genirq: Prevent proc race against freeing of irq descriptors

Since the rework of the sparse interrupt code to actually free the unused interrupt descriptors there exists a race between the /proc interfaces to the irq subsystem and the code which frees the interrupt descriptor. CPU0 CPU1 show_interrupts() desc = irq_to_desc(X); free_desc(desc) remove_from_radix_tree(); kfree(desc); raw_spinlock_irq(&desc->lock); /proc/interrupts is the only interface which can actively corrupt kernel memory via the lock access. /proc/stat can only read from freed memory. Extremly hard to trigger, but possible. The interfaces in /proc/irq/N/ are not affected by this because the removal of the proc file is serialized in procfs against concurrent readers/writers. The removal happens before the descriptor is freed. For architectures which have CONFIG_SPARSE_IRQ=n this is a non issue as the descriptor is never freed. It's merely cleared out with the irq descriptor lock held. So any concurrent proc access will either see the old correct value or the cleared out ones. Protect the lookup and access to the irq descriptor in show_interrupts() with the sparse_irq_lock. Provide kstat_irqs_usr() which is protecting the lookup and access with sparse_irq_lock and switch /proc/stat to use it. Document the existing kstat_irqs interfaces so it's clear that the caller needs to take care about protection. The users of these interfaces are either not affected due to SPARSE_IRQ=n or already protected against removal. Fixes: 1f5a5b87f78f "genirq: Implement a sane sparse_irq allocator" Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org
author: Thomas Gleixner <tglx@linutronix.de> 2014-12-11 17:01:41 -0500
committer: Thomas Gleixner <tglx@linutronix.de> 2014-12-13 07:33:07 -0500
commit: c291ee622165cb2c8d4e7af63fffd499354a23be (patch)
tree: 40737c5d5d419d35ed386d46b77f979dd5900312 /kernel
parent: 3a5dc1fafb016560315fe45bb4ef8bde259dd1bc (diff)
3 files changed, 77 insertions, 1 deletions
diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h
index 4332d766619d..df553b0af936 100644
--- a/kernel/irq/internals.h
+++ b/kernel/irq/internals.h
@@ -78,8 +78,12 @@ extern void unmask_threaded_irq(struct irq_desc *desc);
 #ifdef CONFIG_SPARSE_IRQ
 static inline void irq_mark_irq(unsigned int irq) { }
+extern void irq_lock_sparse(void);
+extern void irq_unlock_sparse(void);
 #else
 extern void irq_mark_irq(unsigned int irq);
+static inline void irq_lock_sparse(void) { }
+static inline void irq_unlock_sparse(void) { }
 #endif
 extern void init_kstat_irqs(struct irq_desc *desc, int node, int nr);
diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c
index a1782f88f0af..99793b9b6d23 100644
--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -132,6 +132,16 @@ static void free_masks(struct irq_desc *desc)
 static inline void free_masks(struct irq_desc *desc) { }
 #endif
+void irq_lock_sparse(void)
+{
+        mutex_lock(&sparse_irq_lock);
+}
+void irq_unlock_sparse(void)
+{
+        mutex_unlock(&sparse_irq_lock);
+}
 static struct irq_desc *alloc_desc(int irq, int node, struct module *owner)
 {
        struct irq_desc *desc;
@@ -168,6 +178,12 @@ static void free_desc(unsigned int irq)
        unregister_irq_proc(irq, desc);
+        /*
+         * sparse_irq_lock protects also show_interrupts() and
+         * kstat_irq_usr(). Once we deleted the descriptor from the
+         * sparse tree we can free it. Access in proc will fail to
+         * lookup the descriptor.
+         */
        mutex_lock(&sparse_irq_lock);
        delete_irq_desc(irq);
        mutex_unlock(&sparse_irq_lock);
@@ -574,6 +590,15 @@ void kstat_incr_irq_this_cpu(unsigned int irq)
        kstat_incr_irqs_this_cpu(irq, irq_to_desc(irq));
 }
+/**
+ * kstat_irqs_cpu - Get the statistics for an interrupt on a cpu
+ * @irq:        The interrupt number
+ * @cpu:        The cpu number
+ *
+ * Returns the sum of interrupt counts on @cpu since boot for
+ * @irq. The caller must ensure that the interrupt is not removed
+ * concurrently.
+ */
 unsigned int kstat_irqs_cpu(unsigned int irq, int cpu)
 {
        struct irq_desc *desc = irq_to_desc(irq);
@@ -582,6 +607,14 @@ unsigned int kstat_irqs_cpu(unsigned int irq, int cpu)
                        *per_cpu_ptr(desc->kstat_irqs, cpu) : 0;
 }
+/**
+ * kstat_irqs - Get the statistics for an interrupt
+ * @irq:        The interrupt number
+ *
+ * Returns the sum of interrupt counts on all cpus since boot for
+ * @irq. The caller must ensure that the interrupt is not removed
+ * concurrently.
+ */
 unsigned int kstat_irqs(unsigned int irq)
 {
        struct irq_desc *desc = irq_to_desc(irq);
@@ -594,3 +627,22 @@ unsigned int kstat_irqs(unsigned int irq)
                sum += *per_cpu_ptr(desc->kstat_irqs, cpu);
        return sum;
 }
+/**
+ * kstat_irqs_usr - Get the statistics for an interrupt
+ * @irq:        The interrupt number
+ *
+ * Returns the sum of interrupt counts on all cpus since boot for
+ * @irq. Contrary to kstat_irqs() this can be called from any
+ * preemptible context. It's protected against concurrent removal of
+ * an interrupt descriptor when sparse irqs are enabled.
+ */
+unsigned int kstat_irqs_usr(unsigned int irq)
+{
+        int sum;
+        irq_lock_sparse();
+        sum = kstat_irqs(irq);
+        irq_unlock_sparse();
+        return sum;
+}
diff --git a/kernel/irq/proc.c b/kernel/irq/proc.c
index ac1ba2f11032..9dc9bfd8a678 100644
--- a/kernel/irq/proc.c
+++ b/kernel/irq/proc.c
@@ -