PCI/MSI: Handle msi_populate_sysfs() errors correctly

Previously, when msi_populate_sysfs() failed, we saved the error return
value as dev->msi_irq_groups, which leads to a page fault when
free_msi_irqs() calls msi_destroy_sysfs().

To prevent this, leave dev->msi_irq_groups alone when msi_populate_sysfs()
fails.

Found by the Hulk Robot when injecting a memory allocation fault in
msi_populate_sysfs():

  BUG: unable to handle page fault for address: fffffffffffffff4
  ...
  Call Trace:
   msi_destroy_sysfs+0x30/0xa0
   free_msi_irqs+0x11d/0x1b0

Fixes: 2f170814bdd2 ("genirq/msi: Move MSI sysfs handling from PCI to MSI core")
Link: https://lore.kernel.org/r/20211012071556.939137-1-wanghai38@huawei.com
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Barry Song <song.bao.hua@hisilicon.com>

diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
index 0099a00..4b47929 100644 (file)
--- a/drivers/pci/msi.c
+++ b/drivers/pci/msi.c
@@ -535,6 +535,7 @@ static int msi_verify_entries(struct pci_dev *dev)
 static int msi_capability_init(struct pci_dev *dev, int nvec,
                               struct irq_affinity *affd)
 {
+       const struct attribute_group **groups;
        struct msi_desc *entry;
        int ret;
 
@@ -558,12 +559,14 @@ static int msi_capability_init(struct pci_dev *dev, int nvec,
        if (ret)
                goto err;
 
-       dev->msi_irq_groups = msi_populate_sysfs(&dev->dev);
-       if (IS_ERR(dev->msi_irq_groups)) {
-               ret = PTR_ERR(dev->msi_irq_groups);
+       groups = msi_populate_sysfs(&dev->dev);
+       if (IS_ERR(groups)) {
+               ret = PTR_ERR(groups);
                goto err;
        }
 
+       dev->msi_irq_groups = groups;
+
        /* Set MSI enabled bits */
        pci_intx_for_msi(dev, 0);
        pci_msi_set_enable(dev, 1);
@@ -691,6 +694,7 @@ static void msix_mask_all(void __iomem *base, int tsize)
 static int msix_capability_init(struct pci_dev *dev, struct msix_entry *entries,
                                int nvec, struct irq_affinity *affd)
 {
+       const struct attribute_group **groups;
        void __iomem *base;
        int ret, tsize;
        u16 control;
@@ -730,12 +734,14 @@ static int msix_capability_init(struct pci_dev *dev, struct msix_entry *entries,
 
        msix_update_entries(dev, entries);
 
-       dev->msi_irq_groups = msi_populate_sysfs(&dev->dev);
-       if (IS_ERR(dev->msi_irq_groups)) {
-               ret = PTR_ERR(dev->msi_irq_groups);
+       groups = msi_populate_sysfs(&dev->dev);
+       if (IS_ERR(groups)) {
+               ret = PTR_ERR(groups);
                goto out_free;
        }
 
+       dev->msi_irq_groups = groups;
+
        /* Set MSI-X enabled bits and unmask the function */
        pci_intx_for_msi(dev, 0);
        dev->msix_enabled = 1;