Date: Thu, 11 Apr 2024 12:19:24 +0100
Message-ID: <86r0fcrvsz.wl-maz@kernel.org>
From: Marc Zyngier
To: Guanrui Huang
Cc: yuzenghui@huawei.com, shannon.zhao@linux.alibaba.com, tglx@linutronix.de, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] irqchip/gic-v3-its: Fix double free on error
In-Reply-To: <20240411105630.53865-1-guanrui.huang@linux.alibaba.com>
References: <20240411105630.53865-1-guanrui.huang@linux.alibaba.com>

On Thu, 11 Apr 2024 11:56:30 +0100, Guanrui Huang wrote:
>
> In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error
> with i > 0, its_vpe_irq_domain_free may free bitmap and vprop_page,
> and then there is a double free in its_vpe_irq_domain_alloc.
>
> Fix it by calling its_vpe_irq_domain_free directly, bitmap and
> vprop_page will be freed in this function.
>
> And check whether its_vm is equal to domain->host_data to make sure
> its_vpe_irq_domain_free handle right its_vm.
>
> Signed-off-by: Guanrui Huang
> ---
> drivers/irqchip/irq-gic-v3-its.c | 12 +++++-------
> 1 file changed, 5 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c > index fca888b36680..72c44e555c88 100644 > --- a/drivers/irqchip/irq-gic-v3-its.c 
> +++ b/drivers/irqchip/irq-gic-v3-its.c > @@ -4523,6 +4523,9 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq > > BUG_ON(!vm); > > + if (vm != domain->host_data) > + return -EINVAL; > + How can this happen? > bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); > if (!bitmap) > return -ENOMEM; > @@ -4561,13 +4564,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq > irqd_set_resend_when_in_progress(irq_get_irq_data(virq + i)); > } > > - if (err) { > - if (i > 0) > - its_vpe_irq_domain_free(domain, virq, i); > - > - its_lpi_free(bitmap, base, nr_ids); > - its_free_prop_table(vprop_page); > - } > + if (err) > + its_vpe_irq_domain_free(domain, virq, i); > > return err; > } This otherwise looks reasonable. Thanks, M. -- Without deviation from the norm, progress is not possible.
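
Review bot: The new check `if (vm != domain->host_data) return -EINVAL;` at the top of its_vpe_irq_domain_alloc (first hunk, right after BUG_ON(!vm)) has no stated trigger: the commit message says only that it makes its_vpe_irq_domain_free handle the right its_vm, not which caller could pass a vm that differs from domain->host_data. Either describe that path in the commit message or in a comment above the check, or drop the check so the patch contains only the double-free change. As written it also treats two invariants on the same pointer differently, a BUG_ON for NULL and -EINVAL for a mismatch, which deserves a word of justification.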
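
Review bot: In the second hunk, the error path now calls its_vpe_irq_domain_free(domain, virq, i) even when i == 0, where the old code skipped that call and released bitmap and vprop_page itself through its_lpi_free() and its_free_prop_table(). The body of its_vpe_irq_domain_free is not part of this diff, so the commit message should state the condition under which it frees bitmap and vprop_page and confirm that the condition holds when its_vpe_init() fails on the very first vPE; otherwise the double free is traded for a leak in that case. A short comment above the `if (err)` line saying that the free helper owns both allocations would make the ownership clear to later readers.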