diff options
| author | Thomas Gleixner <tglx@linutronix.de> | 2016-01-13 08:07:25 -0500 |
|---|---|---|
| committer | Thomas Gleixner <tglx@linutronix.de> | 2016-01-14 14:09:49 -0500 |
| commit | 570540d50710ed192e98e2f7f74578c9486b6b05 (patch) | |
| tree | f14cfa6dfd9ce7f65e0240d7a99876cc1fbec3bd | |
| parent | 3d116a66ed9df0271b8d267093b3bfde2be19b3a (diff) | |
genirq: Validate action before dereferencing it in handle_irq_event_percpu()
commit 71f64340fc0e changed the handling of irq_desc->action from
CPU 0 CPU 1
free_irq() lock(desc)
lock(desc) handle_edge_irq()
if (desc->action) {
handle_irq_event()
action = desc->action
unlock(desc)
desc->action = NULL handle_irq_event_percpu(desc, action)
action->xxx
to
CPU 0 CPU 1
free_irq() lock(desc)
lock(desc) handle_edge_irq()
if (desc->action) {
handle_irq_event()
unlock(desc)
desc->action = NULL handle_irq_event_percpu(desc, action)
action = desc->action
action->xxx
So if free_irq manages to set the action to NULL between the unlock and before
the readout, we happily dereference a null pointer.
We could simply revert 71f64340fc0e, but we want to preserve the better code
generation. A simple solution is to change the action loop from a do {} while
to a while {} loop.
This is safe because we either see a valid desc->action or NULL. If the action
is about to be removed it is still valid as free_irq() is blocked on
synchronize_irq().
CPU 0 CPU 1
free_irq() lock(desc)
lock(desc) handle_edge_irq()
handle_irq_event(desc)
set(INPROGRESS)
unlock(desc)
handle_irq_event_percpu(desc)
action = desc->action
desc->action = NULL while (action) {
action->xxx
...
action = action->next;
sychronize_irq()
while(INPROGRESS); lock(desc)
clr(INPROGRESS)
free(action)
That's basically the same mechanism as we have for shared
interrupts. action->next can become NULL while handle_irq_event_percpu()
runs. Either it sees the action or NULL. It does not matter, because action
itself cannot go away before the interrupt in progress flag has been cleared.
Fixes: commit 71f64340fc0e "genirq: Remove the second parameter from handle_irq_event_percpu()"
Reported-by: zyjzyj2000@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Huang Shijie <shijie.huang@arm.com>
Cc: Jiang Liu <jiang.liu@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1601131224190.3575@nanos
| -rw-r--r-- | kernel/irq/handle.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/kernel/irq/handle.c b/kernel/irq/handle.c index a302cf9a2126..57bff7857e87 100644 --- a/kernel/irq/handle.c +++ b/kernel/irq/handle.c | |||
| @@ -138,7 +138,8 @@ irqreturn_t handle_irq_event_percpu(struct irq_desc *desc) | |||
| 138 | unsigned int flags = 0, irq = desc->irq_data.irq; | 138 | unsigned int flags = 0, irq = desc->irq_data.irq; |
| 139 | struct irqaction *action = desc->action; | 139 | struct irqaction *action = desc->action; |
| 140 | 140 | ||
| 141 | do { | 141 | /* action might have become NULL since we dropped the lock */ |
| 142 | while (action) { | ||
| 142 | irqreturn_t res; | 143 | irqreturn_t res; |
| 143 | 144 | ||
| 144 | trace_irq_handler_entry(irq, action); | 145 | trace_irq_handler_entry(irq, action); |
| @@ -173,7 +174,7 @@ irqreturn_t handle_irq_event_percpu(struct irq_desc *desc) | |||
| 173 | 174 | ||
| 174 | retval |= res; | 175 | retval |= res; |
| 175 | action = action->next; | 176 | action = action->next; |
| 176 | } while (action); | 177 | } |
| 177 | 178 | ||
| 178 | add_interrupt_randomness(irq, flags); | 179 | add_interrupt_randomness(irq, flags); |
| 179 | 180 | ||