint controllers")
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20241107-epc_rfc-v2-1-da5b6a99a66f@quicinc.com


[mani: reworded subject and description]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Cc: stable@vger.kernel.org

parent 5089b3d8

drivers/pci/endpoint/pci-epc-core.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -923,11 +923,10 @@ EXPORT_SYMBOL_GPL(pci_epc_bus_master_enable_notify);
		void pci_epc_destroy(struct pci_epc *epc)
		{
		pci_ep_cfs_remove_epc_group(epc->group);
		device_unregister(&epc->dev);

		#ifdef CONFIG_PCI_DOMAINS_GENERIC
		pci_bus_release_domain_nr(&epc->dev, epc->domain_nr);
		pci_bus_release_domain_nr(epc->dev.parent, epc->domain_nr);
		#endif
		device_unregister(&epc->dev);
		}
		EXPORT_SYMBOL_GPL(pci_epc_destroy);