From: Thomas Gleixner <tglx@linutronix.de>
To: LKML <linux-kernel@vger.kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>, Peter Anvin <hpa@zytor.com>,
	Jiang Liu <jiang.liu@linux.intel.com>,
	Joe Lawrence <joe.lawrence@stratus.com>,
	Jeremiah Mahler <jmmahler@gmail.com>,
	Borislav Petkov <bp@alien8.de>,
	andy.shevchenko@gmail.com, Guenter Roeck <linux@roeck-us.net>
Subject: [patch 01/14] x86/irq: Fix a race in x86_vector_free_irqs()
Date: Thu, 31 Dec 2015 16:30:44 -0000	[thread overview]
Message-ID: <20151231160106.151314722@linutronix.de> (raw)
In-Reply-To: 20151231155849.772553760@linutronix.de


There's a race condition between

x86_vector_free_irqs()
{
	free_apic_chip_data(irq_data->chip_data);
	xxxxx	//irq_data->chip_data has been freed, but the pointer
		//hasn't been reset yet
	irq_domain_reset_irq_data(irq_data);
}

and 

smp_irq_move_cleanup_interrupt()
{
	raw_spin_lock(&vector_lock);
	data = apic_chip_data(irq_desc_get_irq_data(desc));
	access data->xxxx	// may access freed memory
	raw_spin_unlock(&desc->lock);
}

which may cause smp_irq_move_cleanup_interrupt() to access freed memory.

Call irq_domain_reset_irq_data(), which clears the pointer with vector lock
held.

[ tglx: Free memory outside of lock held region. ]

Signed-off-by: Jiang Liu <jiang.liu@linux.intel.com>
Cc: Jeremiah Mahler <jmmahler@gmail.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: andy.shevchenko@gmail.com
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Joe Lawrence <joe.lawrence@stratus.com>
Link: http://lkml.kernel.org/r/1450880014-11741-3-git-send-email-jiang.liu@linux.intel.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
 arch/x86/kernel/apic/vector.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/apic/vector.c
+++ b/arch/x86/kernel/apic/vector.c
@@ -224,10 +224,8 @@ static int assign_irq_vector_policy(int
 static void clear_irq_vector(int irq, struct apic_chip_data *data)
 {
 	struct irq_desc *desc;
-	unsigned long flags;
 	int cpu, vector;
 
-	raw_spin_lock_irqsave(&vector_lock, flags);
 	BUG_ON(!data->cfg.vector);
 
 	vector = data->cfg.vector;
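Review bot: with raw_spin_lock_irqsave() and the flags variable removed from clear_irq_vector(), the function now silently depends on its caller holding vector_lock. A lockdep_assert_held(&vector_lock) at the top of the function, or at least a comment stating "called with vector_lock held", would make that contract explicit and catch any caller outside this diff that still expects the old self-locking behaviour.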
@@ -237,10 +235,8 @@ static void clear_irq_vector(int irq, st
 	data->cfg.vector = 0;
 	cpumask_clear(data->domain);
 
-	if (likely(!data->move_in_progress)) {
-		raw_spin_unlock_irqrestore(&vector_lock, flags);
+	if (likely(!data->move_in_progress))
 		return;
-	}
 
 	desc = irq_to_desc(irq);
 	for_each_cpu_and(cpu, data->old_domain, cpu_online_mask) {
@@ -253,7 +249,6 @@ static void clear_irq_vector(int irq, st
 		}
 	}
 	data->move_in_progress = 0;
-	raw_spin_unlock_irqrestore(&vector_lock, flags);
 }
 
 void init_irq_alloc_info(struct irq_alloc_info *info,
@@ -274,19 +269,24 @@ void copy_irq_alloc_info(struct irq_allo
 static void x86_vector_free_irqs(struct irq_domain *domain,
 				 unsigned int virq, unsigned int nr_irqs)
 {
+	struct apic_chip_data *apic_data;
 	struct irq_data *irq_data;
+	unsigned long flags;
 	int i;
 
 	for (i = 0; i < nr_irqs; i++) {
 		irq_data = irq_domain_get_irq_data(x86_vector_domain, virq + i);
 		if (irq_data && irq_data->chip_data) {
+			raw_spin_lock_irqsave(&vector_lock, flags);
 			clear_irq_vector(virq + i, irq_data->chip_data);
-			free_apic_chip_data(irq_data->chip_data);
+			apic_data = irq_data->chip_data;
+			irq_domain_reset_irq_data(irq_data);
+			raw_spin_unlock_irqrestore(&vector_lock, flags);
+			free_apic_chip_data(apic_data);
 #ifdef	CONFIG_X86_IO_APIC
 			if (virq + i < nr_legacy_irqs())
 				legacy_irq_data[virq + i] = NULL;
 #endif
-			irq_domain_reset_irq_data(irq_data);
 		}
 	}
 }
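Review bot: the reordering in x86_vector_free_irqs() clears irq_data->chip_data via irq_domain_reset_irq_data() under vector_lock and only calls free_apic_chip_data(apic_data) after the unlock, so smp_irq_move_cleanup_interrupt() taking vector_lock will see either the still-valid pointer or NULL, never a freed object. That only closes the race if the cleanup handler checks chip_data for NULL under the lock; that reader side is not touched here, so it should be confirmed (or fixed in a companion patch). The legacy_irq_data[virq + i] = NULL store now also happens outside vector_lock; if anything consults that array under the lock, it should move up before raw_spin_unlock_irqrestore().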
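The ordering problem the commit message describes, modelled as a small deterministic userspace program. This is an added example, not kernel code and not part of this patch: `struct apic_chip_data`, `struct irq_data`, the `vector_lock()` flag and the `cleanup_ipi()` function are stand-ins constructed here, the "cleanup IPI" is invoked explicitly at the interleaving point rather than arriving asynchronously, and freed memory is marked with a `freed` flag instead of being read after a real `free()` so the model can report a use-after-free without undefined behaviour.

```c
/* Deterministic model of the free/reset ordering race (added example,
 * not kernel code; all names below are constructed stand-ins). */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct apic_chip_data; `freed` is a poison marker that
 * stands in for memory handed back to the allocator. */
struct apic_chip_data {
	int vector;
	bool freed;
};

/* Stand-in for struct irq_data: only the chip_data pointer matters here. */
struct irq_data {
	struct apic_chip_data *chip_data;
};

/* Model of vector_lock: a raw spinlock reduced to a "held" flag. */
static bool vector_lock_held;

static void vector_lock(void)
{
	assert(!vector_lock_held);     /* a real spinlock would spin here */
	vector_lock_held = true;
}

static void vector_unlock(void)
{
	assert(vector_lock_held);
	vector_lock_held = false;
}

/* Model of smp_irq_move_cleanup_interrupt(): look up chip_data under
 * vector_lock and use it. Returns 1 if it touched freed memory. */
static int cleanup_ipi(struct irq_data *d)
{
	int touched_freed = 0;
	struct apic_chip_data *data;

	vector_lock();
	data = d->chip_data;
	if (data) {                    /* the reader must tolerate a cleared pointer */
		if (data->freed)
			touched_freed = 1;
		(void)data->vector;    /* stands in for the data->cfg.vector access */
	}
	vector_unlock();
	return touched_freed;
}

/* Ordering before the patch: free first, reset the pointer afterwards.
 * The cleanup IPI is modelled as firing in the window between the two. */
static int free_irq_old(struct irq_data *d)
{
	struct apic_chip_data *data = d->chip_data;
	int hit;

	data->freed = true;            /* free_apic_chip_data() */
	hit = cleanup_ipi(d);          /* IPI still sees the stale pointer */
	d->chip_data = NULL;           /* irq_domain_reset_irq_data(): too late */
	free(data);
	return hit;
}

/* Ordering after the patch: clear the pointer under vector_lock, drop the
 * lock, then free. The IPI cannot run while the lock is held, so the
 * earliest it can fire is after the unlock, where it already sees NULL. */
static int free_irq_new(struct irq_data *d)
{
	struct apic_chip_data *data;
	int hit;

	vector_lock();
	data = d->chip_data;
	d->chip_data = NULL;           /* irq_domain_reset_irq_data() */
	vector_unlock();
	hit = cleanup_ipi(d);          /* IPI: pointer already cleared */
	data->freed = true;            /* free_apic_chip_data() */
	free(data);
	return hit;
}

static struct irq_data make_irq(void)
{
	struct irq_data d;

	d.chip_data = malloc(sizeof(*d.chip_data));
	assert(d.chip_data);
	d.chip_data->vector = 0x41;    /* constructed sample vector number */
	d.chip_data->freed = false;
	return d;
}

/* Returns 1: the old ordering lets the IPI touch freed memory. */
int old_ordering_hits_freed_memory(void)
{
	struct irq_data d = make_irq();
	return free_irq_old(&d);
}

/* Returns 0: the new ordering keeps the IPI away from freed memory. */
int new_ordering_hits_freed_memory(void)
{
	struct irq_data d = make_irq();
	return free_irq_new(&d);
}

int main(void)
{
	printf("old ordering: use-after-free=%d\n", old_ordering_hits_freed_memory());
	printf("new ordering: use-after-free=%d\n", new_ordering_hits_freed_memory());
	return 0;
}
```

The two invariants the model encodes are the ones the patch establishes: the shared pointer is cleared while holding the same lock the reader takes, and the memory is released only after the lock is dropped, which is also why the reader side has to treat a NULL chip_data as "nothing to clean up".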


