PCI/MSI: Handle msi_populate_sysfs() errors correctly

Previously, when msi_populate_sysfs() failed, we saved the error return value as dev->msi_irq_groups, which leads to a page fault when free_msi_irqs() calls msi_destroy_sysfs(). To prevent this, leave dev->msi_irq_groups alone when msi_populate_sysfs() fails. Found by the Hulk Robot when injecting a memory allocation fault in msi_populate_sysfs(): BUG: unable to handle page fault for address: fffffffffffffff4 ... Call Trace: msi_destroy_sysfs+0x30/0xa0 free_msi_irqs+0x11d/0x1b0 Fixes: 2f170814 ("genirq/msi: Move MSI sysfs handling from PCI to MSI core") Link: https://lore.kernel.org/r/20211012071556.939137-1-wanghai38@huawei.comReported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai38@huawei.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Acked-by: Barry Song <song.bao.hua@hisilicon.com>

PCI/MSI: Handle msi_populate_sysfs() errors correctly
Previously, when msi_populate_sysfs() failed, we saved the error return value as dev->msi_irq_groups, which leads to a page fault when free_msi_irqs() calls msi_destroy_sysfs(). To prevent this, leave dev->msi_irq_groups alone when msi_populate_sysfs() fails. Found by the Hulk Robot when injecting a memory allocation fault in msi_populate_sysfs(): BUG: unable to handle page fault for address: fffffffffffffff4 ... Call Trace: msi_destroy_sysfs+0x30/0xa0 free_msi_irqs+0x11d/0x1b0 Fixes: 2f170814 ("genirq/msi: Move MSI sysfs handling from PCI to MSI core") Link: https://lore.kernel.org/r/20211012071556.939137-1-wanghai38@huawei.comReported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai38@huawei.com> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Acked-by: Barry Song <song.bao.hua@hisilicon.com>
2b94b6b7 · Wang Hai · Bjorn Helgaas · e4e737bb · 2b94b6b7
Commit 2b94b6b7 authored Oct 12, 2021 by Wang Hai Committed by Bjorn Helgaas Oct 12, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 6 deletions

drivers/pci/msi.c drivers/pci/msi.c +12 -6

No files found.
--- a/drivers/pci/msi.c
+++ b/drivers/pci/msi.c
@@ -535,6 +535,7 @@ static int msi_verify_entries(struct pci_dev *dev)
 static int msi_capability_init(struct pci_dev *dev, int nvec,
 			       struct irq_affinity *affd)
 {
+	const struct attribute_group **groups;
 	struct msi_desc *entry;
 	int ret;
@@ -558,12 +559,14 @@ static int msi_capability_init(struct pci_dev *dev, int nvec,
 	if (ret)
 		goto err;
-	dev->msi_irq_groups = msi_populate_sysfs(&dev->dev);
+	groups = msi_populate_sysfs(&dev->dev);
-	if (IS_ERR(dev->msi_irq_groups)) {
+	if (IS_ERR(groups)) {
-		ret = PTR_ERR(dev->msi_irq_groups);
+		ret = PTR_ERR(groups);
 		goto err;
 	}
+	dev->msi_irq_groups = groups;
 	/* Set MSI enabled bits	*/
 	pci_intx_for_msi(dev, 0);
 	pci_msi_set_enable(dev, 1);
@@ -691,6 +694,7 @@ static void msix_mask_all(void __iomem *base, int tsize)
 static int msix_capability_init(struct pci_dev *dev, struct msix_entry *entries,
 				int nvec, struct irq_affinity *affd)
 {
+	const struct attribute_group **groups;
 	void __iomem *base;
 	int ret, tsize;
 	u16 control;
@@ -730,12 +734,14 @@ static int msix_capability_init(struct pci_dev *dev, struct msix_entry *entries,
 	msix_update_entries(dev, entries);
-	dev->msi_irq_groups = msi_populate_sysfs(&dev->dev);
+	groups = msi_populate_sysfs(&dev->dev);
-	if (IS_ERR(dev->msi_irq_groups)) {
+	if (IS_ERR(groups)) {
-		ret = PTR_ERR(dev->msi_irq_groups);
+		ret = PTR_ERR(groups);
 		goto out_free;
 	}
+	dev->msi_irq_groups = groups;
 	/* Set MSI-X enabled bits and unmask the function */
 	pci_intx_for_msi(dev, 0);
 	dev->msix_enabled = 1;