Hello,
These bugs were found during code review. Details in the commits.
Please review and apply.
CC: Roger Pau Monné <[email protected]>
CC: David Vrabel <[email protected]>
CC: Boris Ostrovsky <[email protected]>
CC: Eduardo Valentin <[email protected]>
CC: Juergen Gross <[email protected]>
CC: Thomas Gleixner <[email protected]>
CC: "K. Y. Srinivasan" <[email protected]>
CC: Liu Shuo <[email protected]>
CC: Anoob Soman <[email protected]>
Amit Shah (2):
xen: fix out-of-bounds irq unbind for MSI message groups
xen: events: free irqs in error condition
drivers/xen/events/events_base.c | 2 ++
1 file changed, 2 insertions(+)
--
2.7.3.AMZN
Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
When an MSI descriptor was not available, the error path would try to
unbind an irq that was never acquired - potentially unbinding an
unrelated irq.
Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
Reported-by: Hooman Mirhadi <[email protected]>
CC: <[email protected]>
CC: Roger Pau Monné <[email protected]>
CC: David Vrabel <[email protected]>
CC: Boris Ostrovsky <[email protected]>
CC: Eduardo Valentin <[email protected]>
CC: Juergen Gross <[email protected]>
CC: Thomas Gleixner <[email protected]>
CC: "K. Y. Srinivasan" <[email protected]>
CC: Liu Shuo <[email protected]>
CC: Anoob Soman <[email protected]>
Signed-off-by: Amit Shah <[email protected]>
---
drivers/xen/events/events_base.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
index 1ab4bd1..b6b8b29 100644
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -749,6 +749,7 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct msi_desc *msidesc,
}
ret = irq_set_msi_desc(irq, msidesc);
+ i--;
if (ret < 0)
goto error_irq;
out:
--
2.7.3.AMZN
Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
In case of errors in irq setup for MSI, free up the allocated irqs.
Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
Reported-by: Hooman Mirhadi <[email protected]>
CC: <[email protected]>
CC: Roger Pau Monné <[email protected]>
CC: David Vrabel <[email protected]>
CC: Boris Ostrovsky <[email protected]>
CC: Eduardo Valentin <[email protected]>
CC: Juergen Gross <[email protected]>
CC: Thomas Gleixner <[email protected]>
CC: "K. Y. Srinivasan" <[email protected]>
CC: Liu Shuo <[email protected]>
CC: Anoob Soman <[email protected]>
Signed-off-by: Amit Shah <[email protected]>
---
drivers/xen/events/events_base.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
index b6b8b29..96aa575 100644
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -758,6 +758,7 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct msi_desc *msidesc,
error_irq:
for (; i >= 0; i--)
__unbind_from_irq(irq + i);
+ xen_free_irq(irq);
mutex_unlock(&irq_mapping_update_lock);
return ret;
}
--
2.7.3.AMZN
Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
On Mon, Feb 26, 2018 at 05:36:35PM +0000, Amit Shah wrote:
> In case of errors in irq setup for MSI, free up the allocated irqs.
>
> Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
> Reported-by: Hooman Mirhadi <[email protected]>
> CC: <[email protected]>
> CC: Roger Pau Monn? <[email protected]>
> CC: David Vrabel <[email protected]>
> CC: Boris Ostrovsky <[email protected]>
> CC: Eduardo Valentin <[email protected]>
> CC: Juergen Gross <[email protected]>
> CC: Thomas Gleixner <[email protected]>
> CC: "K. Y. Srinivasan" <[email protected]>
> CC: Liu Shuo <[email protected]>
> CC: Anoob Soman <[email protected]>
> Signed-off-by: Amit Shah <[email protected]>
> ---
> drivers/xen/events/events_base.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
> index b6b8b29..96aa575 100644
> --- a/drivers/xen/events/events_base.c
> +++ b/drivers/xen/events/events_base.c
> @@ -758,6 +758,7 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct msi_desc *msidesc,
> error_irq:
> for (; i >= 0; i--)
> __unbind_from_irq(irq + i);
> + xen_free_irq(irq);
Hm, xen_free_irq calls irq_free_desc, which is irq_free_descs(irq, 1),
I think you will have to introduce a new free function:
xen_free_irqs(unsigned irq, unsigned int nr)
That calls irq_free_descs(irq, nr)
Thanks, Roger.
