[tip:x86/urgent] x86/irq: Fix a race in x86_vector_free_irqs()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: tip-bot for Jiang Liu <tipbot@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: mingo@kernel.org, linux@roeck-us.net, jmmahler@gmail.com,
	joe.lawrence@stratus.com, hpa@zytor.com, tglx@linutronix.de,
	linux-kernel@vger.kernel.org, bp@alien8.de,
	jiang.liu@linux.intel.com
Subject: [tip:x86/urgent] x86/irq: Fix a race in x86_vector_free_irqs()
Date: Sat, 16 Jan 2016 13:16:15 -0800	[thread overview]
Message-ID: <tip-111abeba67e0dbdc26537429de9155e4f1d807d8@git.kernel.org> (raw)
In-Reply-To: <1450880014-11741-3-git-send-email-jiang.liu@linux.intel.com>

Commit-ID:  111abeba67e0dbdc26537429de9155e4f1d807d8
Gitweb:     http://git.kernel.org/tip/111abeba67e0dbdc26537429de9155e4f1d807d8
Author:     Jiang Liu <jiang.liu@linux.intel.com>
AuthorDate: Thu, 31 Dec 2015 16:30:44 +0000
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 15 Jan 2016 13:43:58 +0100

x86/irq: Fix a race in x86_vector_free_irqs()

There's a race condition between

x86_vector_free_irqs()
{
	free_apic_chip_data(irq_data->chip_data);
	xxxxx	//irq_data->chip_data has been freed, but the pointer
		//hasn't been reset yet
	irq_domain_reset_irq_data(irq_data);
}

and 

smp_irq_move_cleanup_interrupt()
{
	raw_spin_lock(&vector_lock);
	data = apic_chip_data(irq_desc_get_irq_data(desc));
	access data->xxxx	// may access freed memory
	raw_spin_unlock(&desc->lock);
}

which may cause smp_irq_move_cleanup_interrupt() to access freed memory.

Call irq_domain_reset_irq_data(), which clears the pointer with vector lock
held.

[ tglx: Free memory outside of lock held region. ]

Signed-off-by: Jiang Liu <jiang.liu@linux.intel.com>
Tested-by: Borislav Petkov <bp@alien8.de>
Tested-by: Joe Lawrence <joe.lawrence@stratus.com>
Cc: Jeremiah Mahler <jmmahler@gmail.com>
Cc: andy.shevchenko@gmail.com
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org #4.3+
Link: http://lkml.kernel.org/r/1450880014-11741-3-git-send-email-jiang.liu@linux.intel.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
 arch/x86/kernel/apic/vector.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c
index 908cb37..cf1e325 100644
--- a/arch/x86/kernel/apic/vector.c
+++ b/arch/x86/kernel/apic/vector.c
@@ -226,10 +226,8 @@ static int assign_irq_vector_policy(int irq, int node,
 static void clear_irq_vector(int irq, struct apic_chip_data *data)
 {
 	struct irq_desc *desc;
-	unsigned long flags;
 	int cpu, vector;
 
-	raw_spin_lock_irqsave(&vector_lock, flags);
 	BUG_ON(!data->cfg.vector);
 
 	vector = data->cfg.vector;
@@ -239,10 +237,8 @@ static void clear_irq_vector(int irq, struct apic_chip_data *data)
 	data->cfg.vector = 0;
 	cpumask_clear(data->domain);
 
-	if (likely(!data->move_in_progress)) {
-		raw_spin_unlock_irqrestore(&vector_lock, flags);
+	if (likely(!data->move_in_progress))
 		return;
-	}
 
 	desc = irq_to_desc(irq);
 	for_each_cpu_and(cpu, data->old_domain, cpu_online_mask) {
@@ -255,7 +251,6 @@ static void clear_irq_vector(int irq, struct apic_chip_data *data)
 		}
 	}
 	data->move_in_progress = 0;
-	raw_spin_unlock_irqrestore(&vector_lock, flags);
 }
 
 void init_irq_alloc_info(struct irq_alloc_info *info,
@@ -276,19 +271,24 @@ void copy_irq_alloc_info(struct irq_alloc_info *dst, struct irq_alloc_info *src)
 static void x86_vector_free_irqs(struct irq_domain *domain,
 				 unsigned int virq, unsigned int nr_irqs)
 {
+	struct apic_chip_data *apic_data;
 	struct irq_data *irq_data;
+	unsigned long flags;
 	int i;
 
