39 lines
1.3 KiB
Diff
39 lines
1.3 KiB
Diff
|
From: Jan Beulich <jbeulich@suse.com>
|
||
|
|
Subject: x86/IRQ: avoid double unlock in map_domain_pirq()
|
||
|
|
|
||
|
|
Forever since its introduction the main loop in the function dealing
|
||
|
|
with multi-vector MSI had error exit points ("break") with different
|
||
|
|
properties: In one case no IRQ descriptor lock is being held.
|
||
|
|
Nevertheless the subsequent error cleanup path assumed such a lock would
|
||
|
|
uniformly need releasing. Identify the case by setting "desc" to NULL,
|
||
|
|
thus allowing the unlock to be skipped as necessary.
|
||
|
|
|
||
|
|
This is CVE-2024-31143 / XSA-458.
|
||
|
|
|
||
|
|
Coverity ID: 1605298
|
||
|
|
Fixes: d1b6d0a02489 ("x86: enable multi-vector MSI")
|
||
|
|
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
||
|
|
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
|
||
|
|
|
||
|
|
--- a/xen/arch/x86/irq.c
|
||
|
|
+++ b/xen/arch/x86/irq.c
|
||
|
|
@@ -2286,6 +2286,7 @@ int map_domain_pirq(
|
||
|
|
|
||
|
|
set_domain_irq_pirq(d, irq, info);
|
||
|
|
spin_unlock_irqrestore(&desc->lock, flags);
|
||
|
|
+ desc = NULL;
|
||
|
|
|
||
|
|
info = NULL;
|
||
|
|
irq = create_irq(NUMA_NO_NODE, true);
|
||
|
|
@@ -2321,7 +2322,9 @@ int map_domain_pirq(
|
||
|
|
|
||
|
|
if ( ret )
|
||
|
|
{
|
||
|
|
- spin_unlock_irqrestore(&desc->lock, flags);
|
||
|
|
+ if ( desc )
|
||
|
|
+ spin_unlock_irqrestore(&desc->lock, flags);
|
||
|
|
+
|
||
|
|
pci_disable_msi(msi_desc);
|
||
|
|
if ( nr )
|
||
|
|
{
|