From: Marc Zyngier <maz@kernel.org>
To: Tong Zhang <ztong0001@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] genirq/msi: fix crash when handling Multi-MSI
Date: Mon, 17 Jan 2022 09:59:58 +0000
Message-ID: <87ilui8yxt.wl-maz@kernel.org>
In-Reply-To: <20220117092759.1619771-1-ztong0001@gmail.com>

On Mon, 17 Jan 2022 09:27:59 +0000,
Tong Zhang <ztong0001@gmail.com> wrote:
> 
> pci_msi_domain_check_cap() could return 1 when the domain does not support
> multi MSI and the user requests multi MSI. This positive value will be used by
> __pci_enable_msi_range(). In a previous refactor, this positive value is
> handled as an error case, which will cause a kernel crash.
> 
> [    1.197953] BUG: KASAN: use-after-free in __pci_enable_msi_range+0x234/0x320
> [    1.198327] Freed by task 1:
> [    1.198327]  kfree+0x8f/0x2b0
> [    1.198327]  msi_free_msi_descs_range+0xf5/0x130
> [    1.198327]  msi_domain_alloc_irqs_descs_locked+0x8d/0xa0
> [    1.198327]  __pci_enable_msi_range+0x1a4/0x320
> [    1.198327]  pci_alloc_irq_vectors_affinity+0x135/0x1a0
> [    1.198327]  pcie_port_device_register+0x4a1/0x5c0
> [    1.198327]  pcie_portdrv_probe+0x50/0x100

I'm sorry, but you'll have to be a bit clearer in your commit message,
because I cannot relate what you describe with the patch.

The real issue seems to be that a domain_alloc_irqs callback can
return a positive, non-zero value, and I don't think this is expected.

How about this instead? If I am barking up the wrong tree, please
provide a more accurate description of the problem you are seeing.

Thanks,

	M.

diff --git a/kernel/irq/msi.c b/kernel/irq/msi.c
index 2bdfce5edafd..da8bb6135627 100644
--- a/kernel/irq/msi.c
+++ b/kernel/irq/msi.c
@@ -878,8 +878,10 @@ int __msi_domain_alloc_irqs(struct irq_domain *domain, struct device *dev,
 		virq = __irq_domain_alloc_irqs(domain, -1, desc->nvec_used,
 					       dev_to_node(dev), &arg, false,
 					       desc->affinity);
-		if (virq < 0)
-			return msi_handle_pci_fail(domain, desc, allocated);
+		if (virq < 0) {
+			ret = msi_handle_pci_fail(domain, desc, allocated);
+			return ret < 0 ? ret : 0;
+		}
 
 		for (i = 0; i < desc->nvec_used; i++) {
 			irq_set_msi_desc_off(virq, i, desc);
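
Review bot: In the `virq < 0` branch, `return ret < 0 ? ret : 0;` reports success to the caller for an allocation that just failed whenever msi_handle_pci_fail() returns a positive value, and it discards that value without a comment. The quoted report says a positive return is consumed by __pci_enable_msi_range(), so squashing it here could change what that caller sees; please either add a comment stating which positive values msi_handle_pci_fail() can return and why mapping them to 0 is safe, or map them to a negative errno so the failure stays visible. The quoted KASAN trace also shows the free happening in msi_free_msi_descs_range() called from msi_domain_alloc_irqs_descs_locked(), which this hunk does not touch, so it is worth confirming that path can no longer be reached with a positive return. Finally, `ret` is assigned here but its declaration is not in the visible context; check that it is already declared in __msi_domain_alloc_irqs().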

-- 
Without deviation from the norm, progress is not possible.
