Message-ID: <5552E8F6.8020902@linux.intel.com>
Date: Wed, 13 May 2015 14:02:30 +0800
From: Jiang Liu
Organization: Intel
To: Sergey Senozhatsky, Thomas Gleixner
CC: Ingo Molnar, "H. Peter Anvin", x86@kernel.org, linux-kernel@vger.kernel.org, Sergey Senozhatsky
Subject: Re: [RFC][PATCH] x86/hpet: fix NULL pointer dereference in msi_domain_alloc_irqs()
References: <1431344168-1872-1-git-send-email-sergey.senozhatsky@gmail.com> <20150512041444.GA1094@swordfish>
In-Reply-To: <20150512041444.GA1094@swordfish>

On 2015/5/12 12:14, Sergey Senozhatsky wrote:
>> directly call __irq_domain_alloc_irqs() in hpet_assign_irq() and pass
>> correct `arg' to fix the oops.
>>
>
> oh, what I was thinking about... it should be as simple as this.
>
> 8<-----8<-----
>
> From 8be2eb548cefc788c87b05da22176b7360c6aca9 Mon Sep 17 00:00:00 2001
> From: Sergey Senozhatsky > Date: Mon, 11 May 2015 18:56:49 +0900 > Subject: [PATCH] x86/hpet: fix NULL pointer deference in > msi_domain_alloc_irqs() > > Fix the following oops: > hpet_msi_get_hwirq+0x1f/0x27 > msi_domain_alloc+0x35/0xfe > ? trace_hardirqs_on_caller+0x16c/0x188 > irq_domain_alloc_irqs_recursive+0x51/0x95 > __irq_domain_alloc_irqs+0x151/0x223 > hpet_assign_irq+0x5d/0x68 > hpet_msi_capability_lookup+0x121/0x1cb > ? hpet_enable+0x2b4/0x2b4 > hpet_late_init+0x5f/0xf2 > ? hpet_enable+0x2b4/0x2b4 > do_one_initcall+0x184/0x199 > kernel_init_freeable+0x1af/0x237 > ? rest_init+0x13a/0x13a > kernel_init+0xe/0xd4 > ret_from_fork+0x3f/0x70 > ? rest_init+0x13a/0x13a > > since 3cb96f0c9733 ('x86/hpet: Enhance HPET IRQ to support hierarchical > irqdomains') hpet_msi_capability_lookup() uses hpet_assign_irq(). the > latter discards `irq_alloc_info info' param and instead passes NULL to > __irq_domain_alloc_irqs() as `arg'. __irq_domain_alloc_irqs() invokes > irq_domain_alloc_irqs_recursive(), which msi_domain_alloc_irqs() and, > eventually, accesses `arg->hpet_index' in hpet_msi_get_hwirq(). > > pass a correct `irq_alloc_info info' pointer to irq_domain_alloc_irqs() > in hpet_assign_irq() to fix the oops. > > Signed-off-by: Sergey Senozhatsky > --- > arch/x86/kernel/apic/msi.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c > index 58fde66..ef516af 100644 > --- a/arch/x86/kernel/apic/msi.c > +++ b/arch/x86/kernel/apic/msi.c > @@ -351,6 +351,6 @@ int hpet_assign_irq(struct irq_domain *domain, struct hpet_dev *dev, > info.hpet_id = hpet_dev_id(domain); > info.hpet_index = dev_num; > > - return irq_domain_alloc_irqs(domain, 1, NUMA_NO_NODE, NULL); > + return irq_domain_alloc_irqs(domain, 1, NUMA_NO_NODE, &info); > } > #endif Hi Sergey, My fault, I have prepared 'info' without actually passing it to irq_domain_alloc_irqs(). Thanks for fixing it. Reviewed-by: Jiang Liu
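
Review bot: on the changed return line in hpet_assign_irq(), `&info` now reaches the allocation path, but the visible context only shows `info.hpet_id` and `info.hpet_index` being assigned; please confirm that the rest of the struct is initialised above the part of the function shown here, so that no uninitialised fields are read once msi_domain_alloc() and hpet_msi_get_hwirq() start consuming it. Two smaller points on the commit message: it names 3cb96f0c9733 as the commit that introduced the NULL argument, so a "Fixes:" tag for that commit would let stable tooling pick the fix up, and the text says NULL is passed to __irq_domain_alloc_irqs() while the hunk changes a call to irq_domain_alloc_irqs(), so it is worth stating which of the two the caller actually invokes. The quoted trace would also be easier to match against bug reports if it kept the oops header line that precedes the call chain.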