From: Greg KH <gregkh@linuxfoundation.org>
To: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, hpa@zytor.com, prarit@redhat.com,
x86@kernel.org, stable@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5.10 RESEND 0/2] x86/irq: Plug vector setup race
Date: Sun, 24 Aug 2025 10:37:51 +0200
Message-ID: <2025082435-attribute-mounted-f09e@gregkh>
In-Reply-To: <20250822033304.1096496-1-ruanjinjie@huawei.com>

On Fri, Aug 22, 2025 at 03:33:02AM +0000, Jinjie Ruan wrote:
> There is a vector setup race, which overwrites the interrupt
> descriptor in the per CPU vector array resulting in a dysfunctional device.
>
> CPU0                            CPU1
>                                 interrupt is raised in APIC IRR
>                                 but not handled
>   free_irq()
>     per_cpu(vector_irq, CPU1)[vector] = VECTOR_SHUTDOWN;
>
>   request_irq()                 common_interrupt()
>                                   d = this_cpu_read(vector_irq[vector]);
>
>     per_cpu(vector_irq, CPU1)[vector] = desc;
>
>                                   if (d == VECTOR_SHUTDOWN)
>                                     this_cpu_write(vector_irq[vector], VECTOR_UNUSED);
>
> free_irq() cannot observe the pending vector in the CPU1 APIC as there is
> no way to query the remote CPU's APIC IRR.
>
> This requires that request_irq() uses the same vector/CPU as the one which
> was freed, but this also can be triggered by a spurious interrupt.
>
> Interestingly enough this problem managed to be hidden for more than a
> decade.
>
> Prevent this by reevaluating vector_irq under the vector lock, which is
> held by the interrupt activation code when vector_irq is updated.
>
> The first patch provides context for the subsequent real bugfix patch.
>
> Fixes: 9345005f4eed ("x86/irq: Fix do_IRQ() interrupt warning for cpu hotplug retriggered irqs")
> Cc: stable@vger.kernel.org#5.10.x
> Cc: gregkh@linuxfoundation.org
>
> v1 -> RESEND
> - Add upstream commit ID.
>
> Jacob Pan (1):
> x86/irq: Factor out handler invocation from common_interrupt()
>
> Thomas Gleixner (1):
> x86/irq: Plug vector setup race
>
> arch/x86/kernel/irq.c | 70 ++++++++++++++++++++++++++++++++++---------
> 1 file changed, 56 insertions(+), 14 deletions(-)
>
> --
> 2.34.1
>
>
Dropping as I didn't take the patches for later kernels either.
greg k-h
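
Added example, not part of this thread or of the posted patches: a single-threaded user-space C model that replays the interleaving from the quoted cover letter and compares acting on the stale read with re-evaluating the slot under the vector lock. The spinlock helpers, replay(), the function names and the sentinel values are assumptions made for the model.

```c
#include <stdatomic.h>
#include <stdio.h>

/* User-space model, constructed for illustration; not kernel code. */
#define VECTOR_UNUSED   ((void *)0)
#define VECTOR_SHUTDOWN ((void *)-1)   /* sentinel values are assumptions */

static void *vector_irq_cpu1;          /* models per_cpu(vector_irq, CPU1)[vector] */
static atomic_flag vector_lock = ATOMIC_FLAG_INIT;
static int desc;                       /* stands in for the new interrupt descriptor */

static void lock_vectors(void)   { while (atomic_flag_test_and_set(&vector_lock)) ; }
static void unlock_vectors(void) { atomic_flag_clear(&vector_lock); }

/* CPU0: request_irq() publishes the descriptor while holding the vector lock. */
static void cpu0_request_irq(void) { lock_vectors(); vector_irq_cpu1 = &desc; unlock_vectors(); }

/* CPU1, racy tail: trusts the value d it read before request_irq() ran. */
static void cpu1_tail_racy(void *d)
{
    if (d == VECTOR_SHUTDOWN)
        vector_irq_cpu1 = VECTOR_UNUSED;   /* overwrites the freshly installed desc */
}

/* CPU1, fixed tail: re-reads the slot under the lock before writing to it. */
static void cpu1_tail_locked(void *d)
{
    if (d != VECTOR_SHUTDOWN)
        return;
    lock_vectors();
    if (vector_irq_cpu1 == VECTOR_SHUTDOWN)
        vector_irq_cpu1 = VECTOR_UNUSED;
    unlock_vectors();
}

/* Replays the diagram's interleaving; returns 1 if the descriptor survives. */
static int replay(void (*cpu1_tail)(void *))
{
    vector_irq_cpu1 = VECTOR_SHUTDOWN;     /* CPU0: free_irq() */
    void *d = vector_irq_cpu1;             /* CPU1: common_interrupt() reads the slot */
    cpu0_request_irq();                    /* CPU0: request_irq() reuses vector/CPU */
    cpu1_tail(d);                          /* CPU1: acts on what it read earlier */
    return vector_irq_cpu1 == &desc;
}

int main(void)
{
    printf("racy: %d, locked: %d\n", replay(cpu1_tail_racy), replay(cpu1_tail_locked));
    return 0;
}
```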