GIT Browse > SLE12-SP4-AZURE
author: Michal Suchanek <msuchanek@suse.de>, 2019-06-10 19:03:59 +0200
committer: Michal Suchanek <msuchanek@suse.de>, 2019-06-10 19:04:05 +0200
commit: 4da32851165817ec39d636df9e085ea0586083ee
tree: 27b77f35acabb8c22cff8dec284eb341be029a5f
parent: 4862a16157004184c11c294a64e4c8c977a06ca0
powerpc/msi: Fix NULL pointer access in teardown code
(bsc#1065729).
-rw-r--r-- patches.arch/powerpc-msi-Fix-NULL-pointer-access-in-teardown-code.patch | 58
-rw-r--r-- series.conf | 1
2 files changed, 59 insertions, 0 deletions
diff --git a/patches.arch/powerpc-msi-Fix-NULL-pointer-access-in-teardown-code.patch b/patches.arch/powerpc-msi-Fix-NULL-pointer-access-in-teardown-code.patch
new file mode 100644
index 0000000000..d7e962770e
--- /dev/null
+++ b/patches.arch/powerpc-msi-Fix-NULL-pointer-access-in-teardown-code.patch
@@ -0,0 +1,58 @@
+From 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa Mon Sep 17 00:00:00 2001
+From: Radu Rendec <radu.rendec@gmail.com>
+Date: Tue, 27 Nov 2018 22:20:48 -0500
+Subject: [PATCH] powerpc/msi: Fix NULL pointer access in teardown code
+
+References: bsc#1065729
+Patch-mainline: v4.20-rc7
+Git-commit: 78e7b15e17ac175e7eed9e21c6f92d03d3b0a6fa
+
+The arch_teardown_msi_irqs() function assumes that controller ops
+pointers were already checked in arch_setup_msi_irqs(), but this
+assumption is wrong: arch_teardown_msi_irqs() can be called even when
+arch_setup_msi_irqs() returns an error (-ENOSYS).
+
+This can happen in the following scenario:
+ - msi_capability_init() calls pci_msi_setup_msi_irqs()
+ - pci_msi_setup_msi_irqs() returns -ENOSYS
+ - msi_capability_init() notices the error and calls free_msi_irqs()
+ - free_msi_irqs() calls pci_msi_teardown_msi_irqs()
+
+This is easier to see when CONFIG_PCI_MSI_IRQ_DOMAIN is not set and
+pci_msi_setup_msi_irqs() and pci_msi_teardown_msi_irqs() are just
+aliases to arch_setup_msi_irqs() and arch_teardown_msi_irqs().
+
+The call to free_msi_irqs() upon pci_msi_setup_msi_irqs() failure
+seems legit, as it does additional cleanup; e.g.
+list_del(&entry->list) and kfree(entry) inside free_msi_irqs() do
+happen (MSI descriptors are allocated before pci_msi_setup_msi_irqs()
+is called and need to be cleaned up if that fails).
+
+Fixes: 6b2fd7efeb88 ("PCI/MSI/PPC: Remove arch_msi_check_device()")
+Cc: stable@vger.kernel.org # v3.18+
+Signed-off-by: Radu Rendec <radu.rendec@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Michal Suchanek <msuchanek@suse.de>
+---
+ arch/powerpc/kernel/msi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/msi.c b/arch/powerpc/kernel/msi.c
+index dab616a33b8d..f2197654be07 100644
+--- a/arch/powerpc/kernel/msi.c
++++ b/arch/powerpc/kernel/msi.c
+@@ -34,5 +34,10 @@ void arch_teardown_msi_irqs(struct pci_dev *dev)
+ {
+ struct pci_controller *phb = pci_bus_to_host(dev->bus);
+
+- phb->controller_ops.teardown_msi_irqs(dev);
++ /*
++ * We can be called even when arch_setup_msi_irqs() returns -ENOSYS,
++ * so check the pointer again.
++ */
++ if (phb->controller_ops.teardown_msi_irqs)
++ phb->controller_ops.teardown_msi_irqs(dev);
+ }
+--
+2.20.1
+
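Review bot: In the arch/powerpc/kernel/msi.c hunk carried by this patch file, the new guard covers only `controller_ops.teardown_msi_irqs`, while `phb`, the result of `pci_bus_to_host(dev->bus)`, is still dereferenced unconditionally on the same error path. The description establishes that teardown can run after arch_setup_msi_irqs() returned -ENOSYS, but nothing in the visible lines says `phb` is guaranteed non-NULL at that point. Either state that guarantee in the added comment, or extend the condition to `if (phb && phb->controller_ops.teardown_msi_irqs)`. The silent return when the callback is absent looks intentional, since the message notes that free_msi_irqs() still performs the `list_del(&entry->list)` and `kfree(entry)` cleanup; saying so in the code comment as well would make it clear that skipping the controller callback leaves nothing behind.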
diff --git a/series.conf b/series.conf
index 5fbae3ec46..b957c73fc2 100644
--- a/series.conf
+++ b/series.conf
@@ -20437,6 +20437,7 @@
patches.drm/0001-drm-nouveau-kms-Fix-memory-leak-in-nv50_mstm_del.patch
patches.drivers/pinctrl-meson-fix-pull-enable-register-calculation.patch
patches.drivers/pinctrl-sunxi-a83t-Fix-IRQ-offset-typo-for-PH11.patch
+ patches.arch/powerpc-msi-Fix-NULL-pointer-access-in-teardown-code.patch
patches.arch/powerpc-boot-Fix-build-failures-with-j-1.patch
patches.fixes/0011-arm64-dma-mapping-Fix-FORCE_CONTIGUOUS-buffer-cleari.patch
patches.fixes/aio-fix-spectre-gadget-in-lookup_ioctx.patch