* [PATCH v4 1/2] irqchip/gic-v3-its: Fix double free on error
From: Guanrui Huang @ 2024-04-13 6:40 UTC
To: maz
Cc: yuzenghui, shannon.zhao, tglx, linux-arm-kernel, linux-kernel,
Guanrui Huang
In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error
with i > 0, its_vpe_irq_domain_free may free bitmap and vprop_page,
and then there is a double free in its_vpe_irq_domain_alloc.
Fix it by calling its_vpe_irq_domain_free directly, bitmap and
vprop_page will be freed in this function.
Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
---
drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index fca888b36680..2305f6b524a9 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -4561,13 +4561,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
irqd_set_resend_when_in_progress(irq_get_irq_data(virq + i));
}
- if (err) {
- if (i > 0)
- its_vpe_irq_domain_free(domain, virq, i);
-
- its_lpi_free(bitmap, base, nr_ids);
- its_free_prop_table(vprop_page);
- }
+ if (err)
+ its_vpe_irq_domain_free(domain, virq, i);
return err;
}
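Review bot: the `i > 0` guard is dropped in the new `if (err)` branch, so a failure on the first loop iteration now calls its_vpe_irq_domain_free(domain, virq, 0), and the direct its_lpi_free(bitmap, base, nr_ids) and its_free_prop_table(vprop_page) calls that used to cover that case are gone. The commit message says the free function releases bitmap and vprop_page, but it should state that this also holds when the count is 0; otherwise the double free becomes a leak on that path. A one-line comment above the call noting that its_vpe_irq_domain_free() owns both allocations would help keep the direct frees from being reintroduced.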
--
2.36.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
* [PATCH v4 2/2] irqchip/gic-v3-its: remove BUG_ON in its_vpe_irq_domain_alloc
From: Guanrui Huang @ 2024-04-13 6:40 UTC
To: maz
Cc: yuzenghui, shannon.zhao, tglx, linux-arm-kernel, linux-kernel,
Guanrui Huang
If vm is NULL in here, that means caller has a bug.
BUG_ON in here is useless, this will paper over bug.
So just remove this check.
Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
---
drivers/irqchip/irq-gic-v3-its.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 2305f6b524a9..55c83e19719d 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -4521,8 +4521,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
struct page *vprop_page;
int base, nr_ids, i, err = 0;
- BUG_ON(!vm);
-
bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
if (!bitmap)
return -ENOMEM;
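Review bot: the stated reason for deleting `BUG_ON(!vm);` ahead of the its_lpi_alloc() call does not match what the line does: BUG_ON stops the system when vm is NULL, it does not hide the condition. Reword the commit message to say that a NULL vm is a caller bug and that the explicit check is being dropped as unnecessary, and mention where vm is next used, since no dereference of vm is visible in this hunk.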
--
2.36.1
* Re: [PATCH v4 2/2] irqchip/gic-v3-its: remove BUG_ON in its_vpe_irq_domain_alloc
From: Marc Zyngier @ 2024-04-13 8:44 UTC
To: Guanrui Huang
Cc: yuzenghui, shannon.zhao, tglx, linux-arm-kernel, linux-kernel
On Sat, 13 Apr 2024 07:40:51 +0100,
Guanrui Huang <guanrui.huang@linux.alibaba.com> wrote:
>
> If vm is NULL in here, that means caller has a bug.
> BUG_ON in here is useless, this will paper over bug.
This BUG_ON() doesn't paper over a bug like your previous patch
did. It catches a bug (vm should never be NULL), but also forces the
system to crash for no good reason.
The same effect will be obtained by letting the code run its course
and vm being dereferenced, triggering an exception.
>
> So just remove this check.
>
> Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
> ---
> drivers/irqchip/irq-gic-v3-its.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
> index 2305f6b524a9..55c83e19719d 100644
> --- a/drivers/irqchip/irq-gic-v3-its.c
> +++ b/drivers/irqchip/irq-gic-v3-its.c
> @@ -4521,8 +4521,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
> struct page *vprop_page;
> int base, nr_ids, i, err = 0;
>
> - BUG_ON(!vm);
> -
> bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
> if (!bitmap)
> return -ENOMEM;
With the commit message fixed:
Acked-by: Marc Zyngier <maz@kernel.org>
M.
--
Without deviation from the norm, progress is not possible.
* Re: [PATCH v4 1/2] irqchip/gic-v3-its: Fix double free on error
From: Marc Zyngier @ 2024-04-13 8:44 UTC
To: Guanrui Huang
Cc: yuzenghui, shannon.zhao, tglx, linux-arm-kernel, linux-kernel
On Sat, 13 Apr 2024 07:40:50 +0100,
Guanrui Huang <guanrui.huang@linux.alibaba.com> wrote:
>
> In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error
> with i > 0, its_vpe_irq_domain_free may free bitmap and vprop_page,
> and then there is a double free in its_vpe_irq_domain_alloc.
>
> Fix it by calling its_vpe_irq_domain_free directly, bitmap and
> vprop_page will be freed in this function.
>
> Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
> ---
> drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
> 1 file changed, 2 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
> index fca888b36680..2305f6b524a9 100644
> --- a/drivers/irqchip/irq-gic-v3-its.c
> +++ b/drivers/irqchip/irq-gic-v3-its.c
> @@ -4561,13 +4561,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
> irqd_set_resend_when_in_progress(irq_get_irq_data(virq + i));
> }
>
> - if (err) {
> - if (i > 0)
> - its_vpe_irq_domain_free(domain, virq, i);
> -
> - its_lpi_free(bitmap, base, nr_ids);
> - its_free_prop_table(vprop_page);
> - }
> + if (err)
> + its_vpe_irq_domain_free(domain, virq, i);
>
> return err;
> }
Reviewed-by: Marc Zyngier <maz@kernel.org>
M.
--
Without deviation from the norm, progress is not possible.