x86/apic/vector: Handle legacy irq data correctly

The backport of upstream commit 45d55e7b ("x86/apic/vector: Fix off by one in error path") missed to fixup the legacy interrupt data which is not longer available upstream. Handle legacy irq data correctly by clearing the legacy storage to prevent use after free. Fixes: 7fd13353 ("x86/apic/vector: Fix off by one in error path") - 4.4.y Fixes: c557481a ("x86/apic/vector: Fix off by one in error path") - 4.9.y Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

x86/apic/vector: Handle legacy irq data correctly
The backport of upstream commit 45d55e7b ("x86/apic/vector: Fix off by one in error path") missed to fixup the legacy interrupt data which is not longer available upstream. Handle legacy irq data correctly by clearing the legacy storage to prevent use after free. Fixes: 7fd13353 ("x86/apic/vector: Fix off by one in error path") - 4.4.y Fixes: c557481a ("x86/apic/vector: Fix off by one in error path") - 4.9.y Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
6bde0940 · Thomas Gleixner · Greg Kroah-Hartman · c86bfc7b · 6bde0940
Commit 6bde0940 authored Mar 07, 2018 by Thomas Gleixner Committed by Greg Kroah-Hartman Mar 11, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 7 deletions

arch/x86/kernel/apic/vector.c arch/x86/kernel/apic/vector.c +7 -7

No files found.
--- a/arch/x86/kernel/apic/vector.c
+++ b/arch/x86/kernel/apic/vector.c
@@ -91,8 +91,12 @@ static struct apic_chip_data *alloc_apic_chip_data(int node)
 	return NULL;
 }
-static void free_apic_chip_data(struct apic_chip_data *data)
+static void free_apic_chip_data(unsigned int virq, struct apic_chip_data *data)
 {
+#ifdef	CONFIG_X86_IO_APIC
+	if (virq  < nr_legacy_irqs())
+		legacy_irq_data[virq] = NULL;
+#endif
 	if (data) {
 		free_cpumask_var(data->domain);
 		free_cpumask_var(data->old_domain);
@@ -316,11 +320,7 @@ static void x86_vector_free_irqs(struct irq_domain *domain,
 			apic_data = irq_data->chip_data;
 			irq_domain_reset_irq_data(irq_data);
 			raw_spin_unlock_irqrestore(&vector_lock, flags);
-			free_apic_chip_data(apic_data);
+			free_apic_chip_data(virq + i, apic_data);
-#ifdef	CONFIG_X86_IO_APIC
-			if (virq + i < nr_legacy_irqs())
-				legacy_irq_data[virq + i] = NULL;
-#endif
 		}
 	}
 }
@@ -361,7 +361,7 @@ static int x86_vector_alloc_irqs(struct irq_domain *domain, unsigned int virq,
 		err = assign_irq_vector_policy(virq + i, node, data, info);
 		if (err) {
 			irq_data->chip_data = NULL;
-			free_apic_chip_data(data);
+			free_apic_chip_data(virq + i, data);
 			goto error;
 		}
 	}