From b9b0dafd645ad6a7c8965a91399ad720f9201e70 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 19 Jun 2024 08:23:39 -0400 Subject: [PATCH] Drop irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch from 5.15 and 5.10 --- ...ce-condition-in-its_vlpi_prop_update.patch | 141 ------------------ queue-5.10/series | 1 - ...ce-condition-in-its_vlpi_prop_update.patch | 141 ------------------ queue-5.15/series | 1 - 4 files changed, 284 deletions(-) delete mode 100644 queue-5.10/irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch delete mode 100644 queue-5.15/irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch diff --git a/queue-5.10/irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch b/queue-5.10/irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch deleted file mode 100644 index 78d43ae77c1..00000000000 --- a/queue-5.10/irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch +++ /dev/null @@ -1,141 +0,0 @@ -From b97e8a2f7130a4b30d1502003095833d16c028b3 Mon Sep 17 00:00:00 2001 -From: Hagar Hemdan -Date: Fri, 31 May 2024 16:21:44 +0000 -Subject: irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update() - -From: Hagar Hemdan - -commit b97e8a2f7130a4b30d1502003095833d16c028b3 upstream. - -its_vlpi_prop_update() calls lpi_write_config() which obtains the -mapping information for a VLPI without lock held. So it could race -with its_vlpi_unmap(). - -Since all calls from its_irq_set_vcpu_affinity() require the same -lock to be held, hoist the locking there instead of sprinkling the -locking all over the place. - -This bug was discovered using Coverity Static Analysis Security Testing -(SAST) by Synopsys, Inc. - -[ tglx: Use guard() instead of goto ] - -Fixes: 015ec0386ab6 ("irqchip/gic-v3-its: Add VLPI configuration handling") -Suggested-by: Marc Zyngier -Signed-off-by: Hagar Hemdan -Signed-off-by: Thomas Gleixner -Cc: stable@vger.kernel.org -Reviewed-by: Marc Zyngier -Link: https://lore.kernel.org/r/20240531162144.28650-1-hagarhem@amazon.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/irqchip/irq-gic-v3-its.c | 44 ++++++++++----------------------------- - 1 file changed, 12 insertions(+), 32 deletions(-) - ---- a/drivers/irqchip/irq-gic-v3-its.c -+++ b/drivers/irqchip/irq-gic-v3-its.c -@@ -1826,28 +1826,22 @@ static int its_vlpi_map(struct irq_data - { - struct its_device *its_dev = irq_data_get_irq_chip_data(d); - u32 event = its_get_event_id(d); -- int ret = 0; - - if (!info->map) - return -EINVAL; - -- raw_spin_lock(&its_dev->event_map.vlpi_lock); -- - if (!its_dev->event_map.vm) { - struct its_vlpi_map *maps; - - maps = kcalloc(its_dev->event_map.nr_lpis, sizeof(*maps), - GFP_ATOMIC); -- if (!maps) { -- ret = -ENOMEM; -- goto out; -- } -+ if (!maps) -+ return -ENOMEM; - - its_dev->event_map.vm = info->map->vm; - its_dev->event_map.vlpi_maps = maps; - } else if (its_dev->event_map.vm != info->map->vm) { -- ret = -EINVAL; -- goto out; -+ return -EINVAL; - } - - /* Get our private copy of the mapping information */ -@@ -1879,46 +1873,32 @@ static int its_vlpi_map(struct irq_data - its_dev->event_map.nr_vlpis++; - } - --out: -- raw_spin_unlock(&its_dev->event_map.vlpi_lock); -- return ret; -+ return 0; - } - - static int its_vlpi_get(struct irq_data *d, struct its_cmd_info *info) - { - struct its_device *its_dev = irq_data_get_irq_chip_data(d); - struct its_vlpi_map *map; -- int ret = 0; -- -- raw_spin_lock(&its_dev->event_map.vlpi_lock); - - map = get_vlpi_map(d); - -- if (!its_dev->event_map.vm || !map) { -- ret = -EINVAL; -- goto out; -- } -+ if (!its_dev->event_map.vm || !map) -+ return -EINVAL; - - /* Copy our mapping information to the incoming request */ - *info->map = *map; - --out: -- raw_spin_unlock(&its_dev->event_map.vlpi_lock); -- return ret; -+ return 0; - } - - static int its_vlpi_unmap(struct irq_data *d) - { - struct its_device *its_dev = irq_data_get_irq_chip_data(d); - u32 event = its_get_event_id(d); -- int ret = 0; - -- raw_spin_lock(&its_dev->event_map.vlpi_lock); -- -- if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) { -- ret = -EINVAL; -- goto out; -- } -+ if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) -+ return -EINVAL; - - /* Drop the virtual mapping */ - its_send_discard(its_dev, event); -@@ -1942,9 +1922,7 @@ static int its_vlpi_unmap(struct irq_dat - kfree(its_dev->event_map.vlpi_maps); - } - --out: -- raw_spin_unlock(&its_dev->event_map.vlpi_lock); -- return ret; -+ return 0; - } - - static int its_vlpi_prop_update(struct irq_data *d, struct its_cmd_info *info) -@@ -1972,6 +1950,8 @@ static int its_irq_set_vcpu_affinity(str - if (!is_v4(its_dev->its)) - return -EINVAL; - -+ guard(raw_spinlock_irq)(&its_dev->event_map.vlpi_lock); -+ - /* Unmap request? */ - if (!info) - return its_vlpi_unmap(d); diff --git a/queue-5.10/series b/queue-5.10/series index 9b23fcd871a..d8d1da69402 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -1,4 +1,3 @@ -irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch tracing-selftests-fix-kprobe-event-name-test-for-.isra.