+++ /dev/null
-From b97e8a2f7130a4b30d1502003095833d16c028b3 Mon Sep 17 00:00:00 2001
-From: Hagar Hemdan <hagarhem@amazon.com>
-Date: Fri, 31 May 2024 16:21:44 +0000
-Subject: irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update()
-
-From: Hagar Hemdan <hagarhem@amazon.com>
-
-commit b97e8a2f7130a4b30d1502003095833d16c028b3 upstream.
-
-its_vlpi_prop_update() calls lpi_write_config() which obtains the
-mapping information for a VLPI without lock held. So it could race
-with its_vlpi_unmap().
-
-Since all calls from its_irq_set_vcpu_affinity() require the same
-lock to be held, hoist the locking there instead of sprinkling the
-locking all over the place.
-
-This bug was discovered using Coverity Static Analysis Security Testing
-(SAST) by Synopsys, Inc.
-
-[ tglx: Use guard() instead of goto ]
-
-Fixes: 015ec0386ab6 ("irqchip/gic-v3-its: Add VLPI configuration handling")
-Suggested-by: Marc Zyngier <maz@kernel.org>
-Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: stable@vger.kernel.org
-Reviewed-by: Marc Zyngier <maz@kernel.org>
-Link: https://lore.kernel.org/r/20240531162144.28650-1-hagarhem@amazon.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/irqchip/irq-gic-v3-its.c | 44 ++++++++++-----------------------------
- 1 file changed, 12 insertions(+), 32 deletions(-)
-
---- a/drivers/irqchip/irq-gic-v3-its.c
-+++ b/drivers/irqchip/irq-gic-v3-its.c
-@@ -1826,28 +1826,22 @@ static int its_vlpi_map(struct irq_data
- {
- struct its_device *its_dev = irq_data_get_irq_chip_data(d);
- u32 event = its_get_event_id(d);
-- int ret = 0;
-
- if (!info->map)
- return -EINVAL;
-
-- raw_spin_lock(&its_dev->event_map.vlpi_lock);
--
- if (!its_dev->event_map.vm) {
- struct its_vlpi_map *maps;
-
- maps = kcalloc(its_dev->event_map.nr_lpis, sizeof(*maps),
- GFP_ATOMIC);
-- if (!maps) {
-- ret = -ENOMEM;
-- goto out;
-- }
-+ if (!maps)
-+ return -ENOMEM;
-
- its_dev->event_map.vm = info->map->vm;
- its_dev->event_map.vlpi_maps = maps;
- } else if (its_dev->event_map.vm != info->map->vm) {
-- ret = -EINVAL;
-- goto out;
-+ return -EINVAL;
- }
-
- /* Get our private copy of the mapping information */
-@@ -1879,46 +1873,32 @@ static int its_vlpi_map(struct irq_data
- its_dev->event_map.nr_vlpis++;
- }
-
--out:
-- raw_spin_unlock(&its_dev->event_map.vlpi_lock);
-- return ret;
-+ return 0;
- }
-
- static int its_vlpi_get(struct irq_data *d, struct its_cmd_info *info)
- {
- struct its_device *its_dev = irq_data_get_irq_chip_data(d);
- struct its_vlpi_map *map;
-- int ret = 0;
--
-- raw_spin_lock(&its_dev->event_map.vlpi_lock);
-
- map = get_vlpi_map(d);
-
-- if (!its_dev->event_map.vm || !map) {
-- ret = -EINVAL;
-- goto out;
-- }
-+ if (!its_dev->event_map.vm || !map)
-+ return -EINVAL;
-
- /* Copy our mapping information to the incoming request */
- *info->map = *map;
-
--out:
-- raw_spin_unlock(&its_dev->event_map.vlpi_lock);
-- return ret;
-+ return 0;
- }
-
- static int its_vlpi_unmap(struct irq_data *d)
- {
- struct its_device *its_dev = irq_data_get_irq_chip_data(d);
- u32 event = its_get_event_id(d);
-- int ret = 0;
-
-- raw_spin_lock(&its_dev->event_map.vlpi_lock);
--
-- if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) {
-- ret = -EINVAL;
-- goto out;
-- }
-+ if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d))
-+ return -EINVAL;
-
- /* Drop the virtual mapping */
- its_send_discard(its_dev, event);
-@@ -1942,9 +1922,7 @@ static int its_vlpi_unmap(struct irq_dat
- kfree(its_dev->event_map.vlpi_maps);
- }
-
--out:
-- raw_spin_unlock(&its_dev->event_map.vlpi_lock);
-- return ret;
-+ return 0;
- }
-
- static int its_vlpi_prop_update(struct irq_data *d, struct its_cmd_info *info)
-@@ -1972,6 +1950,8 @@ static int its_irq_set_vcpu_affinity(str
- if (!is_v4(its_dev->its))
- return -EINVAL;
-
-+ guard(raw_spinlock_irq)(&its_dev->event_map.vlpi_lock);
-+
- /* Unmap request? */
- if (!info)
- return its_vlpi_unmap(d);
-irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch
tracing-selftests-fix-kprobe-event-name-test-for-.isra.-functions.patch
null_blk-print-correct-max-open-zones-limit-in-null_init_zoned_dev.patch
wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch
+++ /dev/null
-From b97e8a2f7130a4b30d1502003095833d16c028b3 Mon Sep 17 00:00:00 2001
-From: Hagar Hemdan <hagarhem@amazon.com>
-Date: Fri, 31 May 2024 16:21:44 +0000
-Subject: irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update()
-
-From: Hagar Hemdan <hagarhem@amazon.com>
-
-commit b97e8a2f7130a4b30d1502003095833d16c028b3 upstream.
