From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alexey Kardashevskiy <aik@ozlabs.ru>,
Paul Mackerras <paulus@samba.org>,
Michael Ellerman <mpe@ellerman.id.au>
Subject: [PATCH 3.14 65/79] powerpc/MSI: Fix race condition in tearing down MSI interrupts
Date: Sat, 17 Oct 2015 19:05:57 -0700 [thread overview]
Message-ID: <20151018020216.221261520@linuxfoundation.org> (raw)
In-Reply-To: <20151018020213.322172837@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul Mackerras <paulus@ozlabs.org>
commit e297c939b745e420ef0b9dc989cb87bda617b399 upstream.
This fixes a race which can result in the same virtual IRQ number
being assigned to two different MSI interrupts. The most visible
consequence of that is usually a warning and stack trace from the
sysfs code about an attempt to create a duplicate entry in sysfs.
The race happens when one CPU (say CPU 0) is disposing of an MSI
while another CPU (say CPU 1) is setting up an MSI. CPU 0 calls
(for example) pnv_teardown_msi_irqs(), which calls
msi_bitmap_free_hwirqs() to indicate that the MSI (i.e. its
hardware IRQ number) is no longer in use. Then, before CPU 0 gets
to calling irq_dispose_mapping() to free up the virtal IRQ number,
CPU 1 comes in and calls msi_bitmap_alloc_hwirqs() to allocate an
MSI, and gets the same hardware IRQ number that CPU 0 just freed.
CPU 1 then calls irq_create_mapping() to get a virtual IRQ number,
which sees that there is currently a mapping for that hardware IRQ
number and returns the corresponding virtual IRQ number (which is
the same virtual IRQ number that CPU 0 was using). CPU 0 then
calls irq_dispose_mapping() and frees that virtual IRQ number.
Now, if another CPU comes along and calls irq_create_mapping(), it
is likely to get the virtual IRQ number that was just freed,
resulting in the same virtual IRQ number apparently being used for
two different hardware interrupts.
To fix this race, we just move the call to msi_bitmap_free_hwirqs()
to after the call to irq_dispose_mapping(). Since virq_to_hw()
doesn't work for the virtual IRQ number after irq_dispose_mapping()
has been called, we need to call it before irq_dispose_mapping() and
remember the result for the msi_bitmap_free_hwirqs() call.
The pattern of calling msi_bitmap_free_hwirqs() before
irq_dispose_mapping() appears in 5 places under arch/powerpc, and
appears to have originated in commit 05af7bd2d75e ("[POWERPC] MPIC
U3/U4 MSI backend") from 2007.
Fixes: 05af7bd2d75e ("[POWERPC] MPIC U3/U4 MSI backend")
Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/powernv/pci.c | 5 +++--
arch/powerpc/sysdev/fsl_msi.c | 5 +++--
arch/powerpc/sysdev/mpic_pasemi_msi.c | 6 ++++--
arch/powerpc/sysdev/mpic_u3msi.c | 5 +++--
arch/powerpc/sysdev/ppc4xx_msi.c | 5 +++--
5 files changed, 16 insertions(+), 10 deletions(-)
--- a/arch/powerpc/platforms/powernv/pci.c
+++ b/arch/powerpc/platforms/powernv/pci.c
@@ -109,6 +109,7 @@ static void pnv_teardown_msi_irqs(struct
struct pci_controller *hose = pci_bus_to_host(pdev->bus);
struct pnv_phb *phb = hose->private_data;
struct msi_desc *entry;
+ irq_hw_number_t hwirq;
if (WARN_ON(!phb))
return;
@@ -116,10 +117,10 @@ static void pnv_teardown_msi_irqs(struct
list_for_each_entry(entry, &pdev->msi_list, list) {
if (entry->irq == NO_IRQ)
continue;
+ hwirq = virq_to_hw(entry->irq);
irq_set_msi_desc(entry->irq, NULL);
- msi_bitmap_free_hwirqs(&phb->msi_bmp,
- virq_to_hw(entry->irq) - phb->msi_base, 1);
irq_dispose_mapping(entry->irq);
+ msi_bitmap_free_hwirqs(&phb->msi_bmp, hwirq - phb->msi_base, 1);
}
}
#endif /* CONFIG_PCI_MSI */
--- a/arch/powerpc/sysdev/fsl_msi.c
+++ b/arch/powerpc/sysdev/fsl_msi.c
@@ -121,15 +121,16 @@ static void fsl_teardown_msi_irqs(struct
{
struct msi_desc *entry;
struct fsl_msi *msi_data;
+ irq_hw_number_t hwirq;
list_for_each_entry(entry, &pdev->msi_list, list) {
if (entry->irq == NO_IRQ)
continue;
+ hwirq = virq_to_hw(entry->irq);
msi_data = irq_get_chip_data(entry->irq);
irq_set_msi_desc(entry->irq, NULL);
- msi_bitmap_free_hwirqs(&msi_data->bitmap,
- virq_to_hw(entry->irq), 1);
irq_dispose_mapping(entry->irq);
+ msi_bitmap_free_hwirqs(&msi_data->bitmap, hwirq, 1);
}
return;
--- a/arch/powerpc/sysdev/mpic_pasemi_msi.c
+++ b/arch/powerpc/sysdev/mpic_pasemi_msi.c
@@ -74,6 +74,7 @@ static int pasemi_msi_check_device(struc
static void pasemi_msi_teardown_msi_irqs(struct pci_dev *pdev)
{
struct msi_desc *entry;
+ irq_hw_number_t hwirq;
pr_debug("pasemi_msi_teardown_msi_irqs, pdev %p\n", pdev);
@@ -81,10 +82,11 @@ static void pasemi_msi_teardown_msi_irqs
if (entry->irq == NO_IRQ)
continue;
+ hwirq = virq_to_hw(entry->irq);
irq_set_msi_desc(entry->irq, NULL);
- msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap,
- virq_to_hw(entry->irq), ALLOC_CHUNK);
irq_dispose_mapping(entry->irq);
+ msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap,
+ hwirq, ALLOC_CHUNK);
}
return;
--- a/arch/powerpc/sysdev/mpic_u3msi.c
+++ b/arch/powerpc/sysdev/mpic_u3msi.c
@@ -124,15 +124,16 @@ static int u3msi_msi_check_device(struct
static void u3msi_teardown_msi_irqs(struct pci_dev *pdev)
{
struct msi_desc *entry;
+ irq_hw_number_t hwirq;
