Re: [PATCH] irq: simplify irq_im_handle_irq()

[Jiri Slaby <jirislaby@kernel.org>]

Hi,

On 21. 07. 25, 17:44, Thomas Gleixner wrote:
> On Mon, Jul 21 2025 at 10:27, Yury Norov wrote:
>> On Mon, Jul 21, 2025 at 04:07:22PM +0200, Thomas Gleixner wrote:
>> find_next_bit() and for_each_bit() cannot be used in concurrent
>> environment, and having atomic clear_bit() is meaningless here.
>> Two concurrent processes, if running in parallel, may pick the
>> same offset, ending up executing the handle_simple_irq() twice.
> 
> The irq work cannot be run in parallel on multiple CPUs. It's guaranteed
> that only one irq work handler runs at a time. So irq_sim_handle_irq()
> is fully serialized by the irq work magic.
> 
> But the bitmap can be modified concurrently, which is not a problem.

Actually, it is (IMO):

         while (!bitmap_empty(work_ctx->pending, work_ctx->irq_count)) {
                 offset = find_next_bit(work_ctx->pending,
                                        work_ctx->irq_count, offset);
                 clear_bit(offset, work_ctx->pending);
                 irqnum = irq_find_mapping(work_ctx->domain, offset);
                 handle_simple_irq(irq_to_desc(irqnum));
         }


If another CPU sets a bit X in the beginning of the work_ctx->pending 
bitmap while this is running for some time already (that means offset is 
already greater that that X), bitmap_empty() will be always true and 
this spins forever (or crashes). It is because find_next_bit() will 
never return that bit X -- so clear_bit() will never happen on that.

What is worse, find_next_bit() will return work_ctx->irq_count and both 
clear_bit() and irq_find_mapping() will touch an OOB memory.

Or what am I missing?

find_next_bit_wrap() would cure that.

thanks,
-- 
js
suse labs