Xen project Mailing List

Re: [PATCH 1/4] dt-overlay: Fix NULL pointer dereference

To: Julien Grall <julien@xxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Michal Orzel <michal.orzel@xxxxxxx>

Date: Mon, 23 Sep 2024 13:05:30 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=xen.org smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=q3sdp2muBkg4qEcmjlHN7jfdQHRuTHQcd8HuTqP/W2g=; b=BehpOCRAMkNC24vNw3UsVVNCANEI96aMBlDZXaqg4EJRg35OcfTit4ovY9TVSqAypCeM5ZfJt/3X3eoIAWf3hXIHpAoEOUWcX6TCYxF/W3/XwrVby2T0Xv/AeFcn/PaUgHhyZl+Z3VXbsH5O6w8fI3B17y0SGDOe+KzcEuBzrQpdGO/HXnmtTqZKnLVJ/x3Q2C8vn4uAuIjJj2qVYI0l+RqpIRIvz5uJQLsrjGgE/FG9jr5QINRC9huWUAgO57uOt+I72cUkbQJ6oMQn4u26Y1PcJw5XgU6iPRFVsvL9TULkt5/wDRHJK2d0hFUtedeeUdlIyKTrR9rXGFDkJLa9gA==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=cVaiRgBBPgzFrEd+24vgGyBHnaU/PhjwdzVGqHlBgkyRrlbwgnV90dziL07GnLiolcIMu7+gVH6dwxMPhhs2oFQCIPjJB8tM4pjPx01r3c/ug8I1/hrIQ1BHAsg7C4bk3yjKvn0VzmC3RZz5sh4vrz1IIgBvMEIhaswCZPaFR8dqXfxzUwKlK4zX6xlJnp/dsJFdlnS7+UUFim5yZlivLDBbZm4/0y7hLtxiXc/jNbHgKbP7dgeOzRlOxU7H6rxuekUYfNkyNCqGLr+4AIIBuLYwRcTZmKqUIF8HXW/oaHoWFLBMBNZmsG23t0AEk9+AuvOaFHiMDzyIr80xbrEioQ==

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Bertrand Marquis <bertrand.marquis@xxxxxxx>

Delivery-date: Mon, 23 Sep 2024 11:05:40 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Julien, On 20/09/2024 10:29, Julien Grall wrote: > > > Hi Michal, > > On 19/09/2024 12:42, Michal Orzel wrote: >> Attempt to attach an overlay (xl dt-overlay attach) to a domain without >> first adding this overlay to Xen (xl dt-overlay add) results in an >> overlay track entry being NULL in handle_attach_overlay_nodes(). This >> leads to NULL pointer dereference and the following data abort crash: >> >> (XEN) Cannot find any matching tracker with input dtbo. Operation is >> supported only for prior added dtbo. >> (XEN) Data Abort Trap. Syndrome=0x5 >> (XEN) Walking Hypervisor VA 0x40 on CPU0 via TTBR 0x0000000046948000 >> (XEN) 0TH[0x000] = 0x46940f7f >> (XEN) 1ST[0x000] = 0x0 >> (XEN) CPU0: Unexpected Trap: Data Abort >> (XEN) ----[ Xen-4.20-unstable arm64 debug=y Not tainted ]---- >> ... >> (XEN) Xen call trace: >> (XEN) [<00000a0000208b30>] dt_overlay_domctl+0x304/0x370 (PC) >> (XEN) [<00000a0000208b30>] dt_overlay_domctl+0x304/0x370 (LR) >> (XEN) [<00000a0000274b7c>] arch_do_domctl+0x48/0x328 >> >> Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device >> attachment to domains") >> Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx> >> --- >> xen/common/dt-overlay.c | 7 +++++-- >> 1 file changed, 5 insertions(+), 2 deletions(-) >> >> diff --git a/xen/common/dt-overlay.c b/xen/common/dt-overlay.c >> index d53b4706cd2f..8606b14d1e8e 100644 >> --- a/xen/common/dt-overlay.c >> +++ b/xen/common/dt-overlay.c >> @@ -908,8 +908,11 @@ static long handle_attach_overlay_nodes(struct domain >> *d, >> out: >> spin_unlock(&overlay_lock); >> >> - rangeset_destroy(entry->irq_ranges); >> - rangeset_destroy(entry->iomem_ranges); >> + if ( entry ) >> + { >> + rangeset_destroy(entry->irq_ranges); >> + rangeset_destroy(entry->iomem_ranges); >> + } > > While looking at the error paths in handle_attach_overlay_nodes(), I > noticed we don't revert any partial changes made by handle_device(). > > In this case, I am wondering whether it is correct to destroy the > rangeset. How would you be able to revert the changes? I guess the same story applies as for the partial add/remove which was stated by Vikram in the commit msg of 7e5c4a8b86f12942de0566b1d61f71d15774364b meaning partial success withe some failures may lead to other failures and might need a system reboot. I did not carefully look into this series, my plan was to fix the issues without changing the functional behavior. FWICS, we do not yet support detachment (only add/remove and attach) and removal of nodes and ranges is only possible if the nodes are assigned to hwdom. ~Michal

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.