linux/drivers/xen
Maximilian Heyne 88ca2521bd xen/events: Fix race in set_evtchn_to_irq
There is a TOCTOU issue in set_evtchn_to_irq. Rows in the evtchn_to_irq
mapping are lazily allocated in this function. The check whether the row
is already present and the row initialization is not synchronized. Two
threads can at the same time allocate a new row for evtchn_to_irq and
add the irq mapping to the their newly allocated row. One thread will
overwrite what the other has set for evtchn_to_irq[row] and therefore
the irq mapping is lost. This will trigger a BUG_ON later in
bind_evtchn_to_cpu:

  INFO: pci 0000:1a:15.4: [1d0f:8061] type 00 class 0x010802
  INFO: nvme 0000:1a:12.1: enabling device (0000 -> 0002)
  INFO: nvme nvme77: 1/0/0 default/read/poll queues
  CRIT: kernel BUG at drivers/xen/events/events_base.c:427!
  WARN: invalid opcode: 0000 [#1] SMP NOPTI
  WARN: Workqueue: nvme-reset-wq nvme_reset_work [nvme]
  WARN: RIP: e030:bind_evtchn_to_cpu+0xc2/0xd0
  WARN: Call Trace:
  WARN:  set_affinity_irq+0x121/0x150
  WARN:  irq_do_set_affinity+0x37/0xe0
  WARN:  irq_setup_affinity+0xf6/0x170
  WARN:  irq_startup+0x64/0xe0
  WARN:  __setup_irq+0x69e/0x740
  WARN:  ? request_threaded_irq+0xad/0x160
  WARN:  request_threaded_irq+0xf5/0x160
  WARN:  ? nvme_timeout+0x2f0/0x2f0 [nvme]
  WARN:  pci_request_irq+0xa9/0xf0
  WARN:  ? pci_alloc_irq_vectors_affinity+0xbb/0x130
  WARN:  queue_request_irq+0x4c/0x70 [nvme]
  WARN:  nvme_reset_work+0x82d/0x1550 [nvme]
  WARN:  ? check_preempt_wakeup+0x14f/0x230
  WARN:  ? check_preempt_curr+0x29/0x80
  WARN:  ? nvme_irq_check+0x30/0x30 [nvme]
  WARN:  process_one_work+0x18e/0x3c0
  WARN:  worker_thread+0x30/0x3a0
  WARN:  ? process_one_work+0x3c0/0x3c0
  WARN:  kthread+0x113/0x130
  WARN:  ? kthread_park+0x90/0x90
  WARN:  ret_from_fork+0x3a/0x50

This patch sets evtchn_to_irq rows via a cmpxchg operation so that they
will be set only once. The row is now cleared before writing it to
evtchn_to_irq in order to not create a race once the row is visible for
other threads.

While at it, do not require the page to be zeroed, because it will be
overwritten with -1's in clear_evtchn_to_irq_row anyway.

Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
Fixes: d0b075ffee ("xen/events: Refactor evtchn_to_irq array to be dynamically allocated")
Link: https://lore.kernel.org/r/20210812130930.127134-1-mheyne@amazon.de
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
2021-08-12 10:49:54 -05:00
..
events xen/events: Fix race in set_evtchn_to_irq 2021-08-12 10:49:54 -05:00
xen-pciback xen-pciback: reconfigure also from backend watch handler 2021-05-21 09:55:16 +02:00
xenbus xen: Use DEVICE_ATTR_*() macro 2021-07-05 09:23:31 +02:00
xenfs
acpi.c
arm-device.c
balloon.c mm/memory_hotplug: MEMHP_MERGE_RESOURCE -> MHP_MERGE_RESOURCE 2021-02-26 09:41:00 -08:00
biomerge.c
cpu_hotplug.c xen/cpuhotplug: Fix initial CPU offlining for PV(H) guests 2020-05-21 13:01:45 -05:00
dbgp.c
efi.c
evtchn.c xen/evtchn: use READ/WRITE_ONCE() for accessing ring indices 2021-02-23 10:07:52 -06:00
features.c
gntalloc.c
gntdev-common.h xen: Use evtchn_type_t as a type for event channels 2020-04-07 12:12:54 +02:00
gntdev-dmabuf.c xen: gntdev: fix common struct sg_table related issues 2020-09-10 08:18:35 +02:00
gntdev-dmabuf.h
gntdev.c xen/gntdev: fix gntdev_mmap() error exit path 2021-05-10 09:32:00 +02:00
grant-table.c xen: don't use page->lru for ZONE_DEVICE memory 2020-12-09 10:31:41 +01:00
Kconfig xen: Remove support for PV ACPI cpu/memory hotplug 2021-04-23 09:31:50 +02:00
Makefile xen: Remove support for PV ACPI cpu/memory hotplug 2021-04-23 09:31:50 +02:00
manage.c xen/manage: Fix fall-through warnings for Clang 2020-12-16 07:58:44 +01:00
mcelog.c
mem-reservation.c
pci.c
pcpu.c xen: Use DEVICE_ATTR_*() macro 2021-07-05 09:23:31 +02:00
platform-pci.c xen: Set platform PCI device INTX affinity to CPU0 2021-01-13 16:12:03 +01:00
privcmd-buf.c
privcmd.c xen/privcmd: allow fetching resource sizes 2021-01-13 12:31:17 +01:00
privcmd.h
pvcalls-back.c xen/events: link interdomain events to associated xenbus device 2021-02-11 14:47:00 -08:00
pvcalls-front.c xen: remove redundant initialization of variable ret 2020-10-04 18:41:33 -05:00
pvcalls-front.h
swiotlb-xen.c xen/swiotlb: check if the swiotlb has already been initialized 2021-05-14 15:52:11 +02:00
sys-hypervisor.c
time.c x86/paravirt: Switch time pvops functions to use static_call() 2021-03-11 16:17:52 +01:00
unpopulated-alloc.c xen/unpopulated-alloc: fix error return code in fill_list() 2021-05-10 09:42:25 +02:00
xen-acpi-pad.c
xen-acpi-processor.c xen: Replace lkml.org links with lore 2021-02-23 10:08:07 -06:00
xen-balloon.c xen: Use DEVICE_ATTR_*() macro 2021-07-05 09:23:31 +02:00
xen-front-pgdir-shbuf.c xen-front-pgdir-shbuf: don't record wrong grant handle upon error 2021-02-23 12:35:43 -06:00
xen-scsiback.c scsi: target: core: Add gfp_t arg to target_cmd_init_cdb() 2021-03-04 17:37:02 -05:00
xlate_mmu.c xen: add helpers to allocate unpopulated memory 2020-09-04 10:00:01 +02:00