From: Nam Cao
To: Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Christophe Leroy, Gautam Menghani, Cédric Le Goater, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
Cc: Nam Cao, stable@vger.kernel.org
Subject: [PATCH 1/2] powerpc/pseries/msi: Fix potential underflow and leak issue
Date: Mon, 4 Aug 2025 12:07:27 +0200

pseries_irq_domain_alloc() allocates interrupts at parent's interrupt domain. If it fails in the process, all allocated interrupts are freed.

The number of successfully allocated interrupts so far is stored in "i". However, "i - 1" interrupts are freed. This is broken:

- One interrupt is not freed
- If "i" is zero, "i - 1" wraps around

Correct the number of freed interrupts to 'i'.

Fixes: a5f3d2c17b07 ("powerpc/pseries/pci: Add MSI domains")
Signed-off-by: Nam Cao
Cc: stable@vger.kernel.org
Reviewed-by: Cédric Le Goater
--- arch/powerpc/platforms/pseries/msi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/platforms/pseries/msi.c b/arch/powerpc/platforms/= pseries/msi.c index ee1c8c6898a3..9dc294de631f 100644 --- a/arch/powerpc/platforms/pseries/msi.c +++ b/arch/powerpc/platforms/pseries/msi.c
@@ -593,7 +593,7 @@ static int pseries_irq_domain_alloc(struct irq_domain *= domain, unsigned int virq =20 out: /* TODO: handle RTAS cleanup in ->msi_finish() ? */ - irq_domain_free_irqs_parent(domain, virq, i - 1); + irq_domain_free_irqs_parent(domain, virq, i); return ret; } =20 --=20 2.39.5
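Review bot: in the out: path of pseries_irq_domain_alloc() in patch 1/2, the new call irq_domain_free_irqs_parent(domain, virq, i) is still made when "i" is zero, which is the case the commit message describes for a failure on the first allocation. The hunk does not show the loop, so please confirm that the parent free accepts a zero count, or skip the call with an "if (i)" guard, and that "i" only advances after an iteration has fully succeeded so the count matches what was actually allocated. The TODO about RTAS cleanup directly above the changed line is left open; a sentence in the commit message on whether it is affected by the corrected count would help stable reviewers.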
From: Nam Cao
To: Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin, Christophe Leroy, Gautam Menghani, Cédric Le Goater, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
Cc: Nam Cao, stable@vger.kernel.org
Subject: [PATCH 2/2] powerpc/powernv/pci: Fix underflow and leak issue
Date: Mon, 4 Aug 2025 12:07:28 +0200
Message-Id: <70f8debe8688e0b467367db769b71c20146a836d.1754300646.git.namcao@linutronix.de>

pnv_irq_domain_alloc() allocates interrupts at parent's interrupt domain. If it fails in the process, all allocated interrupts are freed.

The number of successfully allocated interrupts so far is stored in "i". However, "i - 1" interrupts are freed. This is broken:

- One interrupt is not freed
- If "i" is zero, "i - 1" wraps around

Correct the number of freed interrupts to "i".

Fixes: 0fcfe2247e75 ("powerpc/powernv/pci: Add MSI domains")
Signed-off-by: Nam Cao
Cc: stable@vger.kernel.org
--- arch/powerpc/platforms/powernv/pci-ioda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platf= orms/powernv/pci-ioda.c index d8ccf2c9b98a..0166bf39ce1e 100644 --- a/arch/powerpc/platforms/powernv/pci-ioda.c +++ b/arch/powerpc/platforms/powernv/pci-ioda.c @@ -1854,7 +1854,7 @@ static int pnv_irq_domain_alloc(struct irq_domain *do= main, unsigned int virq, return 0; =20 out: - irq_domain_free_irqs_parent(domain, virq, i - 1); + irq_domain_free_irqs_parent(domain, virq, i); msi_bitmap_free_hwirqs(&phb->msi_bmp, hwirq, nr_irqs); return ret; } --=20 2.39.5
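Review bot: the out: path of pnv_irq_domain_alloc() in patch 2/2 now unwinds with two different counts on adjacent lines, "i" for irq_domain_free_irqs_parent() and nr_irqs for msi_bitmap_free_hwirqs(), and nothing in the code explains the difference. If the intent is that only the first "i" parent interrupts exist at this point while the hwirq range was reserved for all nr_irqs, a one-line comment above the two calls saying so would keep a later cleanup from making the counts match. As in 1/2, the parent free is still called when "i" is zero; please confirm a zero count is acceptable there or guard the call.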