From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Radu Rendec <radu.rendec@gmail.com>,
Michael Ellerman <mpe@ellerman.id.au>
Subject: [PATCH 4.19 31/44] powerpc/msi: Fix NULL pointer access in teardown code
Date: Tue, 18 Dec 2018 17:39:43 +0100 [thread overview]
Message-ID: <20181218163931.095810312@linuxfoundation.org> (raw)
In-Reply-To: <20181218163927.119623235@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Radu Rendec <radu.rendec@gmail.com>
commit 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa upstream.
The arch_teardown_msi_irqs() function assumes that controller ops
pointers were already checked in arch_setup_msi_irqs(), but this
assumption is wrong: arch_teardown_msi_irqs() can be called even when
arch_setup_msi_irqs() returns an error (-ENOSYS).
This can happen in the following scenario:
- msi_capability_init() calls pci_msi_setup_msi_irqs()
- pci_msi_setup_msi_irqs() returns -ENOSYS
- msi_capability_init() notices the error and calls free_msi_irqs()
- free_msi_irqs() calls pci_msi_teardown_msi_irqs()
This is easier to see when CONFIG_PCI_MSI_IRQ_DOMAIN is not set and
pci_msi_setup_msi_irqs() and pci_msi_teardown_msi_irqs() are just
aliases to arch_setup_msi_irqs() and arch_teardown_msi_irqs().
The call to free_msi_irqs() upon pci_msi_setup_msi_irqs() failure
seems legit, as it does additional cleanup; e.g.
list_del(&entry->list) and kfree(entry) inside free_msi_irqs() do
happen (MSI descriptors are allocated before pci_msi_setup_msi_irqs()
is called and need to be cleaned up if that fails).
Fixes: 6b2fd7efeb88 ("PCI/MSI/PPC: Remove arch_msi_check_device()")
Cc: stable@vger.kernel.org # v3.18+
Signed-off-by: Radu Rendec <radu.rendec@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/msi.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/powerpc/kernel/msi.c
+++ b/arch/powerpc/kernel/msi.c
@@ -34,5 +34,10 @@ void arch_teardown_msi_irqs(struct pci_d
{
struct pci_controller *phb = pci_bus_to_host(dev->bus);
- phb->controller_ops.teardown_msi_irqs(dev);
+ /*
+ * We can be called even when arch_setup_msi_irqs() returns -ENOSYS,
+ * so check the pointer again.
+ */
+ if (phb->controller_ops.teardown_msi_irqs)
+ phb->controller_ops.teardown_msi_irqs(dev);
}
next prev parent reply other threads:[~2018-12-18 16:41 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-18 16:39 [PATCH 4.19 00/44] 4.19.11-stable review Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 01/44] sched/pelt: Fix warning and clean up IRQ PELT config Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 02/44] scsi: raid_attrs: fix unused variable warning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 03/44] staging: olpc_dcon: add a missing dependency Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 04/44] slimbus: ngd: mark PM functions as __maybe_unused Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 05/44] i2c: aspeed: fix build warning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 06/44] ARM: dts: qcom-apq8064-arrow-sd-600eval fix graph_endpoint warning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 07/44] drm/msm: fix address space warning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 08/44] pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 09/44] aio: fix spectre gadget in lookup_ioctx Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 10/44] scripts/spdxcheck.py: always open files in binary mode Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 11/44] fs/iomap.c: get/put the page in iomap_page_create/release() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 12/44] userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 13/44] arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 14/44] block/bio: Do not zero user pages Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 15/44] ovl: fix decode of dir file handle with multi lower layers Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 16/44] ovl: fix missing override creds in link of a metacopy upper Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 17/44] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 18/44] mmc: core: use mrq->sbc when sending CMD23 for RPMB Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 19/44] mmc: sdhci-omap: Fix DCRC error handling during tuning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 20/44] mmc: sdhci: fix the timeout check window for clock and reset Greg Kroah-Hartman
2018-12-18 16:39 ` Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 21/44] fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 22/44] ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 23/44] ARM: dts: bcm2837: Fix polarity of wifi reset GPIOs Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 24/44] dm thin: send event about thin-pool state change _after_ making it Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 25/44] dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 26/44] dm: call blk_queue_split() to impose device limits on bios Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 27/44] tracing: Fix memory leak in create_filter() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 28/44] tracing: Fix memory leak in set_trigger_filter() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 29/44] tracing: Fix memory leak of instance function hash filters Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 30/44] media: vb2: dont call __vb2_queue_cancel if vb2_start_streaming failed Greg Kroah-Hartman
2018-12-18 16:39 ` Greg Kroah-Hartman [this message]
2018-12-18 16:39 ` [PATCH 4.19 32/44] powerpc: Look for "stdout-path" when setting up legacy consoles Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 33/44] drm/nouveau/kms: Fix memory leak in nv50_mstm_del() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 34/44] drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 35/44] Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 36/44] drm/i915/gvt: Fix tiled memory decoding bug on BDW Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 37/44] drm/i915/execlists: Apply a full mb before execution for Braswell Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 38/44] drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 39/44] drm/amdkfd: add new vega10 pci ids Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 40/44] drm/amdgpu: add some additional " Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 41/44] drm/amdgpu: update smu firmware images for VI variants (v2) Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 42/44] drm/amdgpu: update SMC firmware image for polaris10 variants Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 43/44] dm zoned: Fix target BIO completion handling Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 44/44] x86/build: Fix compiler support check for CONFIG_RETPOLINE Greg Kroah-Hartman
2018-12-18 20:26 ` [PATCH 4.19 00/44] 4.19.11-stable review shuah
2018-12-19 13:19 ` Greg Kroah-Hartman
2018-12-18 21:10 ` Dan Rue
2018-12-19 13:19 ` Greg Kroah-Hartman
2018-12-19 15:01 ` Harsh Shandilya
2018-12-19 15:14 ` Greg Kroah-Hartman
2018-12-19 17:23 ` Guenter Roeck
2018-12-19 18:37 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181218163931.095810312@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=radu.rendec@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.