-
-its_vlpi_prop_update() calls lpi_write_config() which obtains the
-mapping information for a VLPI without lock held. So it could race
-with its_vlpi_unmap().
-
-Since all calls from its_irq_set_vcpu_affinity() require the same
-lock to be held, hoist the locking there instead of sprinkling the
-locking all over the place.
-
-This bug was discovered using Coverity Static Analysis Security Testing
-(SAST) by Synopsys, Inc.
-
-[ tglx: Use guard() instead of goto ]
-
-Fixes: 015ec0386ab6 ("irqchip/gic-v3-its: Add VLPI configuration handling")
-Suggested-by: Marc Zyngier <maz@kernel.org>
-Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Cc: stable@vger.kernel.org
-Reviewed-by: Marc Zyngier <maz@kernel.org>
-Link: https://lore.kernel.org/r/20240531162144.28650-1-hagarhem@amazon.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/irqchip/irq-gic-v3-its.c | 44 ++++++++++-----------------------------
- 1 file changed, 12 insertions(+), 32 deletions(-)
-
---- a/drivers/irqchip/irq-gic-v3-its.c
-+++ b/drivers/irqchip/irq-gic-v3-its.c
-@@ -1831,28 +1831,22 @@ static int its_vlpi_map(struct irq_data
- {
- struct its_device *its_dev = irq_data_get_irq_chip_data(d);
- u32 event = its_get_event_id(d);
-- int ret = 0;
-
- if (!info->map)
- return -EINVAL;
-
-- raw_spin_lock(&its_dev->event_map.vlpi_lock);
--
- if (!its_dev->event_map.vm) {
- struct its_vlpi_map *maps;
-
- maps = kcalloc(its_dev->event_map.nr_lpis, sizeof(*maps),
- GFP_ATOMIC);
-- if (!maps) {
-- ret = -ENOMEM;
-- goto out;
-- }
-+ if (!maps)
-+ return -ENOMEM;
-
- its_dev->event_map.vm = info->map->vm;
- its_dev->event_map.vlpi_maps = maps;
- } else if (its_dev->event_map.vm != info->map->vm) {
-- ret = -EINVAL;
-- goto out;
-+ return -EINVAL;
- }
-
- /* Get our private copy of the mapping information */
-@@ -1884,46 +1878,32 @@ static int its_vlpi_map(struct irq_data
- its_dev->event_map.nr_vlpis++;
- }
-
--out:
-- raw_spin_unlock(&its_dev->event_map.vlpi_lock);
-- return ret;
-+ return 0;
- }
-
- static int its_vlpi_get(struct irq_data *d, struct its_cmd_info *info)
- {
- struct its_device *its_dev = irq_data_get_irq_chip_data(d);
- struct its_vlpi_map *map;
-- int ret = 0;
--
-- raw_spin_lock(&its_dev->event_map.vlpi_lock);
-
- map = get_vlpi_map(d);
-
-- if (!its_dev->event_map.vm || !map) {
-- ret = -EINVAL;
-- goto out;
-- }
-+ if (!its_dev->event_map.vm || !map)
-+ return -EINVAL;
-
- /* Copy our mapping information to the incoming request */
- *info->map = *map;
-
--out:
-- raw_spin_unlock(&its_dev->event_map.vlpi_lock);
-- return ret;
-+ return 0;
- }
-
- static int its_vlpi_unmap(struct irq_data *d)
- {
- struct its_device *its_dev = irq_data_get_irq_chip_data(d);
- u32 event = its_get_event_id(d);
-- int ret = 0;
-
-- raw_spin_lock(&its_dev->event_map.vlpi_lock);
--
-- if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) {
-- ret = -EINVAL;
-- goto out;
-- }
-+ if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d))
-+ return -EINVAL;
-
- /* Drop the virtual mapping */
- its_send_discard(its_dev, event);
-@@ -1947,9 +1927,7 @@ static int its_vlpi_unmap(struct irq_dat
- kfree(its_dev->event_map.vlpi_maps);
- }
-
--out:
-- raw_spin_unlock(&its_dev->event_map.vlpi_lock);
-- return ret;
-+ return 0;
- }
-
- static int its_vlpi_prop_update(struct irq_data *d, struct its_cmd_info *info)
-@@ -1977,6 +1955,8 @@ static int its_irq_set_vcpu_affinity(str
- if (!is_v4(its_dev->its))
- return -EINVAL;
-
-+ guard(raw_spinlock_irq)(&its_dev->event_map.vlpi_lock);
-+
- /* Unmap request? */
- if (!info)
- return its_vlpi_unmap(d);
drm-exynos-vidi-fix-memory-leak-in-.get_modes.patch
drm-exynos-hdmi-report-safe-640x480-mode-as-a-fallback-when-no-edid-found.patch
mptcp-ensure-snd_una-is-properly-initialized-on-connect.patch
-irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch
tracing-selftests-fix-kprobe-event-name-test-for-.isra.-functions.patch
null_blk-print-correct-max-open-zones-limit-in-null_init_zoned_dev.patch
sock_map-avoid-race-between-sock_map_close-and-sk_psock_put.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
