[PATCH] PCI: xilinx: Fix NULL pointer dereference

[PATCH] PCI: xilinx: Fix NULL pointer dereference

[Nam Cao]

Commit f29861aa301c5 ("PCI: xilinx: Switch to
msi_create_parent_irq_domain()") changed xilinx_pcie::msi_domain from child
devices' interrupt domain into Xilinx AXI bridge's interrupt domain.

However, xilinx_pcie_intr_handler() wasn't changed and still reads Xilinx
AXI bridge's interrupt domain from xilinx_pcie::msi_domain->parent. This
pointer is NULL now.

Update xilinx_pcie_intr_handler() to read the correct interrupt domain
pointer.

Fixes: f29861aa301c5 ("PCI: xilinx: Switch to msi_create_parent_irq_domain()")
Signed-off-by: Nam Cao <namcao@linutronix.de>
---
 drivers/pci/controller/pcie-xilinx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/controller/pcie-xilinx.c b/drivers/pci/controller/pcie-xilinx.c
index f121836c3cf4..937ea6ae1ac4 100644
--- a/drivers/pci/controller/pcie-xilinx.c
+++ b/drivers/pci/controller/pcie-xilinx.c
@@ -400,7 +400,7 @@ static irqreturn_t xilinx_pcie_intr_handler(int irq, void *data)
 		if (val & XILINX_PCIE_RPIFR1_MSI_INTR) {
 			val = pcie_read(pcie, XILINX_PCIE_REG_RPIFR2) &
 				XILINX_PCIE_RPIFR2_MSG_DATA;
-			domain = pcie->msi_domain->parent;
+			domain = pcie->msi_domain;
 		} else {
 			val = (val & XILINX_PCIE_RPIFR1_INTR_MASK) >>
 				XILINX_PCIE_RPIFR1_INTR_SHIFT;
-- 
2.39.5

Re: [PATCH] PCI: xilinx: Fix NULL pointer dereference

[Bjorn Helgaas]

On Mon, Aug 11, 2025 at 07:41:44AM +0200, Nam Cao wrote:
> Commit f29861aa301c5 ("PCI: xilinx: Switch to
> msi_create_parent_irq_domain()") changed xilinx_pcie::msi_domain from child
> devices' interrupt domain into Xilinx AXI bridge's interrupt domain.
> 
> However, xilinx_pcie_intr_handler() wasn't changed and still reads Xilinx
> AXI bridge's interrupt domain from xilinx_pcie::msi_domain->parent. This
> pointer is NULL now.
> 
> Update xilinx_pcie_intr_handler() to read the correct interrupt domain
> pointer.
> 
> Fixes: f29861aa301c5 ("PCI: xilinx: Switch to msi_create_parent_irq_domain()")

Since this appeared in v6.17-rc1, I suppose this should be merged for
v6.17, right?  I provisionally put this on pci/for-linus for now.

What does this look like to a user?  I assume a NULL pointer
dereference in xilinx_pcie_intr_handler()?  Do you have a dmesg
snippet from hitting it?  It would be nice to include a couple lines
of that in the commit log to help users find this fix.

> Signed-off-by: Nam Cao <namcao@linutronix.de>
> ---
>  drivers/pci/controller/pcie-xilinx.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/pci/controller/pcie-xilinx.c b/drivers/pci/controller/pcie-xilinx.c
> index f121836c3cf4..937ea6ae1ac4 100644
> --- a/drivers/pci/controller/pcie-xilinx.c
> +++ b/drivers/pci/controller/pcie-xilinx.c
> @@ -400,7 +400,7 @@ static irqreturn_t xilinx_pcie_intr_handler(int irq, void *data)
>  		if (val & XILINX_PCIE_RPIFR1_MSI_INTR) {
>  			val = pcie_read(pcie, XILINX_PCIE_REG_RPIFR2) &
>  				XILINX_PCIE_RPIFR2_MSG_DATA;
> -			domain = pcie->msi_domain->parent;
> +			domain = pcie->msi_domain;
>  		} else {
>  			val = (val & XILINX_PCIE_RPIFR1_INTR_MASK) >>
>  				XILINX_PCIE_RPIFR1_INTR_SHIFT;
> -- 
> 2.39.5
> 

Re: [PATCH] PCI: xilinx: Fix NULL pointer dereference

[Nam Cao]

On Mon, Aug 11, 2025 at 05:29:37PM -0500, Bjorn Helgaas wrote:
> On Mon, Aug 11, 2025 at 07:41:44AM +0200, Nam Cao wrote:
> > Commit f29861aa301c5 ("PCI: xilinx: Switch to
> > msi_create_parent_irq_domain()") changed xilinx_pcie::msi_domain from child
> > devices' interrupt domain into Xilinx AXI bridge's interrupt domain.
> > 
> > However, xilinx_pcie_intr_handler() wasn't changed and still reads Xilinx
> > AXI bridge's interrupt domain from xilinx_pcie::msi_domain->parent. This
> > pointer is NULL now.
> > 
> > Update xilinx_pcie_intr_handler() to read the correct interrupt domain
> > pointer.
> > 
> > Fixes: f29861aa301c5 ("PCI: xilinx: Switch to msi_create_parent_irq_domain()")
> 
> Since this appeared in v6.17-rc1, I suppose this should be merged for
> v6.17, right?  I provisionally put this on pci/for-linus for now.

Yes please.

> What does this look like to a user?  I assume a NULL pointer
> dereference in xilinx_pcie_intr_handler()?  Do you have a dmesg
> snippet from hitting it?  It would be nice to include a couple lines
> of that in the commit log to help users find this fix.

Sorry I didn't clarify this, but this has not been tested with hardware.

Claudiu pointed out this problem with another driver [1], so I audited all
the other drivers that I touched and noticed that this one has the same
problem.

Nam

https://lore.kernel.org/linux-pci/20250809144447.3939284-1-claudiu.beznea.uj@bp.renesas.com/ [1]