[1/1] Fix NULL pointer access in PowerPC MSI teardown code

Michael Ellerman patch-notifications at ellerman.id.au
Sun Dec 2 22:02:04 AEDT 2018


On Wed, 2018-11-28 at 03:20:48 UTC, Radu Rendec wrote:
> The arch_teardown_msi_irqs() function assumes that controller ops
> pointers were already checked in arch_setup_msi_irqs(), but this
> assumption is wrong: arch_teardown_msi_irqs() can be called even when
> arch_setup_msi_irqs() returns an error (-ENOSYS).
> 
> This can happen in the following scenario:
> 
>   * msi_capability_init() calls pci_msi_setup_msi_irqs()
>   * pci_msi_setup_msi_irqs() returns -ENOSYS
>   * msi_capability_init() notices the error and calls free_msi_irqs()
>   * free_msi_irqs() calls pci_msi_teardown_msi_irqs()
> 
> This is easier to see when CONFIG_PCI_MSI_IRQ_DOMAIN is not set and
> pci_msi_setup_msi_irqs() and pci_msi_teardown_msi_irqs() are just
> aliases to arch_setup_msi_irqs() and arch_teardown_msi_irqs().
> 
> The call to free_msi_irqs() upon pci_msi_setup_msi_irqs() failure seems
> legit, as it does additional cleanup; e.g. list_del(&entry->list) and
> kfree(entry) inside free_msi_irqs() do happen (MSI descriptors are
> allocated before pci_msi_setup_msi_irqs() is called and need to be
> cleaned up if that fails).
> 
> Signed-off-by: Radu Rendec <radu.rendec at gmail.com>

Applied to powerpc fixes, thanks.

https://git.kernel.org/powerpc/c/78e7b15e17ac175e7eed9e21c6f92d

cheers
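The failure path the commit message describes, as an added illustration that is not the kernel's code or the applied patch: a simplified model in which descriptors are allocated before setup, setup returns -ENOSYS because the controller has no MSI ops, and the error path then calls free_msi_irqs(), which reaches teardown. All structure and function names (msi_ops, controller_sim, pci_dev_sim, the sim_* functions) are assumptions for this model; the unchecked teardown shows the assumption the commit message calls wrong, and the checked one repeats the pointer checks on the teardown side.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct pci_dev_sim;

/* Constructed stand-in for the per-controller MSI ops table (not the kernel's struct). */
struct msi_ops {
    int  (*setup_msi_irqs)(struct pci_dev_sim *dev, int nvec);
    void (*teardown_msi_irqs)(struct pci_dev_sim *dev);
};

struct controller_sim {
    struct msi_ops *ops;      /* NULL when the controller offers no MSI support */
};

struct pci_dev_sim {
    struct controller_sim *ctrl;
    int msi_descs_allocated;  /* models the MSI descriptor list (constructed) */
};

static int teardown_calls;    /* counts how often the controller teardown hook ran */

static int  fake_setup(struct pci_dev_sim *dev, int nvec) { (void)dev; (void)nvec; return 0; }
static void fake_teardown(struct pci_dev_sim *dev) { (void)dev; teardown_calls++; }

/* Models arch_setup_msi_irqs(): missing ops means -ENOSYS, nothing is dereferenced. */
int sim_setup_msi_irqs(struct pci_dev_sim *dev, int nvec)
{
    struct msi_ops *ops = dev->ctrl ? dev->ctrl->ops : NULL;
    if (!ops || !ops->setup_msi_irqs)
        return -ENOSYS;
    return ops->setup_msi_irqs(dev, nvec);
}

/* Unchecked teardown: assumes setup validated the pointers, which is false on the
 * error path. With ops == NULL this line is the NULL pointer access. */
void sim_teardown_msi_irqs_unchecked(struct pci_dev_sim *dev)
{
    dev->ctrl->ops->teardown_msi_irqs(dev);
}

/* Checked teardown: repeats the checks because free_msi_irqs() calls teardown even
 * when setup failed. Returns 1 if the hook ran, 0 if there was nothing to tear down. */
int sim_teardown_msi_irqs_checked(struct pci_dev_sim *dev)
{
    struct msi_ops *ops = dev->ctrl ? dev->ctrl->ops : NULL;
    if (!ops || !ops->teardown_msi_irqs)
        return 0;
    ops->teardown_msi_irqs(dev);
    return 1;
}

/* Models free_msi_irqs(): arch teardown first, then the descriptor cleanup that the
 * commit message says is still needed after a setup failure. */
static void sim_free_msi_irqs(struct pci_dev_sim *dev)
{
    sim_teardown_msi_irqs_checked(dev);
    dev->msi_descs_allocated = 0;
}

/* Models msi_capability_init(): descriptors exist before setup and are freed if it fails. */
int sim_msi_capability_init(struct pci_dev_sim *dev, int nvec)
{
    int ret;

    dev->msi_descs_allocated = nvec;
    ret = sim_setup_msi_irqs(dev, nvec);
    if (ret) {
        sim_free_msi_irqs(dev);   /* the path that reaches teardown after -ENOSYS */
        return ret;
    }
    return 0;
}

int main(void)
{
    struct controller_sim no_msi = { .ops = NULL };
    struct pci_dev_sim dev = { .ctrl = &no_msi, .msi_descs_allocated = 0 };
    struct msi_ops ops = { .setup_msi_irqs = fake_setup, .teardown_msi_irqs = fake_teardown };
    struct controller_sim with_msi = { .ops = &ops };
    struct pci_dev_sim dev2 = { .ctrl = &with_msi, .msi_descs_allocated = 0 };
    int ret;

    ret = sim_msi_capability_init(&dev, 4);
    printf("no ops: setup=%d descriptors=%d teardown hook calls=%d\n",
           ret, dev.msi_descs_allocated, teardown_calls);

    ret = sim_msi_capability_init(&dev2, 2);
    sim_teardown_msi_irqs_checked(&dev2);
    printf("with ops: setup=%d teardown hook calls=%d\n", ret, teardown_calls);
    return 0;
}
```

Running the model with a controller whose ops pointer is NULL takes exactly the route in the commit message (setup returns -ENOSYS, free_msi_irqs() runs, teardown is reached) and survives only because the checked teardown re-validates the pointers; swapping in sim_teardown_msi_irqs_unchecked() on that path dereferences NULL.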


More information about the Linuxppc-dev mailing list