The commit 281f1f99cf3a ("PCI: dwc: Detect number of iATU windows") gets the values of pci->num_ib_windows and pci->num_ob_windows from iATU registers instead of DT properties in dw_pcie_iatu_detect_regions*() or its unroll version. However, before the values are set, the allocations in dw_pcie_ep_init() refer them to determine the sizes of window_map. As a result, null pointer dereference exception will occur when linking the EP function and the controller. # ln -s functions/pci_epf_test/test controllers/66000000.pcie-ep/ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 The call trace is as follows: Call trace: _find_next_bit.constprop.1+0xc/0x88 dw_pcie_ep_set_bar+0x78/0x1f8 pci_epc_set_bar+0x9c/0xe8 pci_epf_test_core_init+0xe8/0x220 pci_epf_test_bind+0x1e0/0x378 pci_epf_bind+0x54/0xb0 pci_epc_epf_link+0x58/0x80 configfs_symlink+0x1c0/0x570 vfs_symlink+0xdc/0x198 do_symlinkat+0xa0/0x110 __arm64_sys_symlinkat+0x28/0x38 el0_svc_common+0x84/0x1a0 do_el0_svc+0x38/0x88 el0_svc+0x1c/0x28 el0_sync_handler+0x88/0xb0 el0_sync+0x140/0x180 The pci->num_{ib,ob}_windows should be referenced after they are set by dw_pcie_iatu_detect_regions*() called from dw_pcie_setup(). Cc: Rob Herring <robh@xxxxxxxxxx> Fixes: 281f1f99cf3a ("PCI: dwc: Detect number of iATU windows") Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@xxxxxxxxxxxxx> --- drivers/pci/controller/dwc/pcie-designware-ep.c | 41 ++++++++++++------------- 1 file changed, 20 insertions(+), 21 deletions(-) Changed since v1: - Add description of exception to commit message - Change the subject diff --git a/drivers/pci/controller/dwc/pcie-designware-ep.c b/drivers/pci/controller/dwc/pcie-designware-ep.c index bcd1cd9..adc7ca5 100644 --- a/drivers/pci/controller/dwc/pcie-designware-ep.c +++ b/drivers/pci/controller/dwc/pcie-designware-ep.c @@ -638,6 +638,7 @@ static unsigned int dw_pcie_ep_find_ext_capability(struct dw_pcie *pci, int cap) int dw_pcie_ep_init_complete(struct dw_pcie_ep *ep) { struct dw_pcie *pci = to_dw_pcie_from_ep(ep); + struct device *dev = pci->dev; unsigned int offset; unsigned int nbars; u8 hdr_type; @@ -669,6 +670,25 @@ int dw_pcie_ep_init_complete(struct dw_pcie_ep *ep) dw_pcie_setup(pci); dw_pcie_dbi_ro_wr_dis(pci); + ep->ib_window_map = devm_kcalloc(dev, + BITS_TO_LONGS(pci->num_ib_windows), + sizeof(long), + GFP_KERNEL); + if (!ep->ib_window_map) + return -ENOMEM; + + ep->ob_window_map = devm_kcalloc(dev, + BITS_TO_LONGS(pci->num_ob_windows), + sizeof(long), + GFP_KERNEL); + if (!ep->ob_window_map) + return -ENOMEM; + + ep->outbound_addr = devm_kcalloc(dev, pci->num_ob_windows, sizeof(phys_addr_t), + GFP_KERNEL); + if (!ep->outbound_addr) + return -ENOMEM; + return 0; } EXPORT_SYMBOL_GPL(dw_pcie_ep_init_complete); @@ -676,7 +696,6 @@ EXPORT_SYMBOL_GPL(dw_pcie_ep_init_complete); int dw_pcie_ep_init(struct dw_pcie_ep *ep) { int ret; - void *addr; u8 func_no; struct resource *res; struct pci_epc *epc; @@ -714,26 +733,6 @@ int dw_pcie_ep_init(struct dw_pcie_ep *ep) ep->phys_base = res->start; ep->addr_size = resource_size(res); - ep->ib_window_map = devm_kcalloc(dev, - BITS_TO_LONGS(pci->num_ib_windows), - sizeof(long), - GFP_KERNEL); - if (!ep->ib_window_map) - return -ENOMEM; - - ep->ob_window_map = devm_kcalloc(dev, - BITS_TO_LONGS(pci->num_ob_windows), - sizeof(long), - GFP_KERNEL); - if (!ep->ob_window_map) - return -ENOMEM; - - addr = devm_kcalloc(dev, pci->num_ob_windows, sizeof(phys_addr_t), - GFP_KERNEL); - if (!addr) - return -ENOMEM; - ep->outbound_addr = addr; - if (pci->link_gen < 1) pci->link_gen = of_pci_get_max_link_speed(np); -- 2.7.4