Commit c0c489e5 authored by Thomas Gleixner's avatar Thomas Gleixner Committed by Greg Kroah-Hartman

irqdomain/treewide: Keep firmware node unconditionally allocated

[ Upstream commit e3beca48 ]

Quite some non OF/ACPI users of irqdomains allocate firmware nodes of type
IRQCHIP_FWNODE_NAMED or IRQCHIP_FWNODE_NAMED_ID and free them right after
creating the irqdomain. The only purpose of these FW nodes is to convey
name information. When this was introduced the core code did not store the
pointer to the node in the irqdomain. A recent change stored the firmware
node pointer in irqdomain for other reasons and missed to notice that the
usage sites which do the alloc_fwnode/create_domain/free_fwnode sequence
are broken by this. Storing a dangling pointer is dangerous itself, but in
case that the domain is destroyed later on this leads to a double free.

Remove the freeing of the firmware node after creating the irqdomain from
all affected call sites to cure this.

Fixes: 711419e5 ("irqdomain: Add the missing assignment of domain->fwnode for named fwnode")
Reported-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Acked-by: default avatarBjorn Helgaas <bhelgaas@google.com>
Acked-by: default avatarMarc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/873661qakd.fsf@nanos.tec.linutronix.deSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 02c4ddf1
...@@ -2323,12 +2323,12 @@ static int mp_irqdomain_create(int ioapic) ...@@ -2323,12 +2323,12 @@ static int mp_irqdomain_create(int ioapic)
ip->irqdomain = irq_domain_create_linear(fn, hwirqs, cfg->ops, ip->irqdomain = irq_domain_create_linear(fn, hwirqs, cfg->ops,
(void *)(long)ioapic); (void *)(long)ioapic);
/* Release fw handle if it was allocated above */ if (!ip->irqdomain) {
if (!cfg->dev) /* Release fw handle if it was allocated above */
irq_domain_free_fwnode(fn); if (!cfg->dev)
irq_domain_free_fwnode(fn);
if (!ip->irqdomain)
return -ENOMEM; return -ENOMEM;
}
ip->irqdomain->parent = parent; ip->irqdomain->parent = parent;
......
...@@ -265,12 +265,13 @@ void __init arch_init_msi_domain(struct irq_domain *parent) ...@@ -265,12 +265,13 @@ void __init arch_init_msi_domain(struct irq_domain *parent)
msi_default_domain = msi_default_domain =
pci_msi_create_irq_domain(fn, &pci_msi_domain_info, pci_msi_create_irq_domain(fn, &pci_msi_domain_info,
parent); parent);
irq_domain_free_fwnode(fn);
} }
if (!msi_default_domain) if (!msi_default_domain) {
irq_domain_free_fwnode(fn);
pr_warn("failed to initialize irqdomain for MSI/MSI-x.\n"); pr_warn("failed to initialize irqdomain for MSI/MSI-x.\n");
else } else {
msi_default_domain->flags |= IRQ_DOMAIN_MSI_NOMASK_QUIRK; msi_default_domain->flags |= IRQ_DOMAIN_MSI_NOMASK_QUIRK;
}
} }
#ifdef CONFIG_IRQ_REMAP #ifdef CONFIG_IRQ_REMAP
...@@ -303,7 +304,8 @@ struct irq_domain *arch_create_remap_msi_irq_domain(struct irq_domain *parent, ...@@ -303,7 +304,8 @@ struct irq_domain *arch_create_remap_msi_irq_domain(struct irq_domain *parent,
if (!fn) if (!fn)
return NULL; return NULL;
d = pci_msi_create_irq_domain(fn, &pci_msi_ir_domain_info, parent); d = pci_msi_create_irq_domain(fn, &pci_msi_ir_domain_info, parent);
irq_domain_free_fwnode(fn); if (!d)
irq_domain_free_fwnode(fn);
return d; return d;
} }
#endif #endif
...@@ -366,7 +368,8 @@ static struct irq_domain *dmar_get_irq_domain(void) ...@@ -366,7 +368,8 @@ static struct irq_domain *dmar_get_irq_domain(void)
if (fn) { if (fn) {
dmar_domain = msi_create_irq_domain(fn, &dmar_msi_domain_info, dmar_domain = msi_create_irq_domain(fn, &dmar_msi_domain_info,
x86_vector_domain); x86_vector_domain);
irq_domain_free_fwnode(fn); if (!dmar_domain)
irq_domain_free_fwnode(fn);
} }
