[PATCH 0/1] Fix NULL pointer access in PowerPC MSI teardown code

Radu Rendec radu.rendec at gmail.com
Wed Nov 28 14:20:47 AEDT 2018


Hi everyone,

It seems there's an unchecked access to a NULL pointer (to a function)
in the PowerPC MSI teardown code. I found this on kernel 4.9, but the
code looks identical in the latest 4.20-rc. I don't see any reason why
this wouldn't happen on recent kernels too.

The PowerPC architecture specific MSI setup and teardown functions are
in arch/powerpc/kernel/msi.c:

  * arch_setup_msi_irqs() checks pointers for both the setup_msi_irqs
    and teardown_msi_irqs ops and returns -ENOSYS if either one is NULL.

  * arch_teardown_msi_irqs() calls on the teardown_msi_irqs op pointer
    without checking it and assumes the function is never called unless
    arch_setup_msi_irqs() returns successfully.

The assumption in arch_teardown_msi_irqs() is wrong and results in a
function call on a NULL pointer. An example of how this can happen is
included in the actual patch header. In my case, it happens when the PCI
hardware is configured during kernel start-up, because my controller
doesn't support MSI and the ops are NULL.

I'm proposing the attached patch to fix the problem. It basically just
checks the pointer before the function call.

The patch is against v4.20-rc4, but I only actually tested it on
v4.9.115. On the other hand, the patch is trivial and I did check that
the NULL pointer dereference scenario is still valid on v4.20-rc4.

Best regards,
Radu Rendec


Radu Rendec (1):
  Fix NULL pointer access in PowerPC MSI teardown code

 arch/powerpc/kernel/msi.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

-- 
2.17.2
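Added example, not the patch itself or the kernel's code: a simplified C model of the two functions described above, showing the unchecked teardown beside the checked form the patch proposes. The struct layout, the dropped `struct pci_dev` argument, the `int` return of the checked teardown and the `fake_*` stubs are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified stand-in for the controller ops: the kernel's
 * pci_controller_ops has more members and takes a struct pci_dev. */
struct controller_ops {
    int  (*setup_msi_irqs)(int nvec);
    void (*teardown_msi_irqs)(void);
};

/* Mirrors arch_setup_msi_irqs(): refuse MSI when either op is missing. */
int model_setup_msi_irqs(const struct controller_ops *ops, int nvec)
{
    if (!ops->setup_msi_irqs || !ops->teardown_msi_irqs)
        return -ENOSYS;
    return ops->setup_msi_irqs(nvec);
}

/* Before the fix: unconditional call. Reached after setup returned
 * -ENOSYS, this calls through a NULL pointer; never pass NULL ops. */
void model_teardown_unchecked(const struct controller_ops *ops)
{
    ops->teardown_msi_irqs();
}

/* After the fix: skip the call when the controller provides no op.
 * Returns 1 if the op ran, 0 if skipped (the kernel function is void). */
int model_teardown_checked(const struct controller_ops *ops)
{
    if (!ops->teardown_msi_irqs)
        return 0;
    ops->teardown_msi_irqs();
    return 1;
}

/* Constructed stubs for a controller that does support MSI. */
int teardown_calls;
int  fake_setup(int nvec) { (void)nvec; return 0; }
void fake_teardown(void)  { teardown_calls++; }

int main(void)
{
    struct controller_ops no_msi = { NULL, NULL };
    struct controller_ops has_msi = { fake_setup, fake_teardown };
    printf("no-MSI: setup=%d teardown ran=%d\n",
           model_setup_msi_irqs(&no_msi, 1), model_teardown_checked(&no_msi));
    printf("MSI:    setup=%d teardown ran=%d\n",
           model_setup_msi_irqs(&has_msi, 1), model_teardown_checked(&has_msi));
    return 0;
}
```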