blob: 686e1421c73467ccde58ef8b67a5ba4b70f1d2f5 (plain)
From d46a1ce3175dc45e97a8c9b89b0d0ff46145ae64 Mon Sep 17 00:00:00 2001
From: Jan Beulich <jbeulich@suse.com>
Date: Tue, 16 Jul 2024 14:14:43 +0200
Subject: [PATCH 53/56] x86/IRQ: avoid double unlock in map_domain_pirq()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Forever since its introduction the main loop in the function dealing
with multi-vector MSI had error exit points ("break") with different
properties: In one case no IRQ descriptor lock is being held.
Nevertheless the subsequent error cleanup path assumed such a lock would
uniformly need releasing. Identify the case by setting "desc" to NULL,
thus allowing the unlock to be skipped as necessary.

This is CVE-2024-31143 / XSA-458.

Coverity ID: 1605298
Fixes: d1b6d0a02489 ("x86: enable multi-vector MSI")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
master commit: 57338346f29cea7b183403561bdc5f407163b846
master date: 2024-07-16 14:09:14 +0200
---
 xen/arch/x86/irq.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/irq.c b/xen/arch/x86/irq.c
index 00be3b88e8..5dae8bd1b9 100644
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -2287,6 +2287,7 @@ int map_domain_pirq(
 
             set_domain_irq_pirq(d, irq, info);
             spin_unlock_irqrestore(&desc->lock, flags);
+            desc = NULL;
 
             info = NULL;
             irq = create_irq(NUMA_NO_NODE, true);
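Review bot: The new `desc = NULL;` turns `desc` into an implicit "lock held" flag, mirroring the `info = NULL;` two lines below, but nothing at this site says so; a one-line comment such as `/* Lock released; mark so the error path doesn't unlock again. */` would document the convention that the cleanup code at the end of the loop now depends on. Any future `break` added between this unlock and the next assignment to `desc` must keep `desc` NULL, or the double unlock returns.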
@@ -2322,7 +2323,9 @@ int map_domain_pirq(
 
         if ( ret )
         {
-            spin_unlock_irqrestore(&desc->lock, flags);
+            if ( desc )
+                spin_unlock_irqrestore(&desc->lock, flags);
+
             pci_disable_msi(msi_desc);
             if ( nr )
             {
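Review bot: Guarding the unlock with `if ( desc )` fixes the double release for the exit path where the descriptor lock was already dropped, and `flags` is only consumed inside the guard, so no stale value is used. Worth confirming in review that every other `break` in this loop reaches this point with `desc` non-NULL and its lock held, since the hunk relies on that invariant rather than tracking lock state explicitly; the commit message identifies only the one unlocked exit.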
-- 
2.45.2