On Mo, 2018-02-26 at 18:14 +0000, Roger Pau Monné wrote:
> On Mon, Feb 26, 2018 at 05:36:35PM +0000, Amit Shah wrote:
> >
> > In case of errors in irq setup for MSI, free up the allocated irqs.
> >
> > Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
> > Reported-by: Hooman Mirhadi <[email protected]>
> > CC: <[email protected]>
> > CC: Roger Pau Monné <[email protected]>
> > CC: David Vrabel <[email protected]>
> > CC: Boris Ostrovsky <[email protected]>
> > CC: Eduardo Valentin <[email protected]>
> > CC: Juergen Gross <[email protected]>
> > CC: Thomas Gleixner <[email protected]>
> > CC: "K. Y. Srinivasan" <[email protected]>
> > CC: Liu Shuo <[email protected]>
> > CC: Anoob Soman <[email protected]>
> > Signed-off-by: Amit Shah <[email protected]>
> > ---
> > drivers/xen/events/events_base.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/xen/events/events_base.c
> > b/drivers/xen/events/events_base.c
> > index b6b8b29..96aa575 100644
> > --- a/drivers/xen/events/events_base.c
> > +++ b/drivers/xen/events/events_base.c
> > @@ -758,6 +758,7 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev
> > *dev, struct msi_desc *msidesc,
> > error_irq:
> > for (; i >= 0; i--)
> > __unbind_from_irq(irq + i);
> > + xen_free_irq(irq);
> Hm, xen_free_irq calls irq_free_desc, which is irq_free_descs(irq,
> 1),
Er... right.
> I think you will have to introduce a new free function:
>
> xen_free_irqs(unsigned irq, unsigned int nr)
>
> That calls irq_free_descs(irq, nr)
Actually, xen_free_irq() is already done in __unbind_from_irq(), so
this patch is actually wrong and not needed.
Amit
Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B
On 02/26/2018 12:36 PM, Amit Shah wrote:
> When an MSI descriptor was not available, the error path would try to
> unbind an irq that was never acquired - potentially unbinding an
> unrelated irq.
>
> Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
> Reported-by: Hooman Mirhadi <[email protected]>
> CC: <[email protected]>
> CC: Roger Pau Monné <[email protected]>
> CC: David Vrabel <[email protected]>
> CC: Boris Ostrovsky <[email protected]>
> CC: Eduardo Valentin <[email protected]>
> CC: Juergen Gross <[email protected]>
> CC: Thomas Gleixner <[email protected]>
> CC: "K. Y. Srinivasan" <[email protected]>
> CC: Liu Shuo <[email protected]>
> CC: Anoob Soman <[email protected]>
> Signed-off-by: Amit Shah <[email protected]>
> ---
> drivers/xen/events/events_base.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
> index 1ab4bd1..b6b8b29 100644
> --- a/drivers/xen/events/events_base.c
> +++ b/drivers/xen/events/events_base.c
> @@ -749,6 +749,7 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev *dev, struct msi_desc *msidesc,
> }
>
> ret = irq_set_msi_desc(irq, msidesc);
> + i--;
> if (ret < 0)
> goto error_irq;
We really only need to do this in case of an error.
(And this patch needs to go to stable trees as well.)
Thanks
-boris
On Mon, Feb 26, 2018 at 06:57:03PM +0000, Shah, Amit wrote:
>
> On Mo, 2018-02-26 at 18:14 +0000, Roger Pau Monn? wrote:
> > On Mon, Feb 26, 2018 at 05:36:35PM +0000, Amit Shah wrote:
> > >
> > > In case of errors in irq setup for MSI, free up the allocated irqs.