-functions.patch null_blk-print-correct-max-open-zones-limit-in-null_init_zoned_dev.patch wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch diff --git a/queue-5.15/irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch b/queue-5.15/irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch deleted file mode 100644 index ba469582c5e..00000000000 --- a/queue-5.15/irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch +++ /dev/null @@ -1,141 +0,0 @@ -From b97e8a2f7130a4b30d1502003095833d16c028b3 Mon Sep 17 00:00:00 2001 -From: Hagar Hemdan -Date: Fri, 31 May 2024 16:21:44 +0000 -Subject: irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update() - -From: Hagar Hemdan - -commit b97e8a2f7130a4b30d1502003095833d16c028b3 upstream. - -its_vlpi_prop_update() calls lpi_write_config() which obtains the -mapping information for a VLPI without lock held. So it could race -with its_vlpi_unmap(). - -Since all calls from its_irq_set_vcpu_affinity() require the same -lock to be held, hoist the locking there instead of sprinkling the -locking all over the place. - -This bug was discovered using Coverity Static Analysis Security Testing -(SAST) by Synopsys, Inc. - -[ tglx: Use guard() instead of goto ] - -Fixes: 015ec0386ab6 ("irqchip/gic-v3-its: Add VLPI configuration handling") -Suggested-by: Marc Zyngier -Signed-off-by: Hagar Hemdan -Signed-off-by: Thomas Gleixner -Cc: stable@vger.kernel.org -Reviewed-by: Marc Zyngier -Link: https://lore.kernel.org/r/20240531162144.28650-1-hagarhem@amazon.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/irqchip/irq-gic-v3-its.c | 44 ++++++++++----------------------------- - 1 file changed, 12 insertions(+), 32 deletions(-) - ---- a/drivers/irqchip/irq-gic-v3-its.c -+++ b/drivers/irqchip/irq-gic-v3-its.c -@@ -1831,28 +1831,22 @@ static int its_vlpi_map(struct irq_data - { - struct its_device *its_dev = irq_data_get_irq_chip_data(d); - u32 event = its_get_event_id(d); -- int ret = 0; - - if (!info->map) - return -EINVAL; - -- raw_spin_lock(&its_dev->event_map.vlpi_lock); -- - if (!its_dev->event_map.vm) { - struct its_vlpi_map *maps; - - maps = kcalloc(its_dev->event_map.nr_lpis, sizeof(*maps), - GFP_ATOMIC); -- if (!maps) { -- ret = -ENOMEM; -- goto out; -- } -+ if (!maps) -+ return -ENOMEM; - - its_dev->event_map.vm = info->map->vm; - its_dev->event_map.vlpi_maps = maps; - } else if (its_dev->event_map.vm != info->map->vm) { -- ret = -EINVAL; -- goto out; -+ return -EINVAL; - } - - /* Get our private copy of the mapping information */ -@@ -1884,46 +1878,32 @@ static int its_vlpi_map(struct irq_data - its_dev->event_map.nr_vlpis++; - } - --out: -- raw_spin_unlock(&its_dev->event_map.vlpi_lock); -- return ret; -+ return 0; - } - - static int its_vlpi_get(struct irq_data *d, struct its_cmd_info *info) - { - struct its_device *its_dev = irq_data_get_irq_chip_data(d); - struct its_vlpi_map *map; -- int ret = 0; -- -- raw_spin_lock(&its_dev->event_map.vlpi_lock); - - map = get_vlpi_map(d); - -- if (!its_dev->event_map.vm || !map) { -- ret = -EINVAL; -- goto out; -- } -+ if (!its_dev->event_map.vm || !map) -+ return -EINVAL; - - /* Copy our mapping information to the incoming request */ - *info->map = *map; - --out: -- raw_spin_unlock(&its_dev->event_map.vlpi_lock); -- return ret; -+ return 0; - } - - static int its_vlpi_unmap(struct irq_data *d) - { - struct its_device *its_dev = irq_data_get_irq_chip_data(d); - u32 event = its_get_event_id(d); -- int ret = 0; - -- raw_spin_lock(&its_dev->event_map.vlpi_lock); -- -- if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) { -- ret = -EINVAL; -- goto out; -- } -+ if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) -+ return -EINVAL; - - /* Drop the virtual mapping */ - its_send_discard(its_dev, event); -@@ -1947,9 +1927,7 @@ static int its_vlpi_unmap(struct irq_dat - kfree(its_dev->event_map.vlpi_maps); - } - --out: -- raw_spin_unlock(&its_dev->event_map.vlpi_lock); -- return ret; -+ return 0; - } - - static int its_vlpi_prop_update(struct irq_data *d, struct its_cmd_info *info) -@@ -1977,6 +1955,8 @@ static int its_irq_set_vcpu_affinity(str - if (!is_v4(its_dev->its)) - return -EINVAL; - -+ guard(raw_spinlock_irq)(&its_dev->event_map.vlpi_lock); -+ - /* Unmap request? */ - if (!info) - return its_vlpi_unmap(d); diff --git a/queue-5.15/series b/queue-5.15/series index afb73206a03..c234ac29e0c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -138,7 +138,6 @@ drivers-core-synchronize-really_probe-and-dev_uevent.patch drm-exynos-vidi-fix-memory-leak-in-.get_modes.patch drm-exynos-hdmi-report-safe-640x480-mode-as-a-fallback-when-no-edid-found.patch mptcp-ensure-snd_una-is-properly-initialized-on-connect.patch -irqchip-gic-v3-its-fix-potential-race-condition-in-its_vlpi_prop_update.patch tracing-selftests-fix-kprobe-event-name-test-for-.isra.-functions.patch null_blk-print-correct-max-open-zones-limit-in-null_init_zoned_dev.patch sock_map-avoid-race-between-sock_map_close-and-sk_psock_put.patch -- 2.47.3