forked from QubesOS/qubes-vmm-xen
0500-xsa458.patch
From: Jan Beulich <[email protected]>
Subject: x86/IRQ: avoid double unlock in map_domain_pirq()

Forever since its introduction the main loop in the function dealing
with multi-vector MSI had error exit points ("break") with different
properties: In one case no IRQ descriptor lock is being held.
Nevertheless the subsequent error cleanup path assumed such a lock would
uniformly need releasing. Identify the case by setting "desc" to NULL,
thus allowing the unlock to be skipped as necessary.

This is CVE-2024-31143 / XSA-458.

Coverity ID: 1605298
Fixes: d1b6d0a02489 ("x86: enable multi-vector MSI")
Signed-off-by: Jan Beulich <[email protected]>
Reviewed-by: Roger Pau Monné <[email protected]>
--- a/xen/arch/x86/irq.c
+++ b/xen/arch/x86/irq.c
@@ -2273,6 +2273,7 @@ int map_domain_pirq(
set_domain_irq_pirq(d, irq, info);
spin_unlock_irqrestore(&desc->lock, flags);
+ desc = NULL;
info = NULL;
irq = create_irq(NUMA_NO_NODE, true);
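Review bot: The new `desc = NULL;` immediately after `spin_unlock_irqrestore(&desc->lock, flags);` turns `desc` into the "descriptor lock is held" flag for the rest of the loop, but nothing in the hunk says so; a one-line comment at the assignment (e.g. "desc == NULL means the lock is not held; checked by the error path") would keep a later edit from reusing `desc` as a plain pointer and silently reintroducing the double unlock. It is also worth confirming in review that every `break` between this point and the cleanup either re-assigns `desc` (and re-takes the lock) or leaves it NULL, since the fix depends on that pairing holding at each exit, not only at the one the commit message names.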
@@ -2308,7 +2309,9 @@ int map_domain_pirq(
if ( ret )
{
- spin_unlock_irqrestore(&desc->lock, flags);
+ if ( desc )
+ spin_unlock_irqrestore(&desc->lock, flags);
+
pci_disable_msi(msi_desc);
if ( nr )
{
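Review bot: The guard `if ( desc )` around `spin_unlock_irqrestore(&desc->lock, flags);` is the minimal fix, but it makes correctness depend on an invariant that is only implicit (desc non-NULL exactly when the lock is held, with `flags` valid in that case). Since the cleanup path runs after an error, an `ASSERT()` on the lock state next to the conditional unlock would catch a future exit that breaks the pairing in debug builds rather than producing another silent double unlock. The added blank line after the conditional unlock is fine stylistically, but the `pci_disable_msi(msi_desc);` that follows now runs either with or without the descriptor lock having just been dropped; the hunk gives no indication that matters, but the reviewer should confirm the no-lock path was indeed always unlocked before reaching here rather than never locked.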