CVE-2022-49196

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries: Fix use after free in removephbdynamic()

In removephbdynamic() we use &phb->ioresource, after we've called deviceunregister(&hostbridge->dev). But the unregister may have freed phb, because pcibiosfreecontrollerdeferred() is the release function for the host_bridge.

If there are no outstanding references when we call device_unregister() then phb will be freed out from under us.

This has gone mainly unnoticed, but with slubdebug and pagepoison enabled it can lead to a crash:

PID: 7574 TASK: c0000000d492cb80 CPU: 13 COMMAND: "drmgr" #0 [c0000000e4f075a0] crashkexec at c00000000027d7dc #1 [c0000000e4f075d0] oopsend at c000000000029608 #2 [c0000000e4f07650] __badpagefault at c0000000000904b4 #3 [c0000000e4f076c0] dobadslbfault at c00000000009a5a8 #4 [c0000000e4f076f0] dataaccessslbcommonvirt at c000000000008b30 Data SLB Access [380] exception frame: R0: c000000000167250 R1: c0000000e4f07a00 R2: c000000002a46100 R3: c000000002b39ce8 R4: 00000000000000c0 R5: 00000000000000a9 R6: 3894674d000000c0 R7: 0000000000000000 R8: 00000000000000ff R9: 0000000000000100 R10: 6b6b6b6b6b6b6b6b R11: 0000000000008000 R12: c00000000023da80 R13: c0000009ffd38b00 R14: 0000000000000000 R15: 000000011c87f0f0 R16: 0000000000000006 R17: 0000000000000003 R18: 0000000000000002 R19: 0000000000000004 R20: 0000000000000005 R21: 000000011c87ede8 R22: 000000011c87c5a8 R23: 000000011c87d3a0 R24: 0000000000000000 R25: 0000000000000001 R26: c0000000e4f07cc8 R27: c00000004d1cc400 R28: c0080000031d00e8 R29: c00000004d23d800 R30: c00000004d1d2400 R31: c00000004d1d2540 NIP: c000000000167258 MSR: 8000000000009033 OR3: c000000000e9f474 CTR: 0000000000000000 LR: c000000000167250 XER: 0000000020040003 CCR: 0000000024088420 MQ: 0000000000000000 DAR: 6b6b6b6b6b6b6ba3 DSISR: c0000000e4f07920 Syscall Result: fffffffffffffff2 [NIP : releaseresource+56] [LR : releaseresource+48] #5 [c0000000e4f07a00] releaseresource at c000000000167258 (unreliable) #6 [c0000000e4f07a30] removephbdynamic at c000000000105648 #7 [c0000000e4f07ab0] dlparremoveslot at c0080000031a09e8 [rpadlpario] #8 [c0000000e4f07b50] removeslotstore at c0080000031a0b9c [rpadlpario] #9 [c0000000e4f07be0] kobjattrstore at c000000000817d8c #10 [c0000000e4f07c00] sysfskfwrite at c00000000063e504 #11 [c0000000e4f07c20] kernfsfopwriteiter at c00000000063d868 #12 [c0000000e4f07c70] newsyncwrite at c00000000054339c #13 [c0000000e4f07d10] vfswrite at c000000000546624 #14 [c0000000e4f07d60] ksyswrite at c0000000005469f4 #15 [c0000000e4f07db0] systemcallexception at c000000000030840 #16 [c0000000e4f07e10] systemcallvectoredcommon at c00000000000c168

To avoid it, we can take a reference to the host_bridge->dev until we're done using phb. Then when we drop the reference the phb will be freed.