OpenCloudOS-Kernel/drivers/xen
Juergen Gross 87797fad6c xen/events: replace evtchn_rwlock with RCU
In unprivileged Xen guests event handling can cause a deadlock with
Xen console handling. The evtchn_rwlock and the hvc_lock are taken in
opposite sequence in __hvc_poll() and in Xen console IRQ handling.
Normally this is no problem, as the evtchn_rwlock is taken as a reader
in both paths, but as soon as an event channel is being closed, the
lock will be taken as a writer, which will cause read_lock() to block:

CPU0                     CPU1                CPU2
(IRQ handling)           (__hvc_poll())      (closing event channel)

read_lock(evtchn_rwlock)
                         spin_lock(hvc_lock)
                                             write_lock(evtchn_rwlock)
                                                 [blocks]
spin_lock(hvc_lock)
    [blocks]
                        read_lock(evtchn_rwlock)
                            [blocks due to writer waiting,
                             and not in_interrupt()]

This issue can be avoided by replacing evtchn_rwlock with RCU in
xen_free_irq(). Note that RCU is used only to delay freeing of the
irq_info memory. There is no RCU based dereferencing or replacement of
pointers involved.

In order to avoid potential races between removing the irq_info
reference and handling of interrupts, set the irq_info pointer to NULL
only when freeing its memory. The IRQ itself must be freed at that
time, too, as otherwise the same IRQ number could be allocated again
before handling of the old instance would have been finished.

This is XSA-441 / CVE-2023-34324.

Fixes: 54c9de8989 ("xen/events: add a new "late EOI" evtchn framework")
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Julien Grall <jgrall@amazon.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2023-10-09 09:21:16 +02:00
..
events xen/events: replace evtchn_rwlock with RCU 2023-10-09 09:21:16 +02:00
xen-pciback xen-pciback: Remove unused function declarations 2023-08-21 09:53:22 +02:00
xenbus xen/xenbus: Avoid a lockdep warning when adding a watch 2023-08-22 08:04:59 +02:00
xenfs xen: remove unnecessary (void*) conversions 2023-03-16 12:04:00 +01:00
Kconfig xen: privcmd: Add support for irqfd 2023-08-22 12:12:50 +02:00
Makefile xen/grant-dma-iommu: Introduce stub IOMMU driver 2022-06-06 16:07:30 +02:00
acpi.c
arm-device.c
balloon.c xen: simplify sysctl registration for balloon 2023-04-13 11:49:20 -07:00
biomerge.c
cpu_hotplug.c
dbgp.c
efi.c efi: Apply allowlist to EFI configuration tables when running under Xen 2023-01-23 11:33:24 +01:00
evtchn.c xen/evtchn: Introduce new IOCTL to bind static evtchn 2023-07-26 08:42:34 +02:00
features.c x86/xen: Remove undefined behavior in setup_features() 2022-06-21 16:36:11 +02:00
gntalloc.c mm: replace vma->vm_flags direct modifications with modifier calls 2023-02-09 16:51:39 -08:00
gntdev-common.h xen/gntdev: Accommodate VMA splitting 2022-10-06 10:40:21 +02:00
gntdev-dmabuf.c xen/gntdev: Prepare to dynamic dma-buf locking specification 2022-10-18 01:21:47 +03:00
gntdev-dmabuf.h
gntdev.c mm: replace vma->vm_flags direct modifications with modifier calls 2023-02-09 16:51:39 -08:00
grant-dma-iommu.c xen/grant-dma-iommu: Implement a dummy probe_device() callback 2023-02-13 07:22:08 +01:00
grant-dma-ops.c xen/virtio: Fix NULL deref when a bridge of PCI root bus has no parent 2023-07-04 08:18:21 +02:00
grant-table.c xen: Fix one kernel-doc comment 2023-08-21 15:58:57 +02:00
manage.c xen/manage: Use orderly_reboot() to reboot 2022-08-01 07:42:22 +02:00
mcelog.c
mem-reservation.c x86/xen: remove 32-bit pv leftovers 2021-11-02 08:03:43 -05:00
pci.c xen/pci: Make use of the helper macro LIST_HEAD() 2022-02-10 11:10:23 +01:00
pcpu.c ACPI: processor: Fix evaluating _PDC method when running as Xen dom0 2023-03-22 19:36:31 +01:00
platform-pci.c xen: simplify evtchn_do_upcall() call maze 2023-09-19 07:04:49 +02:00
privcmd-buf.c mm: replace vma->vm_flags direct modifications with modifier calls 2023-02-09 16:51:39 -08:00
privcmd.c xen: privcmd: Add support for irqfd 2023-08-22 12:12:50 +02:00
privcmd.h
pvcalls-back.c workqueue: Ordered workqueue creation cleanups 2023-06-27 16:46:06 -07:00
pvcalls-front.c xen/pvcalls: don't call bind_evtchn_to_irqhandler() under lock 2023-04-24 07:27:10 +02:00
pvcalls-front.h
swiotlb-xen.c swiotlb: make io_tlb_default_mem local to swiotlb.c 2023-08-01 18:02:09 +02:00
sys-hypervisor.c xen: sysfs: make kobj_type structure constant 2023-02-18 16:50:21 +01:00
time.c
unpopulated-alloc.c xen/balloon: don't use PV mode extra memory for zone device allocations 2022-04-07 15:08:37 -05:00
xen-acpi-pad.c ACPI: make remove callback of ACPI driver void 2022-11-23 19:11:22 +01:00
xen-acpi-processor.c xen: Switch to use kmemdup() helper 2023-08-21 09:54:05 +02:00
xen-balloon.c
xen-front-pgdir-shbuf.c xen: Replace one-element array with flexible-array member 2023-02-13 09:15:45 +01:00
xen-scsiback.c xen: branch for v6.4-rc1 2023-04-27 17:27:06 -07:00
xlate_mmu.c xen: unexport __init-annotated xen_xlate_map_ballooned_pages() 2022-06-07 08:11:35 +02:00