Re: [RFC PATCH] genirq: Enforce monotonic increase contract in irq_get_next_irq()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Thomas Gleixner <tglx@kernel.org>
To: Aaron Tomlin <atomlin@atomlin.com>
Cc: neelx@suse.com, sean@ashe.io, steve@abita.co, mproche@gmail.com,
	linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH] genirq: Enforce monotonic increase contract in irq_get_next_irq()
Date: Thu, 04 Jun 2026 11:21:17 +0200	[thread overview]
Message-ID: <87fr3264qa.ffs@fw13> (raw)
In-Reply-To: <20260604020149.1148697-1-atomlin@atomlin.com>

On Wed, Jun 03 2026 at 22:01, Aaron Tomlin wrote:
> When an IRQ descriptor is corrupted in memory (e.g., via an out-of-bounds
> write by a rogue driver), the descriptor's internal IRQ number may be
> zeroed out.

Which means the system integrity is compromised.

> During iteration via for_each_active_irq(), irq_get_next_irq() relies on
> irq_desc_get_irq(desc) to retrieve the next IRQ number. If a descriptor is
> corrupted, this can result in returning an IRQ number (e.g., 0) that is
> strictly less than the requested offset. This breaks the fundamental
> forward-progress guarantee of the iterator.
>
> This contract violation causes catastrophic unsigned integer underflows in
> callers. For instance, show_all_irqs() in fs/proc/stat.c calculates
> padding using (i - next). A corrupted descriptor returning 0 forces a
> massive unsigned underflow, trapping the CPU in an extensive loop inside
> show_irq_gap() and triggering a soft lockup watchdog.
>
> While the underlying issue is a memory corruption bug, core iterators
> should be resilient against returning values that violate their own
> mathematical boundaries and induce lockups in other subsystems.

Seriously?

If memory is corrupted and corruption is detected, then the only
sensible thing is to panic the machine and not papering over in a
particular instance and hope that this is the only side effect.

Thanks,

        tglx

next prev parent reply	other threads:[~2026-06-04  9:21 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-04  2:01 [RFC PATCH] genirq: Enforce monotonic increase contract in irq_get_next_irq() Aaron Tomlin
2026-06-04  9:21 ` Thomas Gleixner [this message]
2026-06-04 13:23   ` Aaron Tomlin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87fr3264qa.ffs@fw13 \
    --to=tglx@kernel.org \
    --cc=atomlin@atomlin.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mproche@gmail.com \
    --cc=neelx@suse.com \
    --cc=sean@ashe.io \
    --cc=steve@abita.co \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.