Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3848914pxb; Tue, 17 Nov 2020 05:19:57 -0800 (PST) X-Google-Smtp-Source: ABdhPJxB9pFNeyCtFf+2UMARJFEKH2ryVEs9j0o1PnCGmUbiDVAO0MhSd7cNbUYcSm2bgBEpFjFe X-Received: by 2002:a17:906:f207:: with SMTP id gt7mr19813297ejb.293.1605619197229; Tue, 17 Nov 2020 05:19:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1605619197; cv=none; d=google.com; s=arc-20160816; b=mBlo64Hzs5iwtPWmhlcZB36MtpGddFOHQsmwOAtTWeRBTHPzKfJj1GDlCiEhNbZ7QX WvRJ4in5gBuOqq5W/W4K03x9uSMopMC0IqtF0s/JJUr/IbMHapszvnUTlcdeOyj8wYDg U1ru0/u8EGykSkzSW1eSqhQwl2J35g0wbNjq2m0KTqko2VCmwKkNWAqx8dgwF3e9pl8Z z2UF0G+Y1QBVL8r6Qietl+N1VLHYNiDllZHOMzH1lStB3RL6EhnPnc7oNe1cPJ0j2T3F Nf+2pg64NTlhKwgC7q63TVS/Li/ZTVmKa3Z6LZ/htNTrnmLp1HSibxgMsfQaftwxGH8n MfvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=pRJZzr45blhkMt3d4HO5enJpBMM52GogtgOQpDeoWK4=; b=I/f26VDnr28CNeuEX47E1QCKDE2ssZu/ulQxYybgzWNEXfhdAH/NCzkeo7KKlUBxUh 34Em8AWegNsZlyemfqEOR67pLvGmL1ijt2oi3oiuzs8iGzKJ7weoLoBj4Icjm2xQ/CQn za43YxT4yt98VT3zqa5SyT/1TsS8cGPVFBLanrHz4tcCnyQApfERbO3rSfNGPktk+5c3 +kNEMOZTpUyRvioeOFWEI6nDD5cjzcCZx1b3r4IlGCcQHfNtg4Vorzqnn6bD1I7dHuG2 IBbcHw2oj6acp98ofg6oSvysBl8/d1dw1bWiRybqjy5T5NIzZfs8J+dRezCQKZk7+9Zf k5GA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=I2Kn5w3s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d1si7919815edx.295.2020.11.17.05.19.34; Tue, 17 Nov 2020 05:19:57 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=I2Kn5w3s; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730536AbgKQNRR (ORCPT + 99 others); Tue, 17 Nov 2020 08:17:17 -0500 Received: from mail.kernel.org ([198.145.29.99]:49188 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729935AbgKQNRD (ORCPT ); Tue, 17 Nov 2020 08:17:03 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 82BF221734; Tue, 17 Nov 2020 13:17:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1605619022; bh=bAOESwU40WE647EZwq+HTbu5x/7cJ1kekcQwV8aud5k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=I2Kn5w3s7xSAY6mAqSGmFFsBTxsu9XhjJeJrG+vTjPHNPIl7R66PziW6s3I8PZeft uxnCpSAQXebdqYfCmCEZl7r+e0s5BYGXv0oXJH+fttX0eM7Kfs69pkZ+BKVZKdbyBl d2itY2isbRX6wCilyj8ryRMH5vE2gInyILVK44b4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= , Jinoh Kang , Juergen Gross , Stefano Stabellini , Wei Liu Subject: [PATCH 4.14 69/85] xen/events: avoid removing an event channel while handling it Date: Tue, 17 Nov 2020 14:05:38 +0100 Message-Id: <20201117122114.416198605@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201117122111.018425544@linuxfoundation.org> References: <20201117122111.018425544@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Juergen Gross commit 073d0552ead5bfc7a3a9c01de590e924f11b5dd2 upstream. Today it can happen that an event channel is being removed from the system while the event handling loop is active. This can lead to a race resulting in crashes or WARN() splats when trying to access the irq_info structure related to the event channel. Fix this problem by using a rwlock taken as reader in the event handling loop and as writer when deallocating the irq_info structure. As the observed problem was a NULL dereference in evtchn_from_irq() make this function more robust against races by testing the irq_info pointer to be not NULL before dereferencing it. And finally make all accesses to