CVE-2024-41096

Source
https://cve.org/CVERecord?id=CVE-2024-41096
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-41096.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-41096
Downstream
Related
Published
2024-07-29T15:48:09.247Z
Modified
2026-05-15T11:53:31.896438479Z
Summary
PCI/MSI: Fix UAF in msi_capability_init
Details

In the Linux kernel, the following vulnerability has been resolved:

PCI/MSI: Fix UAF in msi_capability_init

KFENCE reports the following UAF:

 BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488

 Use-after-free read at 0x0000000024629571 (in kfence-#12):
  __pci_enable_msi_range+0x2c0/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128

 allocated by task 81 on cpu 7 at 10.808142s:
  __kmem_cache_alloc_node+0x1f0/0x2bc
  kmalloc_trace+0x44/0x138
  msi_alloc_desc+0x3c/0x9c
  msi_domain_insert_msi_desc+0x30/0x78
  msi_setup_msi_desc+0x13c/0x184
  __pci_enable_msi_range+0x258/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 freed by task 81 on cpu 7 at 10.811436s:
  msi_domain_free_descs+0xd4/0x10c
  msi_domain_free_locked.part.0+0xc0/0x1d8
  msi_domain_alloc_irqs_all_locked+0xb4/0xbc
  pci_msi_setup_msi_irqs+0x30/0x4c
  __pci_enable_msi_range+0x2a8/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

Descriptor allocation done in:
  __pci_enable_msi_range
    msi_capability_init
      msi_setup_msi_desc
        msi_insert_msi_desc
          msi_domain_insert_msi_desc
            msi_alloc_desc
              ...

Freed in case of failure in __msi_domain_alloc_locked():
  __pci_enable_msi_range
    msi_capability_init
      pci_msi_setup_msi_irqs
        msi_domain_alloc_irqs_all_locked
          msi_domain_alloc_locked
            __msi_domain_alloc_locked => fails
            msi_domain_free_locked
              ...

That failure propagates back to pci_msi_setup_msi_irqs() in msi_capability_init(), which accesses the descriptor for unmasking in the error exit path.

Cure it by copying the descriptor and using the copy for the error exit path unmask operation.

[ tglx: Massaged change log ]

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41096.json"
}
References

Affected packages

Linux / Kernel

Package

Name
Kernel

Affected ranges (Type: ECOSYSTEM)

Introduced 5.17.0, Fixed 6.1.109
Introduced 6.2.0, Fixed 6.6.37
Introduced 6.7.0, Fixed 6.9.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-41096.json"