On Wed, 2018-11-28 at 03:20:48 UTC, Radu Rendec wrote:
> The arch_teardown_msi_irqs() function assumes that controller ops
> pointers were already checked in arch_setup_msi_irqs(), but this
> assumption is wrong: arch_teardown_msi_irqs() can be called even when
> arch_setup_msi_irqs() returns an error (-ENOSYS).
>
> This can happen in the following scenario:
>
>   * msi_capability_init() calls pci_msi_setup_msi_irqs()
>   * pci_msi_setup_msi_irqs() returns -ENOSYS
>   * msi_capability_init() notices the error and calls free_msi_irqs()
>   * free_msi_irqs() calls pci_msi_teardown_msi_irqs()
>
> This is easier to see when CONFIG_PCI_MSI_IRQ_DOMAIN is not set and
> pci_msi_setup_msi_irqs() and pci_msi_teardown_msi_irqs() are just
> aliases to arch_setup_msi_irqs() and arch_teardown_msi_irqs().
>
> The call to free_msi_irqs() upon pci_msi_setup_msi_irqs() failure seems
> legit, as it does additional cleanup; e.g. list_del(&entry->list) and
> kfree(entry) inside free_msi_irqs() do happen (MSI descriptors are
> allocated before pci_msi_setup_msi_irqs() is called and need to be
> cleaned up if that fails).
>
> Signed-off-by: Radu Rendec <radu.ren...@gmail.com>

Applied to powerpc fixes, thanks.

https://git.kernel.org/powerpc/c/78e7b15e17ac175e7eed9e21c6f92d

cheers
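
The failure path from the quoted commit message, as an added user-space C model (not the kernel source and not the applied patch). The `model_` names and the exact form of the NULL checks are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: model_* names are hypothetical, not kernel symbols. */
struct model_controller_ops {
    int  (*setup_msi_irqs)(int nvec);
    void (*teardown_msi_irqs)(void);
};

static int teardown_calls;  /* counts real teardown callbacks */
static int  model_hw_setup(int nvec) { return nvec > 0 ? 0 : -EINVAL; }
static void model_hw_teardown(void)  { teardown_calls++; }

/* Setup checks the ops pointers and reports -ENOSYS when they are missing. */
static int model_arch_setup(const struct model_controller_ops *ops, int nvec)
{
    if (!ops->setup_msi_irqs || !ops->teardown_msi_irqs)
        return -ENOSYS;
    return ops->setup_msi_irqs(nvec);
}

/* Teardown must repeat the check: it is reached even after setup failed. */
static void model_arch_teardown(const struct model_controller_ops *ops)
{
    if (!ops->teardown_msi_irqs)
        return;             /* without this, the call below goes through NULL */
    ops->teardown_msi_irqs();
}

/* Mirrors msi_capability_init(): on error, free_msi_irqs() runs teardown. */
static int model_capability_init(const struct model_controller_ops *ops, int nvec)
{
    int ret = model_arch_setup(ops, nvec);
    if (ret)
        model_arch_teardown(ops);
    return ret;
}

int main(void)
{
    struct model_controller_ops none = { NULL, NULL };
    struct model_controller_ops ok = { model_hw_setup, model_hw_teardown };
    printf("no ops: ret=%d\n", model_capability_init(&none, 1));
    printf("bad nvec: ret=%d teardown_calls=%d\n",
           model_capability_init(&ok, 0), teardown_calls);
    return 0;
}
```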