Received: by 2002:ab2:7903:0:b0:1fb:b500:807b with SMTP id a3csp926422lqj; Mon, 3 Jun 2024 05:25:19 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUSdGlOBjsppu3GoOPVjU0wKM5RN8XhQV4R1n1XHpyZ2wVIUuZcBBcp8ZOo3DmnYyiy/y0tjNRXz75hUyNv3MMRcDo+2L69bzzn2bvYMQ== X-Google-Smtp-Source: AGHT+IFHJt6Xf22mtiCcKcVOKIbqGRLk09H+0Q9hzY9GmynK2loSZoa5Yuo7GhLvZ2IaLOBEBxNF X-Received: by 2002:a17:902:d4cf:b0:1f6:73cb:4877 with SMTP id d9443c01a7336-1f673cb4a69mr35784635ad.6.1717417519200; Mon, 03 Jun 2024 05:25:19 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717417519; cv=pass; d=google.com; s=arc-20160816; b=GkW5z0uwebXiQY5oJ3kc6ylgMfhTE2qTHGMSe6RLyDuflB8NUJhJSiw+22QqoO76Mu KavTnGKY6I/Ru18y7rpndmAZTQIhEXCUskzqY2/GeyycWc44shR869GcX/NY24ZfkFcd NFRuhWwkqoPBGlOKjfsqNJ9xgJVy5rcKEuDJEsVLWx2egMq7RwwJvXX942WB4AAR0ghk anA/OGg+kxJdTn1opvJuVSzbSv18lsRsl3pwm4lADBorEovR3XNq128pPB3Vu3pgAhib Gx6mXOlrnoqOe2E7ZwYozaRNunOoa8EHrO1MVteL/S6moEEP0vGGNVV5yLrNZEk1mOBi TKYA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:precedence:robot-unsubscribe:robot-id :message-id:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:references:in-reply-to:cc:subject:to:reply-to:sender :from:dkim-signature:dkim-signature:date; bh=fkSA7wJzHRXARTryahlZJvg0OXJiY2Vv3n352u4LYUg=; fh=zAzRgkFvMyVN3d5bMJ5KK5OntBgf+5ruZJB2BQL0b88=; b=xiNEhEs8KK5eXp/5+SnKvKFVqXpL+aVaKkYCkUCWKynmWsiNo3cyClWHGGZhp014/C do+jXHSSbzEsebmI3dLOviBm8SH8UM/BQNH/+s2a77MaDgSbUBl0w/l0rKVfGliH5uDW KYtZ/nSqtCX4kP5fZJ+eCrXbBzLhBbkEr1MkO6qnBzZ43KnvQbMYFE4cAkY/7RwopoH2 Y10Xa6Wgv6z4uC1QuXYaH8Tq3s7cQNVojMG4W/eqnm7RdjpM+ePV4DlSsY7gXKr9yYPi /h+ccmUIrQgW9hmjrDKe3gdH3AxAXdbd1ZWjqE0RGlCOlYWanBZb0/l+ul/5iDTW0zgA g7Rg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=4bsdwNHj; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-199107-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199107-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id d9443c01a7336-1f67ca3b7fcsi17233435ad.412.2024.06.03.05.25.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Jun 2024 05:25:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-199107-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=4bsdwNHj; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-199107-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199107-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id CDAB7285230 for ; Mon, 3 Jun 2024 12:25:18 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 55A0612C466; Mon, 3 Jun 2024 12:25:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="4bsdwNHj"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="TOiAYS5G" Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D437077118; Mon, 3 Jun 2024 12:25:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717417510; cv=none; b=O3+nvXBe8rTsBCT2Jn2JAsnQ7rREv03QozMx4bcdIWWuzIgaa6f2JMcR3bGeRsNHpmboIXkPDu59e0A6HbuZ20bazJwEXaFPyQdt0T1aD9C9h9OZZNPwNMlb7WlknSrUA3YrUqq5LDH/qe9DL4nxO/o/n5928qqeqIcvcLg9Bt0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717417510; c=relaxed/simple; bh=UlmbVGRyQ2g8T8gjbDPF55SMl841W/T6lcIgZeShKJU=; h=Date:From:To:Subject:Cc:In-Reply-To:References:MIME-Version: Message-ID:Content-Type; b=N1WSaNJ7bEsXLaVt7VhSoadtE/6zl2/9EAizksiQdAdnMwhCEsYyQ20cjErtaDEsMwwrdVrShV/V2ecxi3mFR32rYtRVnTSqm5vQePP7xCSg+CCO8W58q2gUpH1UBbBZf+IXHqbWrJYeYCIYPXbta/Xml9tJEI9AaOoyxdBQ6PM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=4bsdwNHj; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=TOiAYS5G; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Date: Mon, 03 Jun 2024 12:25:06 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1717417507; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fkSA7wJzHRXARTryahlZJvg0OXJiY2Vv3n352u4LYUg=; b=4bsdwNHjM0IPJkSp5nGBBEj6wi/t3e9CASvCuQCEBshXXyG+CCA6idNx5rmn7MWYDf9iih cjwCQ0mX+VWaoUAS5f+8oI+yAWwjfOabmncxBLKzsve8/RdPrRxdLse0WHUtD+Tx2adcDv n7+/NovMkBagRMBsdVPfTa7Uopw2PgW30SFiODPwAULOe1c2vJ8IdrU0rlwjuXvIXbqvKk J+OXmIVwiLs5f+Ky/Aglg7j0yr1rvOsxHy8BMRzVdH1iGo3TgJwTqPFvOU4QSVu9e6x+27 ejdYopLmgMp4ZI6RgI3kdnJ2NIXItGq9XnR/q31V0VHIWES9KRNdJPmwCclu6w== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1717417507; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fkSA7wJzHRXARTryahlZJvg0OXJiY2Vv3n352u4LYUg=; b=TOiAYS5GlmLWWyzsqUCjC6eYScCTY3QeXOm9S+vSIqVHypsrXAUR/LBYhqpbKYjpIMdiuW IWEolsSuKcKnZvAQ== From: "tip-bot2 for Hagar Hemdan" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: irq/urgent] irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update() Cc: Marc Zyngier , Hagar Hemdan , Thomas Gleixner , stable@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org In-Reply-To: <20240531162144.28650-1-hagarhem@amazon.com> References: <20240531162144.28650-1-hagarhem@amazon.