| Message ID | 20240412021556.101792-1-guanrui.huang@linux.alibaba.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [v3] irqchip/gic-v3-its: Fix double free on error | expand |
Hi Guanrui, On 2024/4/12 10:15, Guanrui Huang wrote: > In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error > with i > 0, its_vpe_irq_domain_free may free bitmap and vprop_page, > and then there is a double free in its_vpe_irq_domain_alloc. > > Fix it by calling its_vpe_irq_domain_free directly, bitmap and > vprop_page will be freed in this function. > > Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com> > --- > drivers/irqchip/irq-gic-v3-its.c | 11 ++--------- > 1 file changed, 2 insertions(+), 9 deletions(-) > > diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c > index fca888b36680..55c83e19719d 100644 > --- a/drivers/irqchip/irq-gic-v3-its.c > +++ b/drivers/irqchip/irq-gic-v3-its.c > @@ -4521,8 +4521,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq > struct page *vprop_page; > int base, nr_ids, i, err = 0; > > - BUG_ON(!vm); > - The BUG_ON() is indeed useless, though it'd be better to remove it in a separate patch, with a commit message explaining why it is not needed. > bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); > if (!bitmap) > return -ENOMEM; > @@ -4561,13 +4559,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq > irqd_set_resend_when_in_progress(irq_get_irq_data(virq + i)); > } > > - if (err) { > - if (i > 0) > - its_vpe_irq_domain_free(domain, virq, i); > - > - its_lpi_free(bitmap, base, nr_ids); > - its_free_prop_table(vprop_page); > - } > + if (err) > + its_vpe_irq_domain_free(domain, virq, i); This looks good, Reviewed-by: Zenghui Yu <yuzenghui@huawei.com> Thanks for the fix. Zenghui
> In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error > with i > 0, its_vpe_irq_domain_free may free bitmap and vprop_page, > and then there is a double free in its_vpe_irq_domain_alloc. > > Fix it by calling its_vpe_irq_domain_free directly, bitmap and > vprop_page will be freed in this function. I find this change description improvable. Would you like to add the tag “Fixes” accordingly? … > +++ b/drivers/irqchip/irq-gic-v3-its.c > @@ -4521,8 +4521,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq > struct page *vprop_page; > int base, nr_ids, i, err = 0; > > - BUG_ON(!vm); … Please improve the patch granularity. See also: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.9-rc4#n81 Regards, Markus
diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index fca888b36680..55c83e19719d 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -4521,8 +4521,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq struct page *vprop_page; int base, nr_ids, i, err = 0; - BUG_ON(!vm); - bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids); if (!bitmap) return -ENOMEM; @@ -4561,13 +4559,8 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq irqd_set_resend_when_in_progress(irq_get_irq_data(virq + i)); } - if (err) { - if (i > 0) - its_vpe_irq_domain_free(domain, virq, i); - - its_lpi_free(bitmap, base, nr_ids); - its_free_prop_table(vprop_page); - } + if (err) + its_vpe_irq_domain_free(domain, virq, i); return err; }
In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error with i > 0, its_vpe_irq_domain_free may free bitmap and vprop_page, and then there is a double free in its_vpe_irq_domain_alloc. Fix it by calling its_vpe_irq_domain_free directly, bitmap and vprop_page will be freed in this function. Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com> --- drivers/irqchip/irq-gic-v3-its.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-)