All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Jan Beulich" <JBeulich@suse.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: xen-devel <xen-devel@lists.xenproject.org>,
	Keir Fraser <keir@xen.org>,
	Xiantao Zhang <xiantao.zhang@intel.com>
Subject: Re: [Patch 1/2] x86/vtd: Fix suspected data race condition in iommu_set_root_entry()
Date: Mon, 07 Oct 2013 11:03:20 +0100	[thread overview]
Message-ID: <5252A30802000078000F92C6@nat28.tlf.novell.com> (raw)
In-Reply-To: <1381139316-1820-2-git-send-email-andrew.cooper3@citrix.com>

>>> On 07.10.13 at 11:48, Andrew Cooper <andrew.cooper3@citrix.com> wrote:
> Coverity ID: 1054967
> 
> Coverity spotted that iommu->root_maddr was optionally allocated within the
> protection of the iommu->lock, but was referenced with the protection of the
> iommu->register_lock, and freed without any lock.
> 
> Luckily, the code as-is is not vulnerable to the potential risks identified.
> 
> However, the alloc_pgtable_maddr() is far more appropriately done in
> iommu_alloc(), removing a set of spinlock calls, and a possibility for the
> iommu setup to fail later than iommu_alloc() with an -ENOMEM.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> CC: Keir Fraser <keir@xen.org>

Reviewed-by: Jan Beulich <jbeulich@suse.com>

> CC: Xiantao Zhang <xiantao.zhang@intel.com>
> ---
>  xen/drivers/passthrough/vtd/iommu.c |   19 +++----------------
>  1 file changed, 3 insertions(+), 16 deletions(-)
> 
> diff --git a/xen/drivers/passthrough/vtd/iommu.c 
> b/xen/drivers/passthrough/vtd/iommu.c
> index 12e0165..2dbe97a 100644
> --- a/xen/drivers/passthrough/vtd/iommu.c
> +++ b/xen/drivers/passthrough/vtd/iommu.c
> @@ -696,25 +696,9 @@ static void iommu_free_pagetable(u64 pt_maddr, int 
> level)
>  
>  static int iommu_set_root_entry(struct iommu *iommu)
>  {
> -    struct acpi_drhd_unit *drhd;
>      u32 sts;
>      unsigned long flags;
>  
> -    spin_lock(&iommu->lock);
> -
> -    if ( iommu->root_maddr == 0 )
> -    {
> -        drhd = iommu_to_drhd(iommu);
> -        iommu->root_maddr = alloc_pgtable_maddr(drhd, 1);
> -    }
> -
> -    if ( iommu->root_maddr == 0 )
> -    {
> -        spin_unlock(&iommu->lock);
> -        return -ENOMEM;
> -    }
> -
> -    spin_unlock(&iommu->lock);
>      spin_lock_irqsave(&iommu->register_lock, flags);
>      dmar_writeq(iommu->reg, DMAR_RTADDR_REG, iommu->root_maddr);
>  
> @@ -1144,6 +1128,9 @@ int __init iommu_alloc(struct acpi_drhd_unit *drhd)
>      iommu->intel->drhd = drhd;
>      drhd->iommu = iommu;
>  
> +    if ( !(iommu->root_maddr = alloc_pgtable_maddr(drhd, 1)) )
> +        return -ENOMEM;
> +
>      iommu->reg = ioremap(drhd->address, PAGE_SIZE);
>      if ( !iommu->reg )
>          return -ENOMEM;
> -- 
> 1.7.10.4

  reply	other threads:[~2013-10-07 10:03 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-10-07  9:48 [Patch 0/2] Misc coverity fixes (set 2) Andrew Cooper
2013-10-07  9:48 ` [Patch 1/2] x86/vtd: Fix suspected data race condition in iommu_set_root_entry() Andrew Cooper
2013-10-07 10:03   ` Jan Beulich [this message]
2013-10-07 14:50   ` Zhang, Xiantao
2013-10-07  9:48 ` [Patch 2/2] x86/traps: improvements to {rd, wr}msr_hypervisor_regs() Andrew Cooper
2013-10-07 10:17   ` Jan Beulich
2013-10-07 10:51     ` Andrew Cooper
2013-10-07 11:59       ` [Patch v2] " Andrew Cooper
2013-10-07 12:01       ` [Patch v3] " Andrew Cooper
2013-10-07 12:26         ` Paul Durrant
2013-10-07 13:15           ` Andrew Cooper
2013-10-07 13:36             ` Jan Beulich
2013-10-07 13:46               ` [Patch v4] " Andrew Cooper
2013-10-08  8:52                 ` Jan Beulich
2013-10-08  9:32                   ` Andrew Cooper
2013-10-08  9:33                     ` [Patch v5] " Andrew Cooper

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5252A30802000078000F92C6@nat28.tlf.novell.com \
    --to=jbeulich@suse.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=keir@xen.org \
    --cc=xen-devel@lists.xenproject.org \
    --cc=xiantao.zhang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.