From: Rishabh Bhatnagar <risbhat@amazon.com>
To: <stable@vger.kernel.org>
Cc: <gregkh@linuxfoundation.org>, <sashal@kernel.org>,
	<tglx@linutronix.de>, <mingo@redhat.com>,
	<linux-kernel@vger.kernel.org>, <benh@amazon.com>,
	<mbacco@amazon.com>, Lukas Wunner <lukas@wunner.de>,
	Bjorn Helgaas <bhelgaas@google.com>,
	Mika Westerberg <mika.westerberg@linux.intel.com>,
	<linux-pci@vger.kernel.org>,
	Rishabh Bhatnagar <risbhat@amazon.com>
Subject: [PATCH 1/6] genirq: Update code comments wrt recycled thread_mask
Date: Thu, 29 Sep 2022 21:06:46 +0000
Message-ID: <20220929210651.12308-2-risbhat@amazon.com>
In-Reply-To: <20220929210651.12308-1-risbhat@amazon.com>

From: Lukas Wunner <lukas@wunner.de>

commit 836557bd58e5e65c05c73af9f6ebed885dbfccfc upstream.

Previously a race existed between __free_irq() and __setup_irq() wherein
the thread_mask of a just removed action could be handed out to a newly
added action and the freed irq thread would then tread on the oneshot
mask bit of the newly added irq thread in irq_finalize_oneshot():

time
 |  __free_irq()
 |    raw_spin_lock_irqsave(&desc->lock, flags);
 |    <remove action from linked list>
 |    raw_spin_unlock_irqrestore(&desc->lock, flags);
 |
 |  __setup_irq()
 |    raw_spin_lock_irqsave(&desc->lock, flags);
 |    <traverse linked list to determine oneshot mask bit>
 |    raw_spin_unlock_irqrestore(&desc->lock, flags);
 |
 |  irq_thread() of freed irq (__free_irq() waits in synchronize_irq())
 |    irq_thread_fn()
 |      irq_finalize_oneshot()
 |        raw_spin_lock_irq(&desc->lock);
 |        desc->threads_oneshot &= ~action->thread_mask;
 |        raw_spin_unlock_irq(&desc->lock);
 v

The race was known at least since 2012 when it was documented in a code
comment by commit e04268b0effc ("genirq: Remove paranoid warnons and bogus
fixups"). The race itself is harmless as nothing touches any of the
potentially freed data after synchronize_irq().

In 2017 the race was closed by commit 9114014cf4e6 ("genirq: Add mutex to
irq desc to serialize request/free_irq()"), apparently inadvertently so
because the race is neither mentioned in the commit message nor was the
code comment updated.  Make up for that.

Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: linux-pci@vger.kernel.org
Link: https://lkml.kernel.org/r/32fc25aa35ecef4b2692f57687bb7fc2a57230e2.1529828292.git.lukas@wunner.de
Signed-off-by: Rishabh Bhatnagar <risbhat@amazon.com>
---
 kernel/irq/manage.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
index 914b43f2255b..cb35db00fdf4 100644
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -1030,10 +1030,7 @@ static int irq_thread(void *data)
 	 * This is the regular exit path. __free_irq() is stopping the
 	 * thread via kthread_stop() after calling
 	 * synchronize_irq(). So neither IRQTF_RUNTHREAD nor the
-	 * oneshot mask bit can be set. We cannot verify that as we
-	 * cannot touch the oneshot mask at this point anymore as
-	 * __setup_irq() might have given out currents thread_mask
-	 * again.
+	 * oneshot mask bit can be set.
 	 */
 	task_work_cancel(current, irq_thread_dtor);
 	return 0;
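Review bot: The shortened comment in irq_thread() still asserts that neither IRQTF_RUNTHREAD nor the oneshot mask bit can be set, but it no longer says what guarantees that. The commit message attributes the closed race to desc->request_mutex, so a short pointer to that mutex here (or to the comment in __setup_irq()) would keep the two comments tied together for anyone who later changes the locking. The removed text said the condition "cannot" be verified; the changelog could also state whether a check is now possible and deliberately left out.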
@@ -1257,7 +1254,9 @@ __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new)
 	/*
 	 * Protects against a concurrent __free_irq() call which might wait
 	 * for synchronize_irq() to complete without holding the optional
-	 * chip bus lock and desc->lock.
+	 * chip bus lock and desc->lock. Also protects against handing out
+	 * a recycled oneshot thread_mask bit while it's still in use by
+	 * its previous owner.
 	 */
 	mutex_lock(&desc->request_mutex);
 
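Review bot: The sentence added to the __setup_irq() comment ("Also protects against handing out a recycled oneshot thread_mask bit ...") only holds if __free_irq() keeps desc->request_mutex held until the freed action's thread has finished, and nothing in this hunk shows that. Consider naming that dependency in the comment, for example by saying the mutex is held by __free_irq() across synchronize_irq(), so the invariant can be checked against the other side of the lock when either function is modified or backported.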
-- 
2.37.1


Thread overview: 14+ messages
2022-09-29 21:06 [PATCH 0/6] IRQ handling patches backport to 4.14 stable Rishabh Bhatnagar
2022-09-29 21:06 ` Rishabh Bhatnagar [this message]
2022-09-29 21:06 ` [PATCH 2/6] genirq: Synchronize only with single thread on free_irq() Rishabh Bhatnagar
2022-09-29 21:06 ` [PATCH 3/6] genirq: Delay deactivation in free_irq() Rishabh Bhatnagar
2022-09-29 21:06 ` [PATCH 4/6] genirq: Fix misleading synchronize_irq() documentation Rishabh Bhatnagar
2022-09-29 21:06 ` [PATCH 5/6] genirq: Add optional hardware synchronization for shutdown Rishabh Bhatnagar
2022-09-29 21:06 ` [PATCH 6/6] x86/ioapic: Implement irq_get_irqchip_state() callback Rishabh Bhatnagar
2022-10-02 15:30 ` [PATCH 0/6] IRQ handling patches backport to 4.14 stable Greg KH
2022-10-03 17:54   ` Bhatnagar, Rishabh
2022-10-07  3:07   ` Herrenschmidt, Benjamin
2022-10-09 17:50     ` Bhatnagar, Rishabh
2022-10-14 19:00       ` Bhatnagar, Rishabh
2022-10-15 15:36         ` gregkh
2022-10-27 10:13 ` Greg KH