 	for (i = 0; i < nr_irqs; i++) {
 		irq_data = irq_domain_get_irq_data(x86_vector_domain, virq + i);
 		if (irq_data && irq_data->chip_data) {
+			raw_spin_lock_irqsave(&vector_lock, flags);
 			clear_irq_vector(virq + i, irq_data->chip_data);
-			free_apic_chip_data(irq_data->chip_data);
+			apic_data = irq_data->chip_data;
+			irq_domain_reset_irq_data(irq_data);
+			raw_spin_unlock_irqrestore(&vector_lock, flags);
+			free_apic_chip_data(apic_data);
 #ifdef	CONFIG_X86_IO_APIC
 			if (virq + i < nr_legacy_irqs())
 				legacy_irq_data[virq + i] = NULL;
 #endif
-			irq_domain_reset_irq_data(irq_data);
 		}
 	}
 }

next prev parent reply	other threads:[~2016-01-16 21:18 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-12-11  7:49 [x86/irq] 4c24cee6b2: IP-Config: Auto-configuration of network failed kernel test robot
2015-12-11  7:49 ` [lkp] " kernel test robot
2015-12-14  6:38 ` Jiang Liu
2015-12-14  6:38   ` [lkp] " Jiang Liu
2015-12-14  6:54   ` Huang, Ying
2015-12-14  6:54     ` [LKP] [lkp] " Huang, Ying
2015-12-14  9:54     ` Borislav Petkov
2015-12-14  9:54       ` [LKP] [lkp] " Borislav Petkov
2015-12-15  7:55       ` Jiang Liu
2015-12-15  7:55         ` [LKP] [lkp] " Jiang Liu
2015-12-15 10:08         ` Borislav Petkov
2015-12-15 10:08           ` [LKP] [lkp] " Borislav Petkov
2015-12-19 20:31         ` Thomas Gleixner
2015-12-19 20:31           ` [LKP] [lkp] " Thomas Gleixner
2015-12-23 14:13           ` [Bugfix v2 1/5] x86/irq: Do not reuse struct apic_chip_data.old_domain as temporary buffer Jiang Liu
2015-12-23 14:13             ` [Bugfix v2 2/5] x86/irq: Enhance __assign_irq_vector() to rollback in case of failure Jiang Liu
2015-12-30 18:52               ` Thomas Gleixner
2015-12-23 14:13             ` [Bugfix v2 3/5] x86/irq: Fix a race window in x86_vector_free_irqs() Jiang Liu
2015-12-29 13:39               ` Thomas Gleixner
2016-01-16 21:16               ` tip-bot for Jiang Liu [this message]
2015-12-23 14:13             ` [Bugfix v2 4/5] x86/irq: Fix a race condition between vector assigning and cleanup Jiang Liu
2015-12-23 18:41               ` Borislav Petkov
2015-12-30 17:25               ` Thomas Gleixner
2015-12-30 22:50               ` Thomas Gleixner
2015-12-23 14:13             ` [Bugfix v2 5/5] x86/irq: Trivial cleanups for x86 vector allocation code Jiang Liu
2015-12-23 19:10             ` [Bugfix v2 1/5] x86/irq: Do not reuse struct apic_chip_data.old_domain as temporary buffer Borislav Petkov
2015-12-24  5:15             ` Jeremiah Mahler
2015-12-28  8:24               ` Jiang Liu
2015-12-29  3:26                 ` Jeremiah Mahler
2015-12-24 14:34             ` Joe Lawrence
2016-01-16 21:16             ` [tip:x86/urgent] x86/irq: Do not use " tip-bot for Jiang Liu

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:908cb37 dfblob:cf1e325 )
 OR (
bs:"[tip:x86/urgent] x86/irq: Fix a race in x86_vector_free_irqs()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=tip-111abeba67e0dbdc26537429de9155e4f1d807d8@git.kernel.org \
    --to=tipbot@zytor.com \
    --cc=bp@alien8.de \
    --cc=hpa@zytor.com \
    --cc=jiang.liu@linux.intel.com \
    --cc=jmmahler@gmail.com \
    --cc=joe.lawrence@stratus.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-tip-commits@vger.kernel.org \
    --cc=linux@roeck-us.net \
    --cc=mingo@kernel.org \
    --cc=tglx@linutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.