powerpc/eeh: Avoid use after free in eeh_handle_special_event()

eeh_handle_special_event() is called when an EEH event is detected but can't be narrowed down to a specific PE. This function looks through every PE to find one in an erroneous state, then calls the regular event handler eeh_handle_normal_event() once it knows which PE has an error. However, if eeh_handle_normal_event() found that the PE cannot possibly be recovered, it will free it, rendering the passed PE stale. This leads to a use after free in eeh_handle_special_event() as it attempts to clear the "recovering" state on the PE after eeh_handle_normal_event() returns. Thus, make sure the PE is valid when attempting to clear state in eeh_handle_special_event(). Fixes: 8a6b1bc70dbb ("powerpc/eeh: EEH core to handle special event") Cc: stable@vger.kernel.org # v3.11+ Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru> Signed-off-by: Russell Currey <ruscur@russell.cc> Reviewed-by: Gavin Shan <gwshan@linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
author: Russell Currey <ruscur@russell.cc> 2017-04-19 03:39:26 -0400
committer: Michael Ellerman <mpe@ellerman.id.au> 2017-05-02 08:41:43 -0400
commit: daeba2956f32f91f3493788ff6ee02fb1b2f02fa (patch)
tree: 8c87a0fdeb9e2078a24846ea41c0a242daf0c26a
parent: a715626a8e904e7226915d1bc4885317ea9da141 (diff)
1 files changed, 15 insertions, 4 deletions
diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c
index b94887165a10..e50d1470714f 100644
--- a/arch/powerpc/kernel/eeh_driver.c
+++ b/arch/powerpc/kernel/eeh_driver.c
@@ -724,7 +724,7 @@ static int eeh_reset_device(struct eeh_pe *pe, struct pci_bus *bus,
 */
 #define MAX_WAIT_FOR_RECOVERY 300
-static void eeh_handle_normal_event(struct eeh_pe *pe)
+static bool eeh_handle_normal_event(struct eeh_pe *pe)
 {
        struct pci_bus *frozen_bus;
        struct eeh_dev *edev, *tmp;
@@ -736,7 +736,7 @@ static void eeh_handle_normal_event(struct eeh_pe *pe)
        if (!frozen_bus) {
                pr_err("%s: Cannot find PCI bus for PHB#%x-PE#%x\n",
                        __func__, pe->phb->global_number, pe->addr);
-                return;
+                return false;
        }
        eeh_pe_update_time_stamp(pe);
@@ -870,7 +870,7 @@ static void eeh_handle_normal_event(struct eeh_pe *pe)
        pr_info("EEH: Notify device driver to resume\n");
        eeh_pe_dev_traverse(pe, eeh_report_resume, NULL);
-        return;
+        return false;
 excess_failures:
        /*
@@ -915,8 +915,12 @@ perm_error:
                        pci_lock_rescan_remove();
                        pci_hp_remove_devices(frozen_bus);
                        pci_unlock_rescan_remove();
+                        /* The passed PE should no longer be used */
+                        return true;
                }
        }
+        return false;
 }
 static void eeh_handle_special_event(void)
@@ -982,7 +986,14 @@ static void eeh_handle_special_event(void)
                 */
                if (rc == EEH_NEXT_ERR_FROZEN_PE ||
                    rc == EEH_NEXT_ERR_FENCED_PHB) {
-                        eeh_handle_normal_event(pe);
+                        /*
+                         * eeh_handle_normal_event() can make the PE stale if it
+                         * determines that the PE cannot possibly be recovered.
+                         * Don't modify the PE state if that's the case.
+                         */
+                        if (eeh_handle_normal_event(pe))
+                                continue;
                        eeh_pe_state_clear(pe, EEH_PE_RECOVERING);
                } else {
                        pci_lock_rescan_remove();
author	Russell Currey <ruscur@russell.cc>	2017-04-19 03:39:26 -0400
committer	Michael Ellerman <mpe@ellerman.id.au>	2017-05-02 08:41:43 -0400
commit	daeba2956f32f91f3493788ff6ee02fb1b2f02fa (patch)
tree	8c87a0fdeb9e2078a24846ea41c0a242daf0c26a
parent	a715626a8e904e7226915d1bc4885317ea9da141 (diff)