In the Linux kernel, the following vulnerability has been resolved:
PCI/MSI: Fix UAF in msi_capability_init
KFENCE reports the following UAF:

 BUG: KFENCE: use-after-free read in __pci_enable_msi_range+0x2c0/0x488

 Use-after-free read at 0x0000000024629571 (in kfence-#12):
  __pci_enable_msi_range+0x2c0/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 kfence-#12: 0x0000000008614900-0x00000000e06c228d, size=104, cache=kmalloc-128

 allocated by task 81 on cpu 7 at 10.808142s:
  __kmem_cache_alloc_node+0x1f0/0x2bc
  kmalloc_trace+0x44/0x138
  msi_alloc_desc+0x3c/0x9c
  msi_domain_insert_msi_desc+0x30/0x78
  msi_setup_msi_desc+0x13c/0x184
  __pci_enable_msi_range+0x258/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28

 freed by task 81 on cpu 7 at 10.811436s:
  msi_domain_free_descs+0xd4/0x10c
  msi_domain_free_locked.part.0+0xc0/0x1d8
  msi_domain_alloc_irqs_all_locked+0xb4/0xbc
  pci_msi_setup_msi_irqs+0x30/0x4c
  __pci_enable_msi_range+0x2a8/0x488
  pci_alloc_irq_vectors_affinity+0xec/0x14c
  pci_alloc_irq_vectors+0x18/0x28
Descriptor allocation done in:

 __pci_enable_msi_range
   msi_capability_init
     msi_setup_msi_desc
       msi_insert_msi_desc
         msi_domain_insert_msi_desc
           msi_alloc_desc
             ...

Freed in case of failure in __msi_domain_alloc_locked():

 __pci_enable_msi_range
   msi_capability_init
     pci_msi_setup_msi_irqs
       msi_domain_alloc_irqs_all_locked
         msi_domain_alloc_locked
           __msi_domain_alloc_locked => fails
           msi_domain_free_locked
             ...
That failure propagates back to pci_msi_setup_msi_irqs() in msi_capability_init(), which accesses the descriptor for unmasking in the error exit path.
Cure it by copying the descriptor and using the copy for the error exit path unmask operation.
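The bug class and the fix, reduced to a user-space model (added example, not kernel code): a callee tears down the descriptor on failure, and the caller's error exit then touches it. Names and fields (msi_desc with mask_bits, desc_alloc, setup_irqs, unmask) are hypothetical stand-ins for the kernel functions named above; the free routine poisons instead of releasing memory so the stale read is observable without undefined behaviour.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical minimal descriptor: only what the unmask path touches. */
struct msi_desc {
	unsigned int mask_bits; /* current mask state */
	bool freed;             /* model only: set by the free routine */
};
static struct msi_desc pool;    /* stands in for the kmalloc-128 object */
static unsigned int uaf_reads;  /* what KFENCE would have reported */
static unsigned int mask_seen;  /* mask value the unmask path acted on */

static struct msi_desc *desc_alloc(void)
{
	pool = (struct msi_desc){ .mask_bits = 1 };
	return &pool;
}

/* Model of msi_domain_free_descs(): poison instead of kfree() so the read shows. */
static void desc_free(struct msi_desc *d)
{
	memset(d, 0, sizeof *d);
	d->freed = true;
}

/* Model of the error-exit unmask; records whether it read freed memory. */
static void unmask(const struct msi_desc *d)
{
	if (d->freed)
		uaf_reads++;
	mask_seen = d->mask_bits;
}

/* Model of pci_msi_setup_msi_irqs(): on failure the callee tears down the descriptor. */
static int setup_irqs(struct msi_desc *d, bool fail)
{
	if (!fail)
		return 0;
	desc_free(d);
	return -ENOSPC;
}

/* One failing init. use_copy=false is the buggy path, true is the fixed one. */
unsigned int run_failing_init(bool use_copy)
{
	struct msi_desc *d = desc_alloc();
	struct msi_desc copy = *d;       /* the fix: snapshot before the call */
	uaf_reads = 0;
	if (setup_irqs(d, true))
		unmask(use_copy ? &copy : d); /* error exit unmask */
	return uaf_reads;
}
unsigned int last_mask_seen(void) { return mask_seen; }
```

Beyond the freed-memory read, the buggy path also acts on a zeroed mask value, so the unmask it was meant to perform does not happen; the copy keeps the state captured before the failing call.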
[ tglx: Massaged change log ]