[PATCH] irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update()

From: Hagar Hemdan <hagarhem@amazon.com>
Cc: Maximilian Heyne <mheyne@amazon.de>,
	Norbert Manthey <nmanthey@amazon.de>,
	Hagar Hemdan <hagarhem@amazon.com>, Marc Zyngier <maz@kernel.org>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	Eric Auger <eric.auger@redhat.com>,
	<linux-arm-kernel@lists.infradead.org>,
	<linux-kernel@vger.kernel.org>
Subject: [PATCH] irqchip/gic-v3-its: Fix potential race condition in its_vlpi_prop_update()
Date: Thu, 30 May 2024 10:57:13 +0000	[thread overview]
Message-ID: <20240530105713.18552-1-hagarhem@amazon.com> (raw)

Similar to commit 046b5054f566 ("irqchip/gic-v3-its: Lock VLPI map array
before translating it"), its_vlpi_prop_update() calls lpi_write_config()
which obtains the mapping information for a VLPI.
This should always be done with vlpi_lock for this device held. Otherwise,
its_vlpi_prop_update() could race with its_vlpi_unmap().

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Fixes: 015ec0386ab6 ("irqchip/gic-v3-its: Add VLPI configuration handling")
Signed-off-by: Hagar Hemdan <hagarhem@amazon.com>
---
 drivers/irqchip/irq-gic-v3-its.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 40ebf1726393..ecaad1786345 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -1970,9 +1970,13 @@ static int its_vlpi_unmap(struct irq_data *d)
 static int its_vlpi_prop_update(struct irq_data *d, struct its_cmd_info *info)
 {
 	struct its_device *its_dev = irq_data_get_irq_chip_data(d);
+	int ret = 0;
 
-	if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d))
-		return -EINVAL;
+	raw_spin_lock(&its_dev->event_map.vlpi_lock);
+	if (!its_dev->event_map.vm || !irqd_is_forwarded_to_vcpu(d)) {
+		ret = -EINVAL;
+		goto out;
+	}
 
 	if (info->cmd_type == PROP_UPDATE_AND_INV_VLPI)
 		lpi_update_config(d, 0xff, info->config);
@@ -1980,7 +1984,9 @@ static int its_vlpi_prop_update(struct irq_data *d, struct its_cmd_info *info)
 		lpi_write_config(d, 0xff, info->config);
 	its_vlpi_set_doorbell(d, !!(info->config & LPI_PROP_ENABLED));
 
-	return 0;
+out:
+	raw_spin_unlock(&its_dev->event_map.vlpi_lock);
+	return ret;
 }
 
 static int its_irq_set_vcpu_affinity(struct irq_data *d, void *vcpu_info)
-- 
2.40.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
