diff options
author | Greg Edwards <gedwards@ddn.com> | 2014-07-23 12:13:26 -0400 |
---|---|---|
committer | Joerg Roedel <jroedel@suse.de> | 2014-07-31 07:45:05 -0400 |
commit | af437469d14e91e8b4273606cac4c08f05bf056e (patch) | |
tree | 303694d6ef5d040a1e683c9319f347c5bee4b2e0 /drivers/iommu | |
parent | c875d2c1b8083cd627ea0463e20bf22c2d7421ee (diff) |
iommu/vt-d: Fix race setting IRQ CPU affinity while freeing IRQ
A user process setting the CPU affinity of an IRQ for a KVM
direct-assigned device via /proc/irq/<IRQ#>/smp_affinity can race with
the IRQ being released by QEMU, resulting in a NULL iommu pointer
dereference in get_irte(), causing this crash:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
IP: [<ffffffff8190a652>] intel_ioapic_set_affinity+0x82/0x1b0
PGD 99172e067 PUD 1026979067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 1 PID: 3354 Comm: affin Not tainted 3.16.0-rc7-00007-g31dab71 #1
Hardware name: Supermicro SYS-F617R2-RT+/X9DRFR, BIOS 3.0a 01/29/2014
task: ffff881025b0e720 ti: ffff88099173c000 task.ti: ffff88099173c000
RIP: 0010:[<ffffffff8190a652>] [<ffffffff8190a652>] intel_ioapic_set_affinity+0x82/0x1b0
RSP: 0018:ffff88099173fdb0 EFLAGS: 00010046
RAX: 0000000000000082 RBX: ffff880a36294600 RCX: 0000000000000082
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8266af00
RBP: ffff88099173fdf8 R08: 0000000000000000 R09: ffff88103ec00490
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88099173fe90
R13: 000000000000005f R14: ffff880faa38fe80 R15: ffff880faa38fe80
FS: 00007f7161f05740(0000) GS:ffff88107fc40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000090 CR3: 000000099140d000 CR4: 00000000001427e0
Stack:
ffffffff81c44740 ffff88099173fdc8 ffffffff00000000 00000000c991fd3b
ffff880a36294600 ffff88099173fe90 ffff88099173fe90 0000000000000000
0000000000000286 ffff88099173fe08 ffffffff8190aac5 ffff88099173fe28
Call Trace:
[<ffffffff8190aac5>] set_remapped_irq_affinity+0x25/0x40
[<ffffffff811322dc>] irq_do_set_affinity+0x1c/0x50
[<ffffffff81132458>] irq_set_affinity_locked+0x98/0xd0
[<ffffffff811324d6>] __irq_set_affinity+0x46/0x70
[<ffffffff811362dc>] write_irq_affinity.isra.6+0xdc/0x100
[<ffffffff8113631c>] irq_affinity_list_proc_write+0x1c/0x20
[<ffffffff8129f30d>] proc_reg_write+0x3d/0x80
[<ffffffff812384a7>] vfs_write+0xb7/0x1f0
[<ffffffff81243619>] ? putname+0x29/0x40
[<ffffffff812390c5>] SyS_write+0x55/0xd0
[<ffffffff81adc729>] system_call_fastpath+0x16/0x1b
Code: ff 48 85 d2 74 68 4c 8b 7a 30 4d 85 ff 74 5f 48 c7 c7 00 af 66 82 e8 9e 1b 1d 00 49 8b 57 20 41 0f b7 77 28 48 c7 c7 00 af 66 82 <48> 8b 8a 90 00 00 00 41 0f b7 57 2a 01 f2 48 89 c6 48 63 d2 48
RIP [<ffffffff8190a652>] intel_ioapic_set_affinity+0x82/0x1b0
RSP <ffff88099173fdb0>
CR2: 0000000000000090
Signed-off-by: Greg Edwards <gedwards@ddn.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Diffstat (limited to 'drivers/iommu')
-rw-r--r-- | drivers/iommu/intel_irq_remapping.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c index 757e0b0d19ff..0df41f6264f5 100644 --- a/drivers/iommu/intel_irq_remapping.c +++ b/drivers/iommu/intel_irq_remapping.c | |||
@@ -70,6 +70,11 @@ static int get_irte(int irq, struct irte *entry) | |||
70 | 70 | ||
71 | raw_spin_lock_irqsave(&irq_2_ir_lock, flags); | 71 | raw_spin_lock_irqsave(&irq_2_ir_lock, flags); |
72 | 72 | ||
73 | if (unlikely(!irq_iommu->iommu)) { | ||
74 | raw_spin_unlock_irqrestore(&irq_2_ir_lock, flags); | ||
75 | return -1; | ||
76 | } | ||
77 | |||
73 | index = irq_iommu->irte_index + irq_iommu->sub_handle; | 78 | index = irq_iommu->irte_index + irq_iommu->sub_handle; |
74 | *entry = *(irq_iommu->iommu->ir_table->base + index); | 79 | *entry = *(irq_iommu->iommu->ir_table->base + index); |
75 | 80 | ||