linux-brain/drivers
Maximilian Heyne b9cd73cce5 xen/events: Fix race in set_evtchn_to_irq
[ Upstream commit 88ca2521bd5b4e8b83743c01a2d4cb09325b51e9 ]

There is a TOCTOU issue in set_evtchn_to_irq. Rows in the evtchn_to_irq
mapping are lazily allocated in this function. The check whether the row
is already present and the row initialization are not synchronized. Two
threads can at the same time allocate a new row for evtchn_to_irq and
add the irq mapping to their newly allocated row. One thread will
overwrite what the other has set for evtchn_to_irq[row] and therefore
the irq mapping is lost. This will trigger a BUG_ON later in
bind_evtchn_to_cpu:

  INFO: pci 0000:1a:15.4: [1d0f:8061] type 00 class 0x010802
  INFO: nvme 0000:1a:12.1: enabling device (0000 -> 0002)
  INFO: nvme nvme77: 1/0/0 default/read/poll queues
  CRIT: kernel BUG at drivers/xen/events/events_base.c:427!
  WARN: invalid opcode: 0000 [#1] SMP NOPTI
  WARN: Workqueue: nvme-reset-wq nvme_reset_work [nvme]
  WARN: RIP: e030:bind_evtchn_to_cpu+0xc2/0xd0
  WARN: Call Trace:
  WARN:  set_affinity_irq+0x121/0x150
  WARN:  irq_do_set_affinity+0x37/0xe0
  WARN:  irq_setup_affinity+0xf6/0x170
  WARN:  irq_startup+0x64/0xe0
  WARN:  __setup_irq+0x69e/0x740
  WARN:  ? request_threaded_irq+0xad/0x160
  WARN:  request_threaded_irq+0xf5/0x160
  WARN:  ? nvme_timeout+0x2f0/0x2f0 [nvme]
  WARN:  pci_request_irq+0xa9/0xf0
  WARN:  ? pci_alloc_irq_vectors_affinity+0xbb/0x130
  WARN:  queue_request_irq+0x4c/0x70 [nvme]
  WARN:  nvme_reset_work+0x82d/0x1550 [nvme]
  WARN:  ? check_preempt_wakeup+0x14f/0x230
  WARN:  ? check_preempt_curr+0x29/0x80
  WARN:  ? nvme_irq_check+0x30/0x30 [nvme]
  WARN:  process_one_work+0x18e/0x3c0
  WARN:  worker_thread+0x30/0x3a0
  WARN:  ? process_one_work+0x3c0/0x3c0
  WARN:  kthread+0x113/0x130
  WARN:  ? kthread_park+0x90/0x90
  WARN:  ret_from_fork+0x3a/0x50

This patch sets evtchn_to_irq rows via a cmpxchg operation so that they
will be set only once. The row is now cleared before writing it to
evtchn_to_irq in order to not create a race once the row is visible for
other threads.

While at it, do not require the page to be zeroed, because it will be
overwritten with -1's in clear_evtchn_to_irq_row anyway.

Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
Fixes: d0b075ffee ("xen/events: Refactor evtchn_to_irq array to be dynamically allocated")
Link: https://lore.kernel.org/r/20210812130930.127134-1-mheyne@amazon.de
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-08-18 08:57:01 +02:00
accessibility
acpi ACPI: NFIT: Fix support for virtual SPA ranges 2021-08-18 08:56:57 +02:00
amba amba: Fix resource leak for drivers without .remove 2021-03-04 10:26:32 +01:00
android binder: add flag to clear buffer on txn complete 2020-12-30 11:51:35 +01:00
ata libata: fix ata_pio_sector for CONFIG_HIGHMEM 2021-08-12 13:21:04 +02:00
atm atm: nicstar: register the interrupt handler in the right place 2021-07-19 08:53:12 +02:00
auxdisplay auxdisplay: ht16k33: Fix refresh rate handling 2021-03-04 10:26:30 +01:00
base firmware_loader: fix use-after-free in firmware_fallback_sysfs 2021-08-12 13:20:59 +02:00
bcma
block rbd: always kick acquire on "acquired" and "released" notifications 2021-07-28 13:31:01 +02:00
bluetooth Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc. 2021-07-19 08:53:13 +02:00
bus bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act 2021-06-10 13:37:08 +02:00
cdrom cdrom: gdrom: initialize global variable at init time 2021-05-26 12:05:19 +02:00
char tpm_ftpm_tee: Free and unregister TEE shared memory during kexec 2021-08-12 13:21:01 +02:00
clk clk: fix leak on devm_clk_bulk_get_all() unwind 2021-08-12 13:21:00 +02:00
clocksource clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround 2021-07-19 08:53:15 +02:00
connector
counter counter: stm32-timer-cnt: fix ceiling miss-alignment with reload register 2021-04-14 08:24:09 +02:00
cpufreq cpufreq: Make cpufreq_online() call driver->offline() on errors 2021-07-14 16:53:25 +02:00
cpuidle
crypto crypto: ccp - Annotate SEV Firmware file names 2021-07-19 08:53:14 +02:00
dax device-dax/core: Fix memory leak when rmmod dax.ko 2020-12-30 11:51:46 +01:00
dca
devfreq PM / devfreq: Use more accurate returned new_freq as resume_freq 2021-05-14 09:44:20 +02:00
dio
dma dmaengine: imx-dma: configure the generic DMA type to make it work 2021-08-12 13:20:56 +02:00
dma-buf dma-buf/sync_file: Don't leak fences on merge failure 2021-07-25 14:35:15 +02:00
edac EDAC/Intel: Do not load EDAC driver when running as a guest 2021-07-14 16:53:18 +02:00
eisa
extcon extcon: intel-mrfld: Sync hardware and software state on init 2021-07-19 08:53:16 +02:00
firewire firewire: nosy: Fix a use-after-free bug in nosy_ioctl() 2021-04-07 14:47:43 +02:00
firmware firmware: arm_scmi: Add delayed response status check 2021-08-08 09:04:08 +02:00
fpga fpga: stratix10-soc: Add missing fpga_mgr_free() call 2021-07-19 08:53:15 +02:00
fsi fsi/sbefifo: Fix reset timeout 2021-07-14 16:53:42 +02:00
gnss
gpio gpio: tqmx86: really make IRQ optional 2021-08-12 13:20:57 +02:00
gpu drm/meson: fix colour distortion from HDR set during vendor u-boot 2021-08-18 08:56:59 +02:00
greybus
hid HID: wacom: Re-enable touch by default for Cintiq 24HDT / 27QHDT 2021-08-04 12:27:38 +02:00
hsi HSI: core: fix resource leaks in hsi_add_client_from_dt() 2021-05-14 09:44:25 +02:00
hv hv_utils: Fix passing zero to 'PTR_ERR' warning 2021-07-14 16:53:16 +02:00
hwmon hwmon: (max31790) Fix fan speed reporting for fan7..12 2021-07-14 16:53:23 +02:00
hwspinlock
hwtracing intel_th: Wait until port is in reset before programming it 2021-07-20 16:10:46 +02:00
i2c i2c: dev: zero out array used for i2c reads from userspace 2021-08-18 08:56:56 +02:00
i3c Revert "i3c master: fix missing destroy_workqueue() on error in i3c_master_register" 2021-05-14 09:44:15 +02:00
ide scsi: ide: Do not set the RQF_PREEMPT flag for sense requests 2021-01-12 20:16:09 +01:00
idle
iio iio: adc: Fix incorrect exit of for-loop 2021-08-18 08:56:56 +02:00
infiniband RDMA/cma: Fix rdma_resolve_route() memory leak 2021-07-19 08:53:13 +02:00
input Input: hideep - fix the uninitialized use in hideep_nvm_unlock() 2021-07-20 16:10:45 +02:00
interconnect interconnect: core: fix error return code of icc_link_destroy() 2021-04-16 11:46:37 +02:00
iommu iommu/arm-smmu: Fix arm_smmu_device refcount leak in address translation 2021-07-20 16:10:44 +02:00
ipack ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe 2021-07-19 08:53:17 +02:00
irqchip irqchip/gic-v3: Fix OF_BAD_ADDR error handling 2021-05-14 09:44:20 +02:00
isdn mISDN: fix possible use-after-free in HFC_cleanup() 2021-07-19 08:53:08 +02:00
leds leds: ktd2692: Fix an error handling path 2021-07-14 16:53:47 +02:00
lightnvm lightnvm: fix memory leak when submit fails 2021-01-27 11:47:53 +01:00
macintosh
mailbox
mcb
md md/raid10: properly indicate failure when ending a failed write request 2021-08-12 13:21:03 +02:00
media media: v4l2-mem2mem: always consider OUTPUT queue during poll 2021-08-15 13:08:02 +02:00
