lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aHjBe9k2Igl2iopq@lpieralisi>
Date: Thu, 17 Jul 2025 11:25:15 +0200
From: Lorenzo Pieralisi <lpieralisi@...nel.org>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: Marc Zyngier <maz@...nel.org>, Thomas Gleixner <tglx@...utronix.de>,
	Timothy Hayes <timothy.hayes@....com>,
	Sascha Bischoff <sascha.bischoff@....com>,
	linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/3] irqchip/gic-v5: Fix error handling in
 gicv5_its_irq_domain_alloc()

On Wed, Jul 16, 2025 at 02:38:22PM -0500, Dan Carpenter wrote:
> There are two issues to fix in this code:
> 1) If gicv5_alloc_lpi() fails the original code was checking the wrong
> variable.  Fix the mixup between "ret" and "lpi".
> 2) If irq_domain_alloc_irqs_parent() fails, then clean up all the loop
> iterations instead of just the current iteration.
> 
> Fixes: 57d72196dfc8 ("irqchip/gic-v5: Add GICv5 ITS support")
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> ---
>  drivers/irqchip/irq-gic-v5-its.c | 14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/irqchip/irq-gic-v5-its.c b/drivers/irqchip/irq-gic-v5-its.c
> index 55360ae9f1f6..8cc8563e27d5 100644
> --- a/drivers/irqchip/irq-gic-v5-its.c
> +++ b/drivers/irqchip/irq-gic-v5-its.c
> @@ -949,15 +949,18 @@ static int gicv5_its_irq_domain_alloc(struct irq_domain *domain, unsigned int vi
>  	device_id = its_dev->device_id;
>  
>  	for (i = 0; i < nr_irqs; i++) {
> -		lpi = gicv5_alloc_lpi();
> +		ret = gicv5_alloc_lpi();
>  		if (ret < 0) {
>  			pr_debug("Failed to find free LPI!\n");
>  			goto out_eventid;

This should be:

goto out_free_lpi;

otherwise we miss cleaning up for [0, i - 1] on LPI alloc failure.

I can fix it up - not sure it is worth splitting it into two patches,
just let me know please how you want me to handle it.

Thanks,
Lorenzo

>  		}
> +		lpi = ret;
>  
>  		ret = irq_domain_alloc_irqs_parent(domain, virq + i, 1, &lpi);
> -		if (ret)
> +		if (ret) {
> +			gicv5_free_lpi(lpi);
>  			goto out_free_lpi;
> +		}
>  
>  		/*
>  		 * Store eventid and deviceid into the hwirq for later use.
> @@ -979,7 +982,12 @@ static int gicv5_its_irq_domain_alloc(struct irq_domain *domain, unsigned int vi
>  	return 0;
>  
>  out_free_lpi:
> -	gicv5_free_lpi(lpi);
> +	while (--i >= 0) {
> +		irqd = irq_domain_get_irq_data(domain, virq + i);
> +		gicv5_free_lpi(irqd->parent_data->hwirq);
> +		irq_domain_reset_irq_data(irqd);
> +		irq_domain_free_irqs_parent(domain, virq + i, 1);
> +	}
>  out_eventid:
>  	gicv5_its_free_eventid(its_dev, event_id_base, nr_irqs);
>  	return ret;
> -- 
> 2.47.2
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