out: out:
mutex_unlock(&dmar_lock); mutex_unlock(&dmar_lock);
...@@ -491,7 +494,10 @@ struct irq_domain *hpet_create_irq_domain(int hpet_id) ...@@ -491,7 +494,10 @@ struct irq_domain *hpet_create_irq_domain(int hpet_id)
} }
d = msi_create_irq_domain(fn, domain_info, parent); d = msi_create_irq_domain(fn, domain_info, parent);
irq_domain_free_fwnode(fn); if (!d) {
irq_domain_free_fwnode(fn);
kfree(domain_info);
}
return d; return d;
} }
......
...@@ -703,7 +703,6 @@ int __init arch_early_irq_init(void) ...@@ -703,7 +703,6 @@ int __init arch_early_irq_init(void)
x86_vector_domain = irq_domain_create_tree(fn, &x86_vector_domain_ops, x86_vector_domain = irq_domain_create_tree(fn, &x86_vector_domain_ops,
NULL); NULL);
BUG_ON(x86_vector_domain == NULL); BUG_ON(x86_vector_domain == NULL);
irq_domain_free_fwnode(fn);
irq_set_default_host(x86_vector_domain); irq_set_default_host(x86_vector_domain);
arch_init_msi_domain(x86_vector_domain); arch_init_msi_domain(x86_vector_domain);
......
...@@ -167,9 +167,10 @@ static struct irq_domain *uv_get_irq_domain(void) ...@@ -167,9 +167,10 @@ static struct irq_domain *uv_get_irq_domain(void)
goto out; goto out;
uv_domain = irq_domain_create_tree(fn, &uv_domain_ops, NULL); uv_domain = irq_domain_create_tree(fn, &uv_domain_ops, NULL);
irq_domain_free_fwnode(fn);
if (uv_domain) if (uv_domain)
uv_domain->parent = x86_vector_domain; uv_domain->parent = x86_vector_domain;
else
irq_domain_free_fwnode(fn);
out: out:
mutex_unlock(&uv_lock); mutex_unlock(&uv_lock);
......
...@@ -4508,9 +4508,10 @@ int amd_iommu_create_irq_domain(struct amd_iommu *iommu) ...@@ -4508,9 +4508,10 @@ int amd_iommu_create_irq_domain(struct amd_iommu *iommu)
if (!fn) if (!fn)
return -ENOMEM; return -ENOMEM;
iommu->ir_domain = irq_domain_create_tree(fn, &amd_ir_domain_ops, iommu); iommu->ir_domain = irq_domain_create_tree(fn, &amd_ir_domain_ops, iommu);
irq_domain_free_fwnode(fn); if (!iommu->ir_domain) {
if (!iommu->ir_domain) irq_domain_free_fwnode(fn);
return -ENOMEM; return -ENOMEM;
}
iommu->ir_domain->parent = arch_get_ir_parent_domain(); iommu->ir_domain->parent = arch_get_ir_parent_domain();
iommu->msi_domain = arch_create_remap_msi_irq_domain(iommu->ir_domain, iommu->msi_domain = arch_create_remap_msi_irq_domain(iommu->ir_domain,
......
...@@ -536,8 +536,8 @@ static int intel_setup_irq_remapping(struct intel_iommu *iommu) ...@@ -536,8 +536,8 @@ static int intel_setup_irq_remapping(struct intel_iommu *iommu)
0, INTR_REMAP_TABLE_ENTRIES, 0, INTR_REMAP_TABLE_ENTRIES,
fn, &intel_ir_domain_ops, fn, &intel_ir_domain_ops,
iommu); iommu);
irq_domain_free_fwnode(fn);
if (!iommu->ir_domain) { if (!iommu->ir_domain) {
irq_domain_free_fwnode(fn);
pr_err("IR%d: failed to allocate irqdomain\n", iommu->seq_id); pr_err("IR%d: failed to allocate irqdomain\n", iommu->seq_id);
goto out_free_bitmap; goto out_free_bitmap;
} }
......
...@@ -704,9 +704,10 @@ static int vmd_enable_domain(struct vmd_dev *vmd, unsigned long features) ...@@ -704,9 +704,10 @@ static int vmd_enable_domain(struct vmd_dev *vmd, unsigned long features)
vmd->irq_domain = pci_msi_create_irq_domain(fn, &vmd_msi_domain_info, vmd->irq_domain = pci_msi_create_irq_domain(fn, &vmd_msi_domain_info,
x86_vector_domain); x86_vector_domain);
irq_domain_free_fwnode(fn); if (!vmd->irq_domain) {
if (!vmd->irq_domain) irq_domain_free_fwnode(fn);
return -ENODEV; return -ENODEV;
}
pci_add_resource(&resources, &vmd->resources[0]); pci_add_resource(&resources, &vmd->resources[0]);
pci_add_resource_offset(&resources, &vmd->resources[1], offset[0]); pci_add_resource_offset(&resources, &vmd->resources[1], offset[0]);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment