Received: by 2002:ab2:7903:0:b0:1fb:b500:807b with SMTP id a3csp1078518lqj; Mon, 3 Jun 2024 09:28:56 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXt9Vf+DAcdPV6Lak3gp/qke0xgxk9fUKZNOL0Vezln7L9UJiOhl1EUBK+v9xi1JmhlkI5KO3mEP27fqorSuq2iLQCHNNF5f95adBhfRQ== X-Google-Smtp-Source: AGHT+IHNFcDIPIpXHALRAG78cIicvrdksCysSrQKAFDiR5smQupG73OfKbcRbWPt+IlxbsAjG97C X-Received: by 2002:a17:903:124f:b0:1e4:6938:6fe3 with SMTP id d9443c01a7336-1f6370bd2f3mr123940505ad.58.1717432136449; Mon, 03 Jun 2024 09:28:56 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717432136; cv=pass; d=google.com; s=arc-20160816; b=sRqGSuPYKpc29eQOvNvRExCHLXbS4QT7btxLhw5EX/Wca7cBBfaKxKoi/oyXfAMHdi PIGPmO52jCdQqfdG2xoTQlOGoFovnIlgX2YfMMjXj6fuLePdBsPc5rsC2PfR5ohGVXv0 vpd+605XYr9Kf1J3IlC8qZ6CLwX66tY2Qk/zqMFQBiW8AD43+8Y/v/tGkvI02ISR+ref SdmzYK/ALDqxhZSy/ZRSYf8+cwYQvgccP3swiKip/9fDvPvcrXlXGnVKFmc58B93s28R 31QU95WscgVu3b+NGkwwJgY8+KegLgRpDqqm6cT58hyUhfqurJpvZFJ6p7Uu1dGZHbmO 3Ixw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:precedence:robot-unsubscribe:robot-id :message-id:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:references:in-reply-to:cc:subject:to:reply-to:sender :from:dkim-signature:dkim-signature:date; bh=OWL8vUukaZCxzvPlUNuVqTu5L4wQE8fJVp+dX7uMbyk=; fh=zAzRgkFvMyVN3d5bMJ5KK5OntBgf+5ruZJB2BQL0b88=; b=orS9BMH37MEZifmCXwvqVIMjLOt0bU0TElK0pgfMrNv2OZDq4EotNlBT7/DQihIAjg ZTtyJ/YwbXbK/Xo+pY1kgXfMvaHhaPs/4NsY6cnCMt4UIR0nc5VhuVTRvrDSSPXtTAIF lIYP8aYtTg+h9rxbg0s1/8SWwjrS4hxkVOgLI8g1s4LPoVnkXTJ62oy3uYv045j5S5uk R0nlN2+E1YzaM8EL4i/9Lb8vidBac5xBEUHP97HVrBjAfEZCwYHxzcdPtWIHd79yu/Ir R9n7bium/G/WgNgAEni3UkSfzJyMKCHHr1MCpw+bj2ARTvnjqk39FqN42VISUokw9RXj ACtw==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=rAOAZHJF; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e header.b=HXYf4y0p; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-199443-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199443-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id d9443c01a7336-1f6324191b7si67573225ad.608.2024.06.03.09.28.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 03 Jun 2024 09:28:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-199443-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=rAOAZHJF; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e header.b=HXYf4y0p; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-199443-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-199443-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 175F4285A99 for ; Mon, 3 Jun 2024 16:27:01 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 0660F136678; Mon, 3 Jun 2024 16:26:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="rAOAZHJF"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="HXYf4y0p" Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 77F6A13213B; Mon, 3 Jun 2024 16:26:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717432013; cv=none; b=nC3b+mEGjIdSiUbK/SXhyV8oR97HgLbCX8hIvB1UZI8vILfFHvBvils6/ETHITmXRHWTQEK7RkdcT4ItDNyXRJmOw+05AIrwwyebqXl1vbvxjKlE2f4a+vG4YR3Ds2bAWqhhYIZxrOBhuVC2VXnQdNzUCM95tqePJh2f0y0P/kU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717432013; c=relaxed/simple; bh=834LTm9qL+T6Ib99HUwKfxZFT/9WNNx2dUFFcuI17jY=; h=Date:From:To:Subject:Cc:In-Reply-To:References:MIME-Version: Message-ID:Content-Type; b=SX9Io8J1EOyGu/ywM2ZOHp/eif2sXgscrwaBBywXLIE2/SNF160WVHd1cJdWoZUvtiFC4LeeCGrPksJ7mKZRRXETbQjxV1s64PB+ldW4BSJvNGoBbPQNy1sdfYsRE8CRyqD72Lrv1EiSCmZE8jybBTVl5jnLAmTwbylRHeY4ikI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=rAOAZHJF; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=HXYf4y0p; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Date: Mon, 03 Jun 2024 16:26:49 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1717432009; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=OWL8vUukaZCxzvPlUNuVqTu5L4wQE8fJVp+dX7uMbyk=; b=rAOAZHJFvTuVj+gl154Ru5UsndhGBOeV2ZUWr3TG/MvqIj8ZO1g/VFQWyk9poZqIzrLt6j ohqoa5gFz+UINR21PG2BtPTpfqTPVRRzNn8eN5spgwhOi27uwOOkzRjkZqcUq045u8yT69 eApAZZFtzrEo6Sl3AR5eOwYJ9OUAHyvl0ZQX5V1VQ2AolR98KbpETUuZv4/f4SY6a5NA/Y NQdvWG/RuzAiqL+bB1CChphp4w66WYadt7Vc/O5rnnKC7fXtAXFTgsQFHZV/NRLvcumFl0 YAJPtpAtS5+z331A8bJyWV9aTeR+ugbBl4wDbEL1ICNOtfd1vDOohRWSX3jzgQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1717432009; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=OWL8vUukaZCxzvPlUNuVqTu5L4wQE8fJVp+dX7uMbyk=; b=HXYf4y0pbXwbDjTFcik6y7dSfjQ1Zb7CzJ/vWYLRdDQP7RespdFhDVaNgXkO9Z2U9xEUJ3 CkugWZMMLTMkq7Cg== From: "tip-bot2 for Hagar Hemdan" Sender: tip-bot2@linutronix.de Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: irq/urgent] irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update() Cc: Marc Zyngier , Hagar Hemdan , Thomas Gleixner , stable@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org In-Reply-To: <20240531162144.28650-1-hagarhem@amazon.com> References: <20240531162144.28650-1-hagarhem@amazon.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Message-ID: <171743200922.10875.2490040658088179596.tip-bot2@tip-bot2> Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Precedence: bulk Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit The following commit has been merged into the irq/urgent branch of tip: Commit-ID: b97e8a2f7130a4b30d1502003095833d16c028b3 Gitweb: https://git.kernel.org/tip/b97e8a2f7130a4b30d1502003095833d16c028b3 Author: Hagar Hemdan AuthorDate: Fri, 31 May 2024 16:21:44 Committer: Thomas Gleixner CommitterDate: Mon, 03 Jun 2024 18:20:00 +02:00 irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update() its_vlpi_prop_update() calls lpi_write_config() which obtains the mapping information for a VLPI without lock held. So it could race with its_vlpi_unmap(). Since all calls from its_irq_set_vcpu_affinity() require the same lock to be held, hoist the locking there instead of sprinkling the locking all over the place. This bug was discovered using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. [ tglx: Use guard() instead of goto ] Fixes: 015ec0386ab6 ("irqchip/gic-v3-its: Add VLPI configuration handling") Suggested-by: Marc Zyngier Signed-off-by: Hagar Hemdan Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Reviewed-by: Marc Zyngier Link: https://lore.kernel.org/r/20240531162144.28650-1-hagarhem@amazon.com --- drivers/irqchip/irq-gic-v3-its.c | 44 ++++++++----------------------- 1 file changed, 12 insertions(+), 32 deletions(-) diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index 40ebf17..3c755d5 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -1846,28 +1846,22 @@ static int its_vlpi_map(struct irq_data *d, struct its_cmd_info *info) { struct its_device *its_dev = irq_data_get_irq_chip_data(d); u32 event = its_get_event_id(d); - int ret = 0; if (!info->map) return -EINVAL; - raw_spin_lock(&its_dev->event_map.vlpi_lock); - if (!its_dev->event_map.vm) { struct its_vlpi_map *maps; maps = kcalloc(its_dev->event_map.nr_lpis, sizeof(*maps), GFP_ATOMIC); - if (!maps) { - ret = -ENOMEM; - goto out; - } + if (!maps) + return -ENOMEM; its_dev->event_map.vm = info->map->vm; its_dev->event_map.vlpi_maps = maps; } else if (its_dev->event_map.vm != info->map->vm) { - ret = -EINVAL; - goto out; + return -EINVAL; } /* Get our private copy of the mapping information */ @@ -1899,46 +1893,32 @@ static int its_vlpi_map(struct irq_data *d, struct its_cmd_info *info) its_dev->event_map.nr_vlpis++; } -out: - raw_spin_unlock(&its_dev->event_map.vlpi_lock); - return ret; + return 0; } static int its_vlpi_get(struct irq_data *d, struct its_cmd_info *info) { struct its_device *its_dev = irq_data_get_irq_chip_data(d); struct its_vlpi_map *map; - int ret = 0; - - raw_spin_lock(&its_dev->event_map.vlpi_lock); map = get_vlpi_map(d); - if (!its_dev->event_map.vm || !map) { - ret = -EINVAL; - goto out; - } + if (!its_dev->event_map.vm || !map) + return -EINVAL; /* Copy our mapping information to the incoming request */ *info->map = *map; -out: - raw_spin_unlock(&its_dev->event_map.vlpi_lock); - return ret; + return 0; } static int its_vlpi_unmap(struct irq_data *d) { struct its_device *its_dev = irq_data_get_irq_chip_data(d); u32 event = its_get_event_id(d); - int ret = 0; - - raw_spin_lock(&its_dev->event_map.vlpi_lock); - if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) { - ret = -EINVAL; - goto out; - } + if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) + return -EINVAL; /* Drop the virtual mapping */ its_send_discard(its_dev, event); @@ -1962,9 +1942,7 @@ static int its_vlpi_unmap(struct irq_data *d) kfree(its_dev->event_map.vlpi_maps); } -out: - raw_spin_unlock(&its_dev->event_map.vlpi_lock); - return ret; + return 0; } static int its_vlpi_prop_update(struct irq_data *d, struct its_cmd_info *info) @@ -1992,6 +1970,8 @@ static int its_irq_set_vcpu_affinity(struct irq_data *d, void *vcpu_info) if (!is_v4(its_dev->its)) return -EINVAL; + guard(raw_spinlock_irq)(&its_dev->event_map.vlpi_lock); + /* Unmap request? */ if (!info) return its_vlpi_unmap(d);