evtchn_to_irq[row][col] atomic ones in order to avoid seeing partial updates of an array element in irq handling. Note that irq handling can be entered only for event channels which have been valid before, so any not populated row isn't a problem in this regard, as rows are only ever added and never removed. This is XSA-331. Cc: stable@vger.kernel.org Reported-by: Marek Marczykowski-Górecki Reported-by: Jinoh Kang Signed-off-by: Juergen Gross Reviewed-by: Stefano Stabellini Reviewed-by: Wei Liu Signed-off-by: Greg Kroah-Hartman --- drivers/xen/events/events_base.c | 40 ++++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) --- a/drivers/xen/events/events_base.c +++ b/drivers/xen/events/events_base.c @@ -32,6 +32,7 @@ #include #include #include +#include #ifdef CONFIG_X86 #include @@ -69,6 +70,23 @@ const struct evtchn_ops *evtchn_ops; */ static DEFINE_MUTEX(irq_mapping_update_lock); +/* + * Lock protecting event handling loop against removing event channels. + * Adding of event channels is no issue as the associated IRQ becomes active + * only after everything is setup (before request_[threaded_]irq() the handler + * can't be entered for an event, as the event channel will be unmasked only + * then). + */ +static DEFINE_RWLOCK(evtchn_rwlock); + +/* + * Lock hierarchy: + * + * irq_mapping_update_lock + * evtchn_rwlock + * IRQ-desc lock + */ + static LIST_HEAD(xen_irq_list_head); /* IRQ <-> VIRQ mapping. */ @@ -103,7 +121,7 @@ static void clear_evtchn_to_irq_row(unsi unsigned col; for (col = 0; col < EVTCHN_PER_ROW; col++) - evtchn_to_irq[row][col] = -1; + WRITE_ONCE(evtchn_to_irq[row][col], -1); } static void clear_evtchn_to_irq_all(void) @@ -140,7 +158,7 @@ static int set_evtchn_to_irq(unsigned ev clear_evtchn_to_irq_row(row); } - evtchn_to_irq[row][col] = irq; + WRITE_ONCE(evtchn_to_irq[row][col], irq); return 0; } @@ -150,7 +168,7 @@ int get_evtchn_to_irq(unsigned evtchn) return -1; if (evtchn_to_irq[EVTCHN_ROW(evtchn)] == NULL) return -1; - return evtchn_to_irq[EVTCHN_ROW(evtchn)][EVTCHN_COL(evtchn)]; + return READ_ONCE(evtchn_to_irq[EVTCHN_ROW(evtchn)][EVTCHN_COL(evtchn)]); } /* Get info for IRQ */ @@ -259,10 +277,14 @@ static void xen_irq_info_cleanup(struct */ unsigned int evtchn_from_irq(unsigned irq) { - if (unlikely(WARN(irq >= nr_irqs, "Invalid irq %d!\n", irq))) + const struct irq_info *info = NULL; + + if (likely(irq < nr_irqs)) + info = info_for_irq(irq); + if (!info) return 0; - return info_for_irq(irq)->evtchn; + return info->evtchn; } unsigned irq_from_evtchn(unsigned int evtchn) @@ -438,16 +460,21 @@ static int __must_check xen_allocate_irq static void xen_free_irq(unsigned irq) { struct irq_info *info = info_for_irq(irq); + unsigned long flags; if (WARN_ON(!info)) return; + write_lock_irqsave(&evtchn_rwlock, flags); + list_del(&info->list); set_info_for_irq(irq, NULL); WARN_ON(info->refcnt > 0); + write_unlock_irqrestore(&evtchn_rwlock, flags); + kfree(info); /* Legacy IRQ descriptors are managed by the arch. */ @@ -1233,6 +1260,8 @@ static void __xen_evtchn_do_upcall(void) int cpu = get_cpu(); unsigned count; + read_lock(&evtchn_rwlock); + do { vcpu_info->evtchn_upcall_pending = 0; @@ -1248,6 +1277,7 @@ static void __xen_evtchn_do_upcall(void) } while (count != 1 || vcpu_info->evtchn_upcall_pending); out: + read_unlock(&evtchn_rwlock); put_cpu(); }