linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Radu Rendec <radu.rendec@gmail.com>,
	Michael Ellerman <mpe@ellerman.id.au>
Subject: [PATCH 4.19 31/44] powerpc/msi: Fix NULL pointer access in teardown code
Date: Tue, 18 Dec 2018 17:39:43 +0100	[thread overview]
Message-ID: <20181218163931.095810312@linuxfoundation.org> (raw)
In-Reply-To: <20181218163927.119623235@linuxfoundation.org>

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Radu Rendec <radu.rendec@gmail.com>

commit 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa upstream.

The arch_teardown_msi_irqs() function assumes that controller ops
pointers were already checked in arch_setup_msi_irqs(), but this
assumption is wrong: arch_teardown_msi_irqs() can be called even when
arch_setup_msi_irqs() returns an error (-ENOSYS).

This can happen in the following scenario:
  - msi_capability_init() calls pci_msi_setup_msi_irqs()
  - pci_msi_setup_msi_irqs() returns -ENOSYS
  - msi_capability_init() notices the error and calls free_msi_irqs()
  - free_msi_irqs() calls pci_msi_teardown_msi_irqs()

This is easier to see when CONFIG_PCI_MSI_IRQ_DOMAIN is not set and
pci_msi_setup_msi_irqs() and pci_msi_teardown_msi_irqs() are just
aliases to arch_setup_msi_irqs() and arch_teardown_msi_irqs().

The call to free_msi_irqs() upon pci_msi_setup_msi_irqs() failure
seems legit, as it does additional cleanup; e.g.
list_del(&entry->list) and kfree(entry) inside free_msi_irqs() do
happen (MSI descriptors are allocated before pci_msi_setup_msi_irqs()
is called and need to be cleaned up if that fails).

Fixes: 6b2fd7efeb88 ("PCI/MSI/PPC: Remove arch_msi_check_device()")
Cc: stable@vger.kernel.org # v3.18+
Signed-off-by: Radu Rendec <radu.rendec@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/msi.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/msi.c
+++ b/arch/powerpc/kernel/msi.c
@@ -34,5 +34,10 @@ void arch_teardown_msi_irqs(struct pci_d
 {
 	struct pci_controller *phb = pci_bus_to_host(dev->bus);
 
-	phb->controller_ops.teardown_msi_irqs(dev);
+	/*
+	 * We can be called even when arch_setup_msi_irqs() returns -ENOSYS,
+	 * so check the pointer again.
+	 */
+	if (phb->controller_ops.teardown_msi_irqs)
+		phb->controller_ops.teardown_msi_irqs(dev);
 }



  parent reply	other threads:[~2018-12-18 16:41 UTC|newest]

Thread overview: 53+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-12-18 16:39 [PATCH 4.19 00/44] 4.19.11-stable review Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 01/44] sched/pelt: Fix warning and clean up IRQ PELT config Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 02/44] scsi: raid_attrs: fix unused variable warning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 03/44] staging: olpc_dcon: add a missing dependency Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 04/44] slimbus: ngd: mark PM functions as __maybe_unused Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 05/44] i2c: aspeed: fix build warning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 06/44] ARM: dts: qcom-apq8064-arrow-sd-600eval fix graph_endpoint warning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 07/44] drm/msm: fix address space warning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 08/44] pinctrl: sunxi: a83t: Fix IRQ offset typo for PH11 Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 09/44] aio: fix spectre gadget in lookup_ioctx Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 10/44] scripts/spdxcheck.py: always open files in binary mode Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 11/44] fs/iomap.c: get/put the page in iomap_page_create/release() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 12/44] userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 13/44] arm64: dma-mapping: Fix FORCE_CONTIGUOUS buffer clearing Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 14/44] block/bio: Do not zero user pages Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 15/44] ovl: fix decode of dir file handle with multi lower layers Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 16/44] ovl: fix missing override creds in link of a metacopy upper Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 17/44] MMC: OMAP: fix broken MMC on OMAP15XX/OMAP5910/OMAP310 Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 18/44] mmc: core: use mrq->sbc when sending CMD23 for RPMB Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 19/44] mmc: sdhci-omap: Fix DCRC error handling during tuning Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 20/44] mmc: sdhci: fix the timeout check window for clock and reset Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 21/44] fuse: continue to send FUSE_RELEASEDIR when FUSE_OPEN returns ENOSYS Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 22/44] ARM: mmp/mmp2: fix cpu_is_mmp2() on mmp2-dt Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 23/44] ARM: dts: bcm2837: Fix polarity of wifi reset GPIOs Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 24/44] dm thin: send event about thin-pool state change _after_ making it Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 25/44] dm cache metadata: verify cache has blocks in blocks_are_clean_separate_dirty() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 26/44] dm: call blk_queue_split() to impose device limits on bios Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 27/44] tracing: Fix memory leak in create_filter() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 28/44] tracing: Fix memory leak in set_trigger_filter() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 29/44] tracing: Fix memory leak of instance function hash filters Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 30/44] media: vb2: dont call __vb2_queue_cancel if vb2_start_streaming failed Greg Kroah-Hartman
2018-12-18 16:39 ` Greg Kroah-Hartman [this message]
2018-12-18 16:39 ` [PATCH 4.19 32/44] powerpc: Look for "stdout-path" when setting up legacy consoles Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 33/44] drm/nouveau/kms: Fix memory leak in nv50_mstm_del() Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 34/44] drm/nouveau/kms/nv50-: also flush fb writes when rewinding push buffer Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 35/44] Revert "drm/rockchip: Allow driver to be shutdown on reboot/kexec" Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 36/44] drm/i915/gvt: Fix tiled memory decoding bug on BDW Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 37/44] drm/i915/execlists: Apply a full mb before execution for Braswell Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 38/44] drm/amdgpu/powerplay: Apply avfs cks-off voltages on VI Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 39/44] drm/amdkfd: add new vega10 pci ids Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 40/44] drm/amdgpu: add some additional " Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 41/44] drm/amdgpu: update smu firmware images for VI variants (v2) Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 42/44] drm/amdgpu: update SMC firmware image for polaris10 variants Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 43/44] dm zoned: Fix target BIO completion handling Greg Kroah-Hartman
2018-12-18 16:39 ` [PATCH 4.19 44/44] x86/build: Fix compiler support check for CONFIG_RETPOLINE Greg Kroah-Hartman
2018-12-18 20:26 ` [PATCH 4.19 00/44] 4.19.11-stable review shuah
2018-12-19 13:19   ` Greg Kroah-Hartman
2018-12-18 21:10 ` Dan Rue
2018-12-19 13:19   ` Greg Kroah-Hartman
2018-12-19 15:01 ` Harsh Shandilya
2018-12-19 15:14   ` Greg Kroah-Hartman
2018-12-19 17:23 ` Guenter Roeck
2018-12-19 18:37   ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181218163931.095810312@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mpe@ellerman.id.au \
    --cc=radu.rendec@gmail.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).