* [RFC][PATCH] x86/hpet: fix NULL pointer dereference in msi_domain_alloc_irqs()
@ 2015-05-11 11:36 Sergey Senozhatsky
2015-05-12 4:14 ` Sergey Senozhatsky
0 siblings, 1 reply; 4+ messages in thread
From: Sergey Senozhatsky @ 2015-05-11 11:36 UTC (permalink / raw)
To: Thomas Gleixner
Cc: Ingo Molnar, H. Peter Anvin, Jiang Liu, x86, linux-kernel,
Sergey Senozhatsky, Sergey Senozhatsky
Fix the following oops:
hpet_msi_get_hwirq+0x1f/0x27
msi_domain_alloc+0x35/0xfe
? trace_hardirqs_on_caller+0x16c/0x188
irq_domain_alloc_irqs_recursive+0x51/0x95
__irq_domain_alloc_irqs+0x151/0x223
hpet_assign_irq+0x5d/0x68
hpet_msi_capability_lookup+0x121/0x1cb
? hpet_enable+0x2b4/0x2b4
hpet_late_init+0x5f/0xf2
? hpet_enable+0x2b4/0x2b4
do_one_initcall+0x184/0x199
kernel_init_freeable+0x1af/0x237
? rest_init+0x13a/0x13a
kernel_init+0xe/0xd4
ret_from_fork+0x3f/0x70
? rest_init+0x13a/0x13a
since 3cb96f0c97330 ('x86/hpet: Enhance HPET IRQ to support hierarchical
irqdomains') hpet_msi_capability_lookup() uses hpet_assign_irq(). the
latter discards `irq_alloc_info info' param and instead passes NULL to
__irq_domain_alloc_irqs() as `arg'. __irq_domain_alloc_irqs() invokes
irq_domain_alloc_irqs_recursive(), which msi_domain_alloc_irqs() and,
eventually, accesses `arg->hpet_index' in hpet_msi_get_hwirq().
directly call __irq_domain_alloc_irqs() in hpet_assign_irq() and pass
correct `arg' to fix the oops.
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
---
arch/x86/kernel/apic/msi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c
index 58fde66..440e0f9 100644
--- a/arch/x86/kernel/apic/msi.c
+++ b/arch/x86/kernel/apic/msi.c
@@ -351,6 +351,7 @@ int hpet_assign_irq(struct irq_domain *domain, struct hpet_dev *dev,
info.hpet_id = hpet_dev_id(domain);
info.hpet_index = dev_num;
- return irq_domain_alloc_irqs(domain, 1, NUMA_NO_NODE, NULL);
+ return __irq_domain_alloc_irqs(domain, -1, 1, NUMA_NO_NODE,
+ &info, false);
}
#endif
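Review bot: The switch to __irq_domain_alloc_irqs() on the two added lines is not needed to get rid of the NULL argument. The removed line shows that irq_domain_alloc_irqs() already takes the argument in its fourth position, so replacing NULL with &info there is a one-token fix and keeps the hard-coded -1 and false out of this caller. If the double-underscore variant is wanted for another reason, the changelog should say what -1 and false select.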
--
2.4.0.53.g8440f74
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [RFC][PATCH] x86/hpet: fix NULL pointer dereference in msi_domain_alloc_irqs()
2015-05-11 11:36 [RFC][PATCH] x86/hpet: fix NULL pointer dereference in msi_domain_alloc_irqs() Sergey Senozhatsky
@ 2015-05-12 4:14 ` Sergey Senozhatsky
2015-05-13 6:02 ` Jiang Liu
2015-05-13 7:54 ` [tip:x86/apic] x86/hpet: Pass proper pointer to irq_alloc_info tip-bot for Sergey Senozhatsky
0 siblings, 2 replies; 4+ messages in thread
From: Sergey Senozhatsky @ 2015-05-12 4:14 UTC (permalink / raw)
To: Thomas Gleixner
Cc: Ingo Molnar, H. Peter Anvin, Jiang Liu, x86, linux-kernel,
Sergey Senozhatsky, Sergey Senozhatsky
> directly call __irq_domain_alloc_irqs() in hpet_assign_irq() and pass
> correct `arg' to fix the oops.
>
oh, what I was thinking about... it should be as simple as this.
8<-----8<-----
From 8be2eb548cefc788c87b05da22176b7360c6aca9 Mon Sep 17 00:00:00 2001
From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Date: Mon, 11 May 2015 18:56:49 +0900
Subject: [PATCH] x86/hpet: fix NULL pointer dereference in
msi_domain_alloc_irqs()
Fix the following oops:
hpet_msi_get_hwirq+0x1f/0x27
msi_domain_alloc+0x35/0xfe
? trace_hardirqs_on_caller+0x16c/0x188
irq_domain_alloc_irqs_recursive+0x51/0x95
__irq_domain_alloc_irqs+0x151/0x223
hpet_assign_irq+0x5d/0x68
hpet_msi_capability_lookup+0x121/0x1cb
? hpet_enable+0x2b4/0x2b4
hpet_late_init+0x5f/0xf2
? hpet_enable+0x2b4/0x2b4
do_one_initcall+0x184/0x199
kernel_init_freeable+0x1af/0x237
? rest_init+0x13a/0x13a
kernel_init+0xe/0xd4
ret_from_fork+0x3f/0x70
? rest_init+0x13a/0x13a
since 3cb96f0c9733 ('x86/hpet: Enhance HPET IRQ to support hierarchical
irqdomains') hpet_msi_capability_lookup() uses hpet_assign_irq(). the
latter discards `irq_alloc_info info' param and instead passes NULL to
__irq_domain_alloc_irqs() as `arg'. __irq_domain_alloc_irqs() invokes
irq_domain_alloc_irqs_recursive(), which msi_domain_alloc_irqs() and,
eventually, accesses `arg->hpet_index' in hpet_msi_get_hwirq().
pass a correct `irq_alloc_info info' pointer to irq_domain_alloc_irqs()
in hpet_assign_irq() to fix the oops.
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
---
arch/x86/kernel/apic/msi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c
index 58fde66..ef516af 100644
--- a/arch/x86/kernel/apic/msi.c
+++ b/arch/x86/kernel/apic/msi.c
@@ -351,6 +351,6 @@ int hpet_assign_irq(struct irq_domain *domain, struct hpet_dev *dev,
info.hpet_id = hpet_dev_id(domain);
info.hpet_index = dev_num;
- return irq_domain_alloc_irqs(domain, 1, NUMA_NO_NODE, NULL);
+ return irq_domain_alloc_irqs(domain, 1, NUMA_NO_NODE, &info);
}
#endif
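Review bot: With &info now reaching the allocation callbacks on the added line, every field they read has to hold a defined value, and the context here shows only hpet_id and hpet_index being assigned. Please confirm that info is zeroed or otherwise fully initialised above this context, and say so in the changelog, so the callbacks never read uninitialised memory through the new pointer.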
--
2.4.0.rc3.3.g6eb1401
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [RFC][PATCH] x86/hpet: fix NULL pointer dereference in msi_domain_alloc_irqs()
2015-05-12 4:14 ` Sergey Senozhatsky
@ 2015-05-13 6:02 ` Jiang Liu
2015-05-13 7:54 ` [tip:x86/apic] x86/hpet: Pass proper pointer to irq_alloc_info tip-bot for Sergey Senozhatsky
1 sibling, 0 replies; 4+ messages in thread
From: Jiang Liu @ 2015-05-13 6:02 UTC (permalink / raw)
To: Sergey Senozhatsky, Thomas Gleixner
Cc: Ingo Molnar, H. Peter Anvin, x86, linux-kernel, Sergey Senozhatsky
On 2015/5/12 12:14, Sergey Senozhatsky wrote:
>> directly call __irq_domain_alloc_irqs() in hpet_assign_irq() and pass
>> correct `arg' to fix the oops.
>>
>
> oh, what I was thinking about... it should be as simple as this.
>
> 8<-----8<-----
>
> From 8be2eb548cefc788c87b05da22176b7360c6aca9 Mon Sep 17 00:00:00 2001
> From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
> Date: Mon, 11 May 2015 18:56:49 +0900
> Subject: [PATCH] x86/hpet: fix NULL pointer dereference in
> msi_domain_alloc_irqs()
>
> Fix the following oops:
> hpet_msi_get_hwirq+0x1f/0x27
> msi_domain_alloc+0x35/0xfe
> ? trace_hardirqs_on_caller+0x16c/0x188
> irq_domain_alloc_irqs_recursive+0x51/0x95
> __irq_domain_alloc_irqs+0x151/0x223
> hpet_assign_irq+0x5d/0x68
> hpet_msi_capability_lookup+0x121/0x1cb
> ? hpet_enable+0x2b4/0x2b4
> hpet_late_init+0x5f/0xf2
> ? hpet_enable+0x2b4/0x2b4
> do_one_initcall+0x184/0x199
> kernel_init_freeable+0x1af/0x237
> ? rest_init+0x13a/0x13a
> kernel_init+0xe/0xd4
> ret_from_fork+0x3f/0x70
> ? rest_init+0x13a/0x13a
>
> since 3cb96f0c9733 ('x86/hpet: Enhance HPET IRQ to support hierarchical
> irqdomains') hpet_msi_capability_lookup() uses hpet_assign_irq(). the
> latter discards `irq_alloc_info info' param and instead passes NULL to
> __irq_domain_alloc_irqs() as `arg'. __irq_domain_alloc_irqs() invokes
> irq_domain_alloc_irqs_recursive(), which msi_domain_alloc_irqs() and,
> eventually, accesses `arg->hpet_index' in hpet_msi_get_hwirq().
>
> pass a correct `irq_alloc_info info' pointer to irq_domain_alloc_irqs()
> in hpet_assign_irq() to fix the oops.
>
> Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
> ---
> arch/x86/kernel/apic/msi.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c
> index 58fde66..ef516af 100644
> --- a/arch/x86/kernel/apic/msi.c
> +++ b/arch/x86/kernel/apic/msi.c
> @@ -351,6 +351,6 @@ int hpet_assign_irq(struct irq_domain *domain, struct hpet_dev *dev,
> info.hpet_id = hpet_dev_id(domain);
> info.hpet_index = dev_num;
>
> - return irq_domain_alloc_irqs(domain, 1, NUMA_NO_NODE, NULL);
> + return irq_domain_alloc_irqs(domain, 1, NUMA_NO_NODE, &info);
> }
> #endif
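Review bot: The added line hands out the address of info and the function returns straight away, so if info is a local of hpet_assign_irq() the pointer is only valid while irq_domain_alloc_irqs() is running. It is worth checking that none of the callbacks in the allocation path keep the pointer after they return, and a one-line comment at the call stating that the data is consumed during the call would document that assumption.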
Hi Sergey,
My fault, I have prepared 'info' without actually passing it to
irq_domain_alloc_irqs().
Thanks for fixing it.
Reviewed-by: Jiang Liu <jiang.liu@linux.intel.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [tip:x86/apic] x86/hpet: Pass proper pointer to irq_alloc_info
2015-05-12 4:14 ` Sergey Senozhatsky
2015-05-13 6:02 ` Jiang Liu
@ 2015-05-13 7:54 ` tip-bot for Sergey Senozhatsky
1 sibling, 0 replies; 4+ messages in thread
From: tip-bot for Sergey Senozhatsky @ 2015-05-13 7:54 UTC (permalink / raw)
To: linux-tip-commits
Cc: sergey.senozhatsky.work, jiang.liu, mingo, hpa, linux-kernel,
tglx, sergey.senozhatsky
Commit-ID: 4a00c95dcdba45c9592af2e908c0816fd54f5544
Gitweb: http://git.kernel.org/tip/4a00c95dcdba45c9592af2e908c0816fd54f5544
Author: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
AuthorDate: Mon, 11 May 2015 18:56:49 +0900
Committer: Thomas Gleixner <tglx@linutronix.de>
CommitDate: Wed, 13 May 2015 09:50:24 +0200
x86/hpet: Pass proper pointer to irq_alloc_info
Fix the following oops:
hpet_msi_get_hwirq+0x1f/0x27
msi_domain_alloc+0x35/0xfe
? trace_hardirqs_on_caller+0x16c/0x188
irq_domain_alloc_irqs_recursive+0x51/0x95
__irq_domain_alloc_irqs+0x151/0x223
hpet_assign_irq+0x5d/0x68
hpet_msi_capability_lookup+0x121/0x1cb
? hpet_enable+0x2b4/0x2b4
hpet_late_init+0x5f/0xf2
? hpet_enable+0x2b4/0x2b4
do_one_initcall+0x184/0x199
kernel_init_freeable+0x1af/0x237
? rest_init+0x13a/0x13a
kernel_init+0xe/0xd4
ret_from_fork+0x3f/0x70
? rest_init+0x13a/0x13a
Since 3cb96f0c9733 ('x86/hpet: Enhance HPET IRQ to support
hierarchical irqdomains') hpet_msi_capability_lookup() uses
hpet_assign_irq(). The latter initializes irq_alloc_info on stack, but
passes a NULL pointer to irq_domain_alloc_irqs(), which causes a NULL
pointer dereference later in hpet_msi_get_hwirq().
Pass the pointer to the irq_alloc_info to irq_domain_alloc_irqs().
Fixes: 3cb96f0c9733 'x86/hpet: Enhance HPET IRQ to support hierarchical irqdomains'
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Reviewed-by: Jiang Liu <jiang.liu@linux.intel.com>
Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Link: http://lkml.kernel.org/r/20150512041444.GA1094@swordfish
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
arch/x86/kernel/apic/msi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c
index 58fde66..ef516af 100644
--- a/arch/x86/kernel/apic/msi.c
+++ b/arch/x86/kernel/apic/msi.c
@@ -351,6 +351,6 @@ int hpet_assign_irq(struct irq_domain *domain, struct hpet_dev *dev,
info.hpet_id = hpet_dev_id(domain);
info.hpet_index = dev_num;
- return irq_domain_alloc_irqs(domain, 1, NUMA_NO_NODE, NULL);
+ return irq_domain_alloc_irqs(domain, 1, NUMA_NO_NODE, &info);
}
#endif
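Review bot: The changed call fixes this one caller, but the removed line shows that NULL in the last argument was accepted without any diagnostic, so a future caller can repeat the mistake and hit the same oops. Consider a NULL test or WARN_ON() on the argument in the HPET get_hwirq callback named in the trace, so that a missing irq_alloc_info fails the allocation with an error instead of faulting during boot.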
^ permalink raw reply related [flat|nested] 4+ messages in thread
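The call chain described in the commit message, as a user-space C model added here (not kernel code and not from the patch author or the kernel tree): the caller fills an info structure, an opaque `void *arg` is forwarded through a middle layer, and the callback reads `hpet_index` from it. All `model_*` names are hypothetical, and the NULL test in the callback is an addition of this model, not part of the committed fix.

```c
/* User-space model (constructed, not kernel code) of the oops call chain:
 * an opaque void *arg is forwarded to a callback that reads hpet_index.
 * Every model_* name is hypothetical. */
#include <errno.h>
#include <stddef.h>

struct model_alloc_info {          /* stands in for struct irq_alloc_info */
    int hpet_id;
    int hpet_index;
};

typedef long (*model_get_hwirq_t)(void *arg);

/* Callee. The kernel function named in the trace reads arg->hpet_index
 * directly; this model adds a NULL test so a bad arg becomes -EINVAL. */
static long model_hpet_get_hwirq(void *arg)
{
    struct model_alloc_info *info = arg;

    if (info == NULL)
        return -EINVAL;
    return info->hpet_index;
}

/* Middle layer: forwards arg untouched. Because the parameter is void *,
 * the compiler accepts NULL here and cannot flag the caller's mistake. */
static long model_domain_alloc(model_get_hwirq_t get_hwirq, void *arg)
{
    return get_hwirq(arg);
}

/* Caller: fills info, then passes NULL (the bug) or &info (the fix). */
long model_hpet_assign_irq(int hpet_id, int dev_num, int pass_info)
{
    struct model_alloc_info info = { .hpet_id = hpet_id,
                                     .hpet_index = dev_num };

    return model_domain_alloc(model_hpet_get_hwirq,
                              pass_info ? &info : NULL);
}

int main(void)
{
    /* Fixed call yields the index; buggy call is rejected, not a crash. */
    return (model_hpet_assign_irq(0, 3, 1) == 3 &&
            model_hpet_assign_irq(0, 3, 0) == -EINVAL) ? 0 : 1;
}
```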