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <171741750653.10875.4371546608500601999.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Precedence: bulk Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit The following commit has been merged into the irq/urgent branch of tip: Commit-ID: 8dd4302d37bb2fe842acb3be688d393254b4f126 Gitweb: https://git.kernel.org/tip/8dd4302d37bb2fe842acb3be688d393254b4f126 Author: Hagar Hemdan AuthorDate: Fri, 31 May 2024 16:21:44 Committer: Thomas Gleixner CommitterDate: Mon, 03 Jun 2024 14:19:42 +02:00 irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update() its_vlpi_prop_update() calls lpi_write_config() which obtains the mapping information for a VLPI without lock held. So it could race with its_vlpi_unmap(). Since all calls from its_irq_set_vcpu_affinity() require the same lock to be held, hoist the locking there instead of sprinkling the locking all over the place. This bug was discovered using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. [ tglx: Use guard() instead of goto ] Fixes: 015ec0386ab6 ("irqchip/gic-v3-its: Add VLPI configuration handling") Suggested-by: Marc Zyngier Signed-off-by: Hagar Hemdan Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20240531162144.28650-1-hagarhem@amazon.com --- drivers/irqchip/irq-gic-v3-its.c | 44 ++++++++----------------------- 1 file changed, 12 insertions(+), 32 deletions(-) diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index 40ebf17..c696ac9 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -1846,28 +1846,22 @@ static int its_vlpi_map(struct irq_data *d, struct its_cmd_info *info) { struct its_device *its_dev = irq_data_get_irq_chip_data(d); u32 event = its_get_event_id(d); - int ret = 0; if (!info->map) return -EINVAL; - raw_spin_lock(&its_dev->event_map.vlpi_lock); - if (!its_dev->event_map.vm) { struct its_vlpi_map *maps; maps = kcalloc(its_dev->event_map.nr_lpis, sizeof(*maps), GFP_ATOMIC); - if (!maps) { - ret = -ENOMEM; - goto out; - } + if (!maps) + return -ENOMEM; its_dev->event_map.vm = info->map->vm; its_dev->event_map.vlpi_maps = maps; } else if (its_dev->event_map.vm != info->map->vm) { - ret = -EINVAL; - goto out; + return -EINVAL; } /* Get our private copy of the mapping information */ @@ -1899,46 +1893,32 @@ static int its_vlpi_map(struct irq_data *d, struct its_cmd_info *info) its_dev->event_map.nr_vlpis++; } -out: - raw_spin_unlock(&its_dev->event_map.vlpi_lock); - return ret; + return 0; } static int its_vlpi_get(struct irq_data *d, struct its_cmd_info *info) { struct its_device *its_dev = irq_data_get_irq_chip_data(d); struct its_vlpi_map *map; - int ret = 0; - - raw_spin_lock(&its_dev->event_map.vlpi_lock); map = get_vlpi_map(d); - if (!its_dev->event_map.vm || !map) { - ret = -EINVAL; - goto out; - } + if (!its_dev->event_map.vm || !map) + return -EINVAL; /* Copy our mapping information to the incoming request */ *info->map = *map; -out: - raw_spin_unlock(&its_dev->event_map.vlpi_lock); - return ret; + return 0; } static int its_vlpi_unmap(struct irq_data *d) { struct its_device *its_dev = irq_data_get_irq_chip_data(d); u32 event = its_get_event_id(d); - int ret = 0; - - raw_spin_lock(&its_dev->event_map.vlpi_lock); - if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) { - ret = -EINVAL; - goto out; - } + if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) + return -EINVAL; /* Drop the virtual mapping */ its_send_discard(its_dev, event); @@ -1962,9 +1942,7 @@ static int its_vlpi_unmap(struct irq_data *d) kfree(its_dev->event_map.vlpi_maps); } -out: - raw_spin_unlock(&its_dev->event_map.vlpi_lock); - return ret; + return 0; } static int its_vlpi_prop_update(struct irq_data *d, struct its_cmd_info *info) @@ -1992,6 +1970,8 @@ static int its_irq_set_vcpu_affinity(struct irq_data *d, void *vcpu_info) if (!is_v4(its_dev->its)) return -EINVAL; + guard(raw_spinlock_irq, &its_dev->event_map.vlpi_lock); + /* Unmap request? */ if (!info) return its_vlpi_unmap(d);