> > >
> > > Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups")
> > > Reported-by: Hooman Mirhadi <[email protected]>
> > > CC: <[email protected]>
> > > CC: Roger Pau Monn? <[email protected]>
> > > CC: David Vrabel <[email protected]>
> > > CC: Boris Ostrovsky <[email protected]>
> > > CC: Eduardo Valentin <[email protected]>
> > > CC: Juergen Gross <[email protected]>
> > > CC: Thomas Gleixner <[email protected]>
> > > CC: "K. Y. Srinivasan" <[email protected]>
> > > CC: Liu Shuo <[email protected]>
> > > CC: Anoob Soman <[email protected]>
> > > Signed-off-by: Amit Shah <[email protected]>
> > > ---
> > > ?drivers/xen/events/events_base.c | 1 +
> > > ?1 file changed, 1 insertion(+)
> > >
> > > diff --git a/drivers/xen/events/events_base.c
> > > b/drivers/xen/events/events_base.c
> > > index b6b8b29..96aa575 100644
> > > --- a/drivers/xen/events/events_base.c
> > > +++ b/drivers/xen/events/events_base.c
> > > @@ -758,6 +758,7 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev
> > > *dev, struct msi_desc *msidesc,
> > > ?error_irq:
> > > ? for (; i >= 0; i--)
> > > ? __unbind_from_irq(irq + i);
> > > + xen_free_irq(irq);
> > Hm, xen_free_irq calls irq_free_desc, which is irq_free_descs(irq,
> > 1),
>
> Er... ?right.
>
> > I think you will have to introduce a new free function:
> >
> > xen_free_irqs(unsigned irq, unsigned int nr)
> >
> > That calls irq_free_descs(irq, nr)
>
> Actually, xen_free_irq() is already done in __unbind_from_irq(), so
> this patch is actually wrong and not needed.
You still need to free unbound IRQs, AFAICT you could fix the issue
with a single patch, like:
while (nvec--) {
if (nvec >= i)
xen_free_irq(irq + i);
else
__unbind_from_irq(irq + i);
}
Roger.
On Di, 2018-02-27 at 08:14 +0000, Roger Pau Monné wrote:
> On Mon, Feb 26, 2018 at 06:57:03PM +0000, Shah, Amit wrote:
> >
> >
> > On Mo, 2018-02-26 at 18:14 +0000, Roger Pau Monné wrote:
> > >
> > > On Mon, Feb 26, 2018 at 05:36:35PM +0000, Amit Shah wrote:
> > > >
> > > >
> > > > In case of errors in irq setup for MSI, free up the allocated
> > > > irqs.
> > > >
> > > > Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message
> > > > groups")
> > > > Reported-by: Hooman Mirhadi <[email protected]>
> > > > CC: <[email protected]>
> > > > CC: Roger Pau Monné <[email protected]>
> > > > CC: David Vrabel <[email protected]>
> > > > CC: Boris Ostrovsky <[email protected]>
> > > > CC: Eduardo Valentin <[email protected]>
> > > > CC: Juergen Gross <[email protected]>
> > > > CC: Thomas Gleixner <[email protected]>
> > > > CC: "K. Y. Srinivasan" <[email protected]>
> > > > CC: Liu Shuo <[email protected]>
> > > > CC: Anoob Soman <[email protected]>
> > > > Signed-off-by: Amit Shah <[email protected]>
> > > > ---
> > > > drivers/xen/events/events_base.c | 1 +
> > > > 1 file changed, 1 insertion(+)
> > > >
> > > > diff --git a/drivers/xen/events/events_base.c
> > > > b/drivers/xen/events/events_base.c
> > > > index b6b8b29..96aa575 100644
> > > > --- a/drivers/xen/events/events_base.c
> > > > +++ b/drivers/xen/events/events_base.c
> > > > @@ -758,6 +758,7 @@ int xen_bind_pirq_msi_to_irq(struct pci_dev
> > > > *dev, struct msi_desc *msidesc,
> > > > error_irq:
> > > > for (; i >= 0; i--)
> > > > __unbind_from_irq(irq + i);
> > > > + xen_free_irq(irq);
> > > Hm, xen_free_irq calls irq_free_desc, which is
> > > irq_free_descs(irq,
> > > 1),
> > Er... right.
> >
> > >
> > > I think you will have to introduce a new free function:
> > >
> > > xen_free_irqs(unsigned irq, unsigned int nr)
> > >
> > > That calls irq_free_descs(irq, nr)
> > Actually, xen_free_irq() is already done in __unbind_from_irq(), so
> > this patch is actually wrong and not needed.
> You still need to free unbound IRQs, AFAICT you could fix the issue
> with a single patch, like:
>
> while (nvec--) {
> if (nvec >= i)
> xen_free_irq(irq + i);
> else
> __unbind_from_irq(irq + i);
> }
Agreed.
However, since these are two different things, I'd still like to
separate out into two patches, and two paths so it's easier to see
what's being done.
Sending v2 in a bit.
Amit
Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B