[PATCH 0/1] Fix NULL pointer access in PowerPC MSI teardown code

Michael Ellerman mpe at ellerman.id.au
Wed Nov 28 22:00:30 AEDT 2018


Hi Radu,

Radu Rendec <radu.rendec at gmail.com> writes:
> Hi everyone,
>
> It seems there's an unchecked access to a NULL pointer (to a function)
> in the PowerPC MSI teardown code. I found this on kernel 4.9, but the
> code looks identical in the latest 4.20-rc. I don't see any reason why
> this wouldn't happen on recent kernels too.
>
> The PowerPC architecture specific MSI setup and teardown functions are
> in arch/powerpc/kernel/msi.c:
>
>   * arch_setup_msi_irqs() checks pointers for both the setup_msi_irqs
>     and teardown_msi_irqs ops and returns -ENOSYS if either one is NULL.
>
>   * arch_teardown_msi_irqs() calls on the teardown_msi_irqs op pointer
>     without checking it and assumes the function is never called unless
>     arch_setup_msi_irqs() returns successfully.
>
> The assumption in arch_teardown_msi_irqs() is wrong and results in a
> function call on a NULL pointer. An example of how this can happen is
> included in the actual patch header. In my case, it happens when the PCI
> hardware is configured during kernel start-up, because my controller
> doesn't support MSI and the ops are NULL.

What hardware are you on?

> I'm proposing the attached patch to fix the problem. It basically just
> checks the pointer before the function call.

Yeah that patch looks good to me.

I suspect this bug was introduced in:

  6b2fd7efeb88 ("PCI/MSI/PPC: Remove arch_msi_check_device()")

Previously we had that check routine which would run before any of the
MSI setup had been done, and so if there were no MSI ops then we bailed
out early and didn't call teardown.

I guess since then (2014) we haven't tested an MSI capable device on a
system that isn't MSI capable?

cheers
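To make the failure mode in the thread concrete, here is an added userspace model in C of the two-op pattern Radu describes: the setup side refuses with -ENOSYS when either op is NULL, while the teardown side is reached anyway and must not assume setup succeeded. This is example code, not code from the kernel or from this thread. The struct and function names, the demo controllers, and the core_enable_msi() caller that unwinds through the teardown hook on failure are all assumptions for the illustration; the actual kernel call chain by which teardown is reached after a failed setup is in the patch header, which is not on this page.

```c
/*
 * Added example, not kernel code: a userspace model of the
 * arch_setup_msi_irqs()/arch_teardown_msi_irqs() pattern discussed above.
 * Every name here, and the core_enable_msi() caller, is an assumption.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct msi_dev;

/* Per-controller MSI ops; a controller without MSI support leaves both NULL. */
struct controller_ops {
	int  (*setup_msi_irqs)(struct msi_dev *dev, int nvec);
	void (*teardown_msi_irqs)(struct msi_dev *dev);
};

struct msi_dev {
	const struct controller_ops *ops; /* the controller this device hangs off */
	int irqs_allocated;
	int teardown_calls;
};

/* Setup side: refuse with -ENOSYS if either op is missing. */
int model_arch_setup_msi_irqs(struct msi_dev *dev, int nvec)
{
	if (!dev->ops->setup_msi_irqs || !dev->ops->teardown_msi_irqs)
		return -ENOSYS;
	return dev->ops->setup_msi_irqs(dev, nvec);
}

/* Before the fix: assumes setup succeeded, so this is a call through a NULL
 * pointer when the controller has no MSI ops. Not invoked by the demo. */
void model_teardown_unchecked(struct msi_dev *dev)
{
	dev->ops->teardown_msi_irqs(dev);
}

/* After the fix: check the pointer, because this hook can be reached even
 * when setup returned -ENOSYS. */
void model_teardown_checked(struct msi_dev *dev)
{
	if (dev->ops->teardown_msi_irqs)
		dev->ops->teardown_msi_irqs(dev);
}

/* Assumed generic-core behaviour: on setup failure, unwind through the same
 * teardown hook whether or not the platform op was ever reached. */
int core_enable_msi(struct msi_dev *dev, int nvec,
		    void (*teardown)(struct msi_dev *))
{
	int ret = model_arch_setup_msi_irqs(dev, nvec);

	if (ret)
		teardown(dev); /* the unconditional call that bites the unchecked version */
	return ret;
}

/* Demo controllers (constructed for the example). */
static int demo_setup(struct msi_dev *dev, int nvec) { dev->irqs_allocated = nvec; return 0; }
static int demo_setup_fails(struct msi_dev *dev, int nvec) { (void)dev; (void)nvec; return -ENOMEM; }
static void demo_teardown(struct msi_dev *dev) { dev->irqs_allocated = 0; dev->teardown_calls++; }

static const struct controller_ops msi_capable   = { demo_setup,       demo_teardown };
static const struct controller_ops msi_setup_err = { demo_setup_fails, demo_teardown };
static const struct controller_ops no_msi        = { NULL,             NULL };

/* No MSI ops: setup returns -ENOSYS and the checked teardown returns safely. */
int scenario_no_msi(void)
{
	struct msi_dev dev = { &no_msi, 0, 0 };

	return core_enable_msi(&dev, 4, model_teardown_checked);
}

/* MSI ops present: returns the number of vectors the controller allocated. */
int scenario_msi_ok(void)
{
	struct msi_dev dev = { &msi_capable, 0, 0 };

	return core_enable_msi(&dev, 4, model_teardown_checked) ? -1 : dev.irqs_allocated;
}

/* MSI ops present but setup fails: the fix must not skip real cleanup, so the
 * platform teardown op still runs exactly once. */
int scenario_setup_fails(void)
{
	struct msi_dev dev = { &msi_setup_err, 0, 0 };

	core_enable_msi(&dev, 4, model_teardown_checked);
	return dev.teardown_calls;
}

int main(void)
{
	printf("no MSI ops:  enable -> %d (-ENOSYS), no NULL call\n", scenario_no_msi());
	printf("MSI capable: vectors allocated -> %d\n", scenario_msi_ok());
	printf("setup fails: teardown op ran %d time(s)\n", scenario_setup_fails());
	/* Swapping in model_teardown_unchecked for the no-MSI device would crash. */
	return 0;
}
```

The third scenario is the check a reviewer would want alongside the fix: guarding the pointer must only skip the call when the op is absent, not when setup merely failed after the controller did provide ops, so legitimate platform cleanup still runs.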


More information about the Linuxppc-dev mailing list