From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 19 Nov 2021 14:16:01 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v5.4.161~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9681f9c48edb9e10b296a83eefa5164e080b97a5;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	pci-msi-destroy-sysfs-before-freeing-entries.patch
---

diff --git a/queue-4.14/pci-msi-destroy-sysfs-before-freeing-entries.patch b/queue-4.14/pci-msi-destroy-sysfs-before-freeing-entries.patch
new file mode 100644
index 00000000000..5b6aff409f2
--- /dev/null
+++ b/queue-4.14/pci-msi-destroy-sysfs-before-freeing-entries.patch
@@ -0,0 +1,67 @@
+From 3735459037114d31e5acd9894fad9aed104231a0 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Tue, 9 Nov 2021 14:53:57 +0100
+Subject: PCI/MSI: Destroy sysfs before freeing entries
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 3735459037114d31e5acd9894fad9aed104231a0 upstream.
+
+free_msi_irqs() frees the MSI entries before destroying the sysfs entries
+which are exposing them. Nothing prevents a concurrent free while a sysfs
+file is read and accesses the possibly freed entry.
+
+Move the sysfs release ahead of freeing the entries.
+
+Fixes: 1c51b50c2995 ("PCI/MSI: Export MSI mode using attributes, not kobjects")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Bjorn Helgaas <helgaas@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/87sfw5305m.ffs@tglx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/msi.c |   24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -372,18 +372,6 @@ static void free_msi_irqs(struct pci_dev
+ 			for (i = 0; i < entry->nvec_used; i++)
+ 				BUG_ON(irq_has_action(entry->irq + i));
+ 
+-	pci_msi_teardown_msi_irqs(dev);
+-
+-	list_for_each_entry_safe(entry, tmp, msi_list, list) {
+-		if (entry->msi_attrib.is_msix) {
+-			if (list_is_last(&entry->list, msi_list))
+-				iounmap(entry->mask_base);
+-		}
+-
+-		list_del(&entry->list);
+-		free_msi_entry(entry);
+-	}
+-
+ 	if (dev->msi_irq_groups) {
+ 		sysfs_remove_groups(&dev->dev.kobj, dev->msi_irq_groups);
+ 		msi_attrs = dev->msi_irq_groups[0]->attrs;
+@@ -399,6 +387,18 @@ static void free_msi_irqs(struct pci_dev
+ 		kfree(dev->msi_irq_groups);
+ 		dev->msi_irq_groups = NULL;
+ 	}
++
++	pci_msi_teardown_msi_irqs(dev);
++
++	list_for_each_entry_safe(entry, tmp, msi_list, list) {
++		if (entry->msi_attrib.is_msix) {
++			if (list_is_last(&entry->list, msi_list))
++				iounmap(entry->mask_base);
++		}
++
++		list_del(&entry->list);
++		free_msi_entry(entry);
++	}
+ }
+ 
+ static void pci_intx_for_msi(struct pci_dev *dev, int enable)
diff --git a/queue-4.14/series b/queue-4.14/series
index 31df114f2aa..b7f2ce70eca 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -198,3 +198,4 @@ pci-add-pci_exp_devctl_payload_-macros.patch
 ext4-fix-lazy-initialization-next-schedule-time-computation-in-more-granular-unit.patch
 tracing-resize-tgid_map-to-pid_max-not-pid_max_default.patch
 parisc-entry-fix-trace-test-in-syscall-exit-path.patch
+pci-msi-destroy-sysfs-before-freeing-entries.patch