xen/events: avoid NULL pointer dereference in dom0 on large machines

Using the pvops kernel a NULL pointer dereference was detected on a
large machine (144 processors) when booting as dom0 in
evtchn_fifo_unmask() during assignment of a pirq.

The event channel in question was the first to need a new entry in
event_array[] in events_fifo.c. Unfortunately xen_irq_info_pirq_setup()
is called with evtchn being 0 for a new pirq and the real event channel
number is assigned to the pirq only during __startup_pirq().

It is mandatory to call xen_evtchn_port_setup() after assigning the
event channel number to the pirq to make sure all memory needed for the
event channel is allocated.

Signed-off-by: Juergen Gross <jgross@suse.com>
Cc: <stable@vger.kernel.org> # 3.14+
Signed-off-by: David Vrabel <david.vrabel@citrix.com>

1 files changed, 12 insertions, 6 deletions

diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
index b4bca2d4a7e5..70fba973a107 100644
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -526,20 +526,26 @@ static unsigned int __startup_pirq(unsigned int irq)
         pirq_query_unmask(irq);
 
         rc = set_evtchn_to_irq(evtchn, irq);
-        if (rc != 0) {
-                pr_err("irq%d: Failed to set port to irq mapping (%d)\n",
-                       irq, rc);
-                xen_evtchn_close(evtchn);
-                return 0;
-        }
+        if (rc)
+                goto err;
+
         bind_evtchn_to_cpu(evtchn, 0);
         info->evtchn = evtchn;
 
+        rc = xen_evtchn_port_setup(info);
+        if (rc)
+                goto err;
+
 out:
         unmask_evtchn(evtchn);
         eoi_pirq(irq_get_irq_data(irq));
 
         return 0;
+
+err:
+        pr_err("irq%d: Failed to set port to irq mapping (%d)\n", irq, rc);
+        xen_evtchn_close(evtchn);
+        return 0;
 }
 
 static unsigned int startup_pirq(struct irq_data *data)