diff options
| author | Jan Kiszka <jan.kiszka@siemens.com> | 2014-01-27 14:14:06 -0500 |
|---|---|---|
| committer | Ingo Molnar <mingo@kernel.org> | 2014-03-11 07:03:31 -0400 |
| commit | ea7bdc65bca8cf837a63e0ff7b75daed83222511 (patch) | |
| tree | d67398dcdacf14f473de2db3f1dcf6a1c69ef782 | |
| parent | dc9788f40a769d967de3eb5a7aee8c1a70094d32 (diff) | |
x86/apic: Plug racy xAPIC access of CPU hotplug code
apic_icr_write() and its users in smpboot.c were apparently
written under the assumption that this code would only run
during early boot. But nowadays we also execute it when onlining
a CPU later on while the system is fully running. That will make
wakeup_cpu_via_init_nmi and, thus, also native_apic_icr_write
run in plain process context. If we migrate the caller to a
different CPU at the wrong time or interrupt it and write to
ICR/ICR2 to send unrelated IPIs, we can end up sending INIT,
SIPI or NMIs to wrong CPUs.
Fix this by disabling interrupts during the write to the ICR
halves and disable preemption around waiting for ICR
availability and using it.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Tested-By: Igor Mammedov <imammedo@redhat.com>
Link: http://lkml.kernel.org/r/52E6AFFE.3030004@siemens.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
| -rw-r--r-- | arch/x86/kernel/apic/apic.c | 4 | ||||
| -rw-r--r-- | arch/x86/kernel/smpboot.c | 11 |
2 files changed, 13 insertions, 2 deletions
diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c index f824d697db19..53e20531470e 100644 --- a/arch/x86/kernel/apic/apic.c +++ b/arch/x86/kernel/apic/apic.c | |||
| @@ -286,8 +286,12 @@ u32 native_safe_apic_wait_icr_idle(void) | |||
| 286 | 286 | ||
| 287 | void native_apic_icr_write(u32 low, u32 id) | 287 | void native_apic_icr_write(u32 low, u32 id) |
| 288 | { | 288 | { |
| 289 | unsigned long flags; | ||
| 290 | |||
| 291 | local_irq_save(flags); | ||
| 289 | apic_write(APIC_ICR2, SET_APIC_DEST_FIELD(id)); | 292 | apic_write(APIC_ICR2, SET_APIC_DEST_FIELD(id)); |
| 290 | apic_write(APIC_ICR, low); | 293 | apic_write(APIC_ICR, low); |
| 294 | local_irq_restore(flags); | ||
| 291 | } | 295 | } |
| 292 | 296 | ||
| 293 | u64 native_apic_icr_read(void) | 297 | u64 native_apic_icr_read(void) |
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c index c77acc69ecf6..60179ec39d4c 100644 --- a/arch/x86/kernel/smpboot.c +++ b/arch/x86/kernel/smpboot.c | |||
| @@ -702,11 +702,15 @@ wakeup_cpu_via_init_nmi(int cpu, unsigned long start_ip, int apicid, | |||
| 702 | int id; | 702 | int id; |
| 703 | int boot_error; | 703 | int boot_error; |
| 704 | 704 | ||
| 705 | preempt_disable(); | ||
| 706 | |||
| 705 | /* | 707 | /* |
| 706 | * Wake up AP by INIT, INIT, STARTUP sequence. | 708 | * Wake up AP by INIT, INIT, STARTUP sequence. |
| 707 | */ | 709 | */ |
| 708 | if (cpu) | 710 | if (cpu) { |
| 709 | return wakeup_secondary_cpu_via_init(apicid, start_ip); | 711 | boot_error = wakeup_secondary_cpu_via_init(apicid, start_ip); |
| 712 | goto out; | ||
| 713 | } | ||
| 710 | 714 | ||
| 711 | /* | 715 | /* |
| 712 | * Wake up BSP by nmi. | 716 | * Wake up BSP by nmi. |
| @@ -726,6 +730,9 @@ wakeup_cpu_via_init_nmi(int cpu, unsigned long start_ip, int apicid, | |||
| 726 | boot_error = wakeup_secondary_cpu_via_nmi(id, start_ip); | 730 | boot_error = wakeup_secondary_cpu_via_nmi(id, start_ip); |
| 727 | } | 731 | } |
| 728 | 732 | ||
| 733 | out: | ||
| 734 | preempt_enable(); | ||
| 735 | |||
| 729 | return boot_error; | 736 | return boot_error; |
| 730 | } | 737 | } |
| 731 | 738 | ||