Date: Wed, 29 Mar 2023 07:52:28 GMT
Message-Id: <202303290752.32T7qSGm051982@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Roger Pau Monné
Subject: git: 2b2415bafa0d - main - xen/intr: fix corruption of event channel table
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by royger:

URL: https://cgit.FreeBSD.org/src/commit/?id=2b2415bafa0dda36244f0fedef9f8750b2868dea

commit 2b2415bafa0dda36244f0fedef9f8750b2868dea
Author:     Elliott Mitchell
AuthorDate: 2021-08-27 23:00:05 +0000
Commit:     Roger Pau Monné
CommitDate: 2023-03-29 07:51:40 +0000

    xen/intr: fix corruption of event channel table

    In xen_intr_release_isrc(), the isrc should only be removed if it is
    assigned to a valid port. This had been mitigated by using 0 for not
    having a port, but this is actually corrupting the table. Fix this bug
    as modifying the code would cause this bug to manifest as kernel memory
    corruption.

    Similar issue for the vCPU bitmap masks.

    The KASSERT() doesn't need lock protection.

    Reviewed by: royger
    MFC after: 1 week
    Differential Revision: https://reviews.freebsd.org/D30743
---
 sys/x86/xen/xen_intr.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/sys/x86/xen/xen_intr.c b/sys/x86/xen/xen_intr.c index ca0f56a8546a..4e16778874b5 100644 --- a/sys/x86/xen/xen_intr.c +++ b/sys/x86/xen/xen_intr.c
@@ -350,23 +350,26 @@ static int xen_intr_release_isrc(struct xenisrc *isrc) { - mtx_lock(&xen_intr_isrc_lock); KASSERT(isrc->xi_intsrc.is_handlers == 0, ("Release called, but xenisrc still in use")); - evtchn_mask_port(isrc->xi_port); - evtchn_clear_port(isrc->xi_port); + mtx_lock(&xen_intr_isrc_lock); + if (is_valid_evtchn(isrc->xi_port)) { + evtchn_mask_port(isrc->xi_port); + evtchn_clear_port(isrc->xi_port); - /* Rebind port to CPU 0. */ - evtchn_cpu_mask_port(isrc->xi_cpu, isrc->xi_port); - evtchn_cpu_unmask_port(0, isrc->xi_port); + /* Rebind port to CPU 0. */ + evtchn_cpu_mask_port(isrc->xi_cpu, isrc->xi_port); + evtchn_cpu_unmask_port(0, isrc->xi_port); - if (isrc->xi_close != 0 && is_valid_evtchn(isrc->xi_port)) { - struct evtchn_close close = { .port = isrc->xi_port }; - if (HYPERVISOR_event_channel_op(EVTCHNOP_close, &close)) - panic("EVTCHNOP_close failed"); - } + if (isrc->xi_close != 0) { + struct evtchn_close close = { .port = isrc->xi_port }; - xen_intr_port_to_isrc[isrc->xi_port] = NULL; + if (HYPERVISOR_event_channel_op(EVTCHNOP_close, &close)) + panic("EVTCHNOP_close failed"); + } + + xen_intr_port_to_isrc[isrc->xi_port] = NULL; + } isrc->xi_cpu = 0; isrc->xi_type = EVTCHN_TYPE_UNBOUND; isrc->xi_port = 0;
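
Review bot: the new if (is_valid_evtchn(isrc->xi_port)) guard in xen_intr_release_isrc() only protects xen_intr_port_to_isrc[] and the per-CPU mask updates if is_valid_evtchn() rejects 0, because the unchanged tail of the function still resets isrc->xi_port = 0 as the "no port" value the commit message calls out. That dependency is not visible from this hunk; a short comment at the guard, or a named invalid-port constant in place of the literal 0, would keep a later change to either side from reintroducing the stray table write. Separately, panic("EVTCHNOP_close failed") discards the hypercall's return value; including the error and the port number in the message would make a failure here diagnosable.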