memory memory: fsl_ifc: fix leak of private memory on probe failure 2021-07-20 16:10:52 +02:00
memstick memstick: rtsx_usb_ms: fix UAF 2021-07-14 16:53:13 +02:00
message
mfd mfd: cpcap: Fix cpcap dmamask not set warnings 2021-07-20 16:10:43 +02:00
misc misc: alcor_pci: fix inverted branch condition 2021-07-20 16:10:53 +02:00
mmc mmc: core: Allow UHS-I voltage switch for SDSC cards if supported 2021-07-19 08:53:15 +02:00
mtd mtd: rawnand: marvell: add missing clk_disable_unprepare() on error in marvell_nfc_resume() 2021-07-14 16:53:45 +02:00
mux
net net: dsa: sja1105: fix broken backpressure in .port_fdb_dump 2021-08-18 08:57:00 +02:00
nfc nfc: nfcsim: fix use after free during module unload 2021-08-04 12:27:38 +02:00
ntb
nubus
nvdimm libnvdimm/region: Fix label activation vs errors 2021-08-18 08:56:57 +02:00
nvme nvme: fix nvme_setup_command metadata trace event 2021-08-08 09:04:08 +02:00
nvmem nvmem: core: add a missing of_node_put 2021-07-19 08:53:16 +02:00
of of: Fix truncation of memory sizes on 32-bit platforms 2021-07-14 16:53:45 +02:00
opp
oprofile
parisc
parport
pci PCI: mvebu: Setup BAR0 in order to fix MSI 2021-08-04 12:27:40 +02:00
pcmcia pcmcia: i82092: fix a null pointer dereference bug 2021-08-12 13:21:03 +02:00
perf drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe() 2021-07-14 16:53:14 +02:00
phy phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe() 2021-07-14 16:53:46 +02:00
pinctrl pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq() 2021-07-19 08:53:18 +02:00
platform platform/x86: pcengines-apuv2: Add missing terminating entries to gpio-lookup tables 2021-08-18 08:56:58 +02:00
pnp
power power: supply: rt5033_battery: Fix device tree enumeration 2021-07-20 16:10:49 +02:00
powercap
pps
ps3 powerpc/ps3: use dma_mapping_error() 2020-12-30 11:51:26 +01:00
ptp ptp: improve max_adj check against unreasonable values 2021-06-23 14:41:26 +02:00
pwm pwm: sprd: Ensure configuring period and duty_cycle isn't wrongly skipped 2021-07-28 13:30:53 +02:00
rapidio rapidio: handle create_workqueue() failure 2021-05-26 12:05:17 +02:00
ras RAS/CEC: Correct ce_add_elem()'s returned values 2021-04-14 08:24:18 +02:00
regulator regulator: hi6421: Fix getting wrong drvdata 2021-07-28 13:30:55 +02:00
remoteproc remoteproc: qcom: Fix potential NULL dereference in adsp_init_mmio() 2020-12-30 11:51:24 +01:00
reset reset: ti-syscon: fix to_ti_syscon_reset_data macro 2021-07-25 14:35:10 +02:00
rpmsg rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() 2021-05-19 10:08:25 +02:00
rtc rtc: max77686: Do not enforce (incorrect) interrupt trigger type 2021-07-25 14:35:12 +02:00
s390 s390/sclp_vt220: fix console name to match device 2021-07-20 16:10:43 +02:00
sbus
scsi scsi: sr: Return correct event when media event code is 3 2021-08-12 13:20:56 +02:00
sfi
sh
siox
slimbus slimbus: qcom-ngd-ctrl: Avoid sending power requests without QMI 2020-12-30 11:51:13 +01:00
soc soc: ixp4xx/qmgr: fix invalid __iomem access 2021-08-12 13:21:04 +02:00
soundwire soundwire: stream: Fix test for DP prepare complete 2021-07-14 16:53:45 +02:00
spi spi: meson-spicc: fix memory leak in meson_spicc_remove 2021-08-12 13:21:04 +02:00
spmi spmi: spmi-pmic-arb: Fix hw_irq overflow 2021-03-04 10:26:49 +01:00
ssb ssb: Fix error return code in ssb_bus_scan() 2021-07-14 16:53:29 +02:00
staging staging: rtl8712: get rid of flush_scheduled_work 2021-08-12 13:21:01 +02:00
target scsi: target: Fix protect handling in WRITE SAME(32) 2021-07-28 13:30:56 +02:00
tc
tee tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag 2021-08-15 13:08:02 +02:00
thermal thermal/core: Correct function name thermal_zone_device_unregister() 2021-07-25 14:35:12 +02:00
thunderbolt thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue 2021-06-03 08:59:03 +02:00
tty serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts. 2021-08-12 13:21:03 +02:00
uio uio_hv_generic: Fix a memory leak in error handling paths 2021-05-26 12:05:17 +02:00
usb USB:ehci:fix Kunpeng920 ehci hardware problem 2021-08-15 13:08:04 +02:00
vfio vfio/pci: Handle concurrent vma faults 2021-07-14 16:53:47 +02:00
vhost vhost: Fix vhost_vq_reset() 2021-04-07 14:47:39 +02:00
video backlight: lm3630a: Fix return code of .update_status() callback 2021-07-20 16:10:45 +02:00
virt virt: vbox: Do not use wait_event_interruptible when called from kernel context 2021-03-04 10:26:10 +01:00
virtio virtio_ring: Fix two use after free bugs 2020-12-30 11:51:29 +01:00
visorbus visorbus: fix error return code in visorchipset_init() 2021-07-14 16:53:42 +02:00
vlynq
vme
w1 w1: ds2438: fixing bug that would always get page0 2021-07-20 16:10:41 +02:00
watchdog Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" 2021-08-08 09:04:08 +02:00
xen xen/events: Fix race in set_evtchn_to_irq 2021-08-18 08:57:01 +02:00
zorro
Kconfig
Makefile