From: Zijun Hu <quic_zijuhu@xxxxxxxxxxx> pci_epc_destroy() invokes pci_bus_release_domain_nr() to release domain_nr ID, but the invocation has below 2 faults: - The later accesses device @epc->dev which has been kfree()ed by previous device_unregister(), namely, it is a UAF issue. - The later frees the domain_nr ID into @epc->dev, but the ID is actually allocated from @epc->dev.parent, so it will destroy domain_nr IDA. Fix by freeing the ID to @epc->dev.parent before unregistering @epc->dev. The file(s) affected are shown below since they indirectly use the API. drivers/pci/controller/cadence/pcie-cadence-ep.c drivers/pci/controller/dwc/pcie-designware-ep.c drivers/pci/controller/pcie-rockchip-ep.c drivers/pci/controller/pcie-rcar-ep.c Fixes: 0328947c5032 ("PCI: endpoint: Assign PCI domain number for endpoint controllers") Cc: Lorenzo Pieralisi <lpieralisi@xxxxxxxxxx> Cc: Jingoo Han <jingoohan1@xxxxxxxxx> Cc: Marek Vasut <marek.vasut+renesas@xxxxxxxxx> Cc: Yoshihiro Shimoda <yoshihiro.shimoda.uh@xxxxxxxxxxx> Cc: Shawn Lin <shawn.lin@xxxxxxxxxxxxxx> Cc: Heiko Stuebner <heiko@xxxxxxxxx> Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx> --- drivers/pci/endpoint/pci-epc-core.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c index 17f007109255..bcc9bc3d6df5 100644 --- a/drivers/pci/endpoint/pci-epc-core.c +++ b/drivers/pci/endpoint/pci-epc-core.c @@ -837,11 +837,10 @@ EXPORT_SYMBOL_GPL(pci_epc_bus_master_enable_notify); void pci_epc_destroy(struct pci_epc *epc) { pci_ep_cfs_remove_epc_group(epc->group); - device_unregister(&epc->dev); - #ifdef CONFIG_PCI_DOMAINS_GENERIC - pci_bus_release_domain_nr(&epc->dev, epc->domain_nr); + pci_bus_release_domain_nr(epc->dev.parent, epc->domain_nr); #endif + device_unregister(&epc->dev); } EXPORT_SYMBOL_GPL(pci_epc_destroy); -- 2.34.1
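Review bot: the hunk does fix both faults described in the commit message (the release now targets epc->dev.parent, the IDA the message says the ID came from, and it runs before device_unregister(&epc->dev) frees the device), but nothing at the call site records why the parent is the owner; a one-line comment above the #ifdef, e.g. `/* domain_nr was allocated from the parent's IDA; release it while epc->dev is still alive */`, would keep the allocate/release pairing from drifting apart again. It would also help to state in the commit message that the reorder is deliberate: after this change there is a short window in which epc->dev is still registered but its domain number is already back in the IDA. That looks harmless once pci_ep_cfs_remove_epc_group() has run, but saying so explicitly saves the next reader from wondering whether the original unregister-first order was load-bearing.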