list_for_each_entry(entry, &pdev->msi_list, list) {
if (entry->irq == NO_IRQ)
continue;
+ hwirq = virq_to_hw(entry->irq);
irq_set_msi_desc(entry->irq, NULL);
- msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap,
- virq_to_hw(entry->irq), 1);
irq_dispose_mapping(entry->irq);
+ msi_bitmap_free_hwirqs(&msi_mpic->msi_bitmap, hwirq, 1);
}
return;
--- a/arch/powerpc/sysdev/ppc4xx_msi.c
+++ b/arch/powerpc/sysdev/ppc4xx_msi.c
@@ -121,16 +121,17 @@ void ppc4xx_teardown_msi_irqs(struct pci
{
struct msi_desc *entry;
struct ppc4xx_msi *msi_data = &ppc4xx_msi;
+ irq_hw_number_t hwirq;
dev_dbg(&dev->dev, "PCIE-MSI: tearing down msi irqs\n");
list_for_each_entry(entry, &dev->msi_list, list) {
if (entry->irq == NO_IRQ)
continue;
+ hwirq = virq_to_hw(entry->irq);
irq_set_msi_desc(entry->irq, NULL);
- msi_bitmap_free_hwirqs(&msi_data->bitmap,
- virq_to_hw(entry->irq), 1);
irq_dispose_mapping(entry->irq);
+ msi_bitmap_free_hwirqs(&msi_data->bitmap, hwirq, 1);
}
}
next prev parent reply other threads:[~2015-10-18 2:05 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-18 2:04 [PATCH 3.14 00/79] 3.14.55-stable review Greg Kroah-Hartman
2015-10-18 2:04 ` [PATCH 3.14 01/79] kvm: fix zero length mmio searching Greg Kroah-Hartman
2015-10-18 2:04 ` [PATCH 3.14 02/79] scsi: fix scsi_error_handler vs. scsi_host_dev_release race Greg Kroah-Hartman
2015-10-18 2:04 ` [PATCH 3.14 03/79] iser-target: remove command with state ISTATE_REMOVE Greg Kroah-Hartman
2015-10-18 2:04 ` [PATCH 3.14 04/79] perf tools: Fix copying of /proc/kcore Greg Kroah-Hartman
2015-10-18 2:04 ` [PATCH 3.14 05/79] perf hists: Update the column width for the "srcline" sort key Greg Kroah-Hartman
2015-10-18 2:04 ` [PATCH 3.14 06/79] perf stat: Get correct cpu id for print_aggr Greg Kroah-Hartman
2015-10-18 2:04 ` [PATCH 3.14 07/79] perf header: Fixup reading of HEADER_NRCPUS feature Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 08/79] hwmon: (nct6775) Swap STEP_UP_TIME and STEP_DOWN_TIME registers for most chips Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 09/79] ARM: fix Thumb2 signal handling when ARMv6 is enabled Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 10/79] ARM: 8429/1: disable GCC SRA optimization Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 11/79] windfarm: decrement client count when unregistering Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 12/79] ARM: dts: omap5-uevm.dts: fix i2c5 pinctrl offsets Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 13/79] dmaengine: dw: properly read DWC_PARAMS register Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 14/79] x86/apic: Serialize LVTT and TSC_DEADLINE writes Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 15/79] x86/platform: Fix Geode LX timekeeping in the generic x86 build Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 16/79] x86/paravirt: Replace the paravirt nop with a bona fide empty function Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 17/79] x86/nmi/64: Fix a paravirt stack-clobbering bug in the NMI code Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 18/79] Use WARN_ON_ONCE for missing X86_FEATURE_NRIPS Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 19/79] x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 20/79] x86/mm: Set NX on gap between __ex_table and rodata Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 21/79] x86/xen: Support kexec/kdump in HVM guests by doing a soft reset Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 22/79] sched/core: Fix TASK_DEAD race in finish_task_switch() Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 23/79] spi: Fix documentation of spi_alloc_master() Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 24/79] spi: spi-pxa2xx: Check status register to determine if SSSR_TINT is disabled Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 25/79] mm: hugetlbfs: skip shared VMAs when unmapping private pages to satisfy a fault Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 26/79] ALSA: synth: Fix conflicting OSS device registration on AWE32 Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 27/79] ALSA: hda - Apply SPDIF pin ctl to MacBookPro 12,1 Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 28/79] ASoC: pxa: pxa2xx-ac97: fix dma requestor lines Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 29/79] ASoC: fix broken pxa SoC support Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 30/79] ASoC: dwc: correct irq clear method Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 31/79] btrfs: skip waiting on ordered range for special files Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 32/79] Btrfs: fix read corruption of compressed and shared extents Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 33/79] Btrfs: update fix for " Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 34/79] dm btree: add ref counting ops for the leaves of top level btrees Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 35/79] staging: ion: fix corruption of ion_import_dma_buf Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 36/79] USB: option: add ZTE PIDs Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 37/79] dm raid: fix round up of default region size Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 38/79] netfilter: nf_conntrack: Support expectations in different zones Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 39/79] netfilter: ctnetlink: put back references to master ct and expect objects Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 40/79] netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 41/79] disabling oplocks/leases via module parm enable_oplocks broken for SMB3 Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 42/79] drm/qxl: only report first monitor as connected if we have no state Greg Kroah-Hartman
