Date: Thu, 11 Apr 2024 12:19:24 +0100
Message-ID: <86r0fcrvsz.wl-maz@kernel.org>
From: Marc Zyngier
To: Guanrui Huang
Cc: yuzenghui@huawei.com, shannon.zhao@linux.alibaba.com, tglx@linutronix.de, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] irqchip/gic-v3-its: Fix double free on error
In-Reply-To: <20240411105630.53865-1-guanrui.huang@linux.alibaba.com>
References: <20240411105630.53865-1-guanrui.huang@linux.alibaba.com>

On Thu, 11 Apr 2024 11:56:30 +0100, Guanrui Huang wrote:
>
> In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error
> with i > 0, its_vpe_irq_domain_free may free bitmap and vprop_page,
> and then there is a double free in its_vpe_irq_domain_alloc.
>
> Fix it by calling its_vpe_irq_domain_free directly, bitmap and
> vprop_page will be freed in this function.
>
> And check whether its_vm is equal to domain->host_data to make sure
> its_vpe_irq_domain_free handle right its_vm.
>
> Signed-off-by: Guanrui Huang
> --- > drivers/irqchip/irq-gic-v3-its.c | 12 +++++------- > 1 file changed, 5 insertions(+), 7 deletions(-) > > diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c > index fca888b36680..72c44e555c88 100644 > --- a/drivers/irqchip/irq-gic-v3-its.c > +++ b/drivers/irqchip/irq-gic-v3-its.c > @@ -4523,6 +4523,9 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq > > BUG_ON(!vm); > > + if (vm != domain->host_data) > + return -EINVAL; > + How can this happen? > bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); > if (!bitmap) > return -ENOMEM; > @@ -4561,13 +4564,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq > irqd_set_resend_when_in_progress(irq_get_irq_data(virq + i)); > } > > - if (err) { > - if (i > 0) > - its_vpe_irq_domain_free(domain, virq, i); > - > - its_lpi_free(bitmap, base, nr_ids); > - its_free_prop_table(vprop_page); > - } > + if (err) > + its_vpe_irq_domain_free(domain, virq, i); > > return err; > }

This otherwise looks reasonable.

Thanks,

	M.

-- 
Without deviation from the norm, progress is not possible.
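Review bot: In the first hunk, the new `if (vm != domain->host_data) return -EINVAL;` placed after `BUG_ON(!vm)` has no comment saying when the two pointers can differ, and the commit message only says the check makes its_vpe_irq_domain_free handle the right its_vm. Please name, in a comment or in the changelog, the caller that can pass a vm other than the domain's host_data; if there is none, drop the check. As written, the function also treats two kinds of bad input differently: a NULL vm hits BUG_ON, while a mismatched vm returns -EINVAL.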
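Review bot: In the second hunk, dropping the `if (i > 0)` guard means `its_vpe_irq_domain_free(domain, virq, i)` now runs with i == 0 when the first iteration fails, and it becomes the only path that releases bitmap and vprop_page. Nothing in the hunk shows that the free function releases both when called with a zero count; if it does not, the double free turns into a leak. Please confirm that case and state it in the commit message, and consider a short comment above `if (err)` noting that its_vpe_irq_domain_free owns the release of bitmap and vprop_page.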