2016-05-27 11:06 ` Jiri Slaby
2016-05-27 11:13 ` Jiri Slaby
2016-08-14 14:51 ` Greg Kroah-Hartman
2016-08-16 8:21 ` Jiri Slaby
2015-10-18 2:05 ` [PATCH 3.14 44/79] drm: Reject DRI1 hw lock ioctl functions for kms drivers Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 45/79] USB: whiteheat: fix potential null-deref at probe Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 46/79] usb: xhci: Clear XHCI_STATE_DYING on start Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 47/79] xhci: change xhci 1.0 only restrictions to support xhci 1.1 Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 48/79] usb: xhci: Add support for URB_ZERO_PACKET to bulk/sg transfers Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 49/79] Initialize msg/shm IPC objects before doing ipc_addid() Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 50/79] ipvs: do not use random local source address for tunnels Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 51/79] ipvs: fix crash with sync protocol v0 and FTP Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 52/79] cifs: use server timestamp for ntlmv2 authentication Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 53/79] mtd: pxa3xx_nand: add a default chunk size Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 54/79] regmap: debugfs: Ensure we dont underflow when printing access masks Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 55/79] regmap: debugfs: Dont bother actually printing when calculating max length Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 56/79] security: fix typo in security_task_prctl Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 57/79] usb: Use the USB_SS_MULT() macro to get the burst multiplier Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 58/79] usb: Add device quirk for Logitech PTZ cameras Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 59/79] USB: Add reset-resume quirk for two Plantronics usb headphones Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 60/79] MIPS: dma-default: Fix 32-bit fall back to GFP_DMA Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 61/79] arch,hexagon: Convert smp_mb__*() Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 62/79] staging: comedi: usbduxsigma: dont clobber ai_timer in command test Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 63/79] staging: comedi: usbduxsigma: dont clobber ao_timer " Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 64/79] md: flush ->event_work before stopping array Greg Kroah-Hartman
2015-10-18 2:05 ` Greg Kroah-Hartman [this message]
2015-10-18 2:05 ` [PATCH 3.14 66/79] UBI: Validate data_size Greg Kroah-Hartman
2015-10-18 2:05 ` [PATCH 3.14 67/79] UBI: return ENOSPC if no enough space available Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 68/79] dcache: Handle escaped paths in prepend_path Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 69/79] vfs: Test for and handle paths that are unreachable from their mnt_root Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 70/79] arm64: readahead: fault retry breaks mmap file read random detection Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 71/79] m68k: Define asmlinkage_protect Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 72/79] fib_rules: Fix dump_rules() not to exit early Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 73/79] genirq: Fix race in register_irq_proc() Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 74/79] jbd2: avoid infinite loop when destroying aborted journal Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 75/79] clk: ti: fix dual-registration of uart4_ick Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 76/79] dm cache: fix NULL pointer when switching from cleaner policy Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 77/79] staging: speakup: fix speakup-r regression Greg Kroah-Hartman
2015-10-18 2:06 ` [PATCH 3.14 78/79] mm/slab: fix unexpected index mapping result of kmalloc_size(INDEX_NODE+1) Greg Kroah-Hartman
2015-10-19 4:10 ` [PATCH 3.14 00/79] 3.14.55-stable review Guenter Roeck
2015-10-19 15:14 ` Greg Kroah-Hartman
2015-10-19 19:13 ` Richard Kuo
2015-10-19 20:09 ` Greg Kroah-Hartman
2015-10-19 21:31 ` Richard Kuo
2015-10-19 15:20 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151018020216.221261520@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aik@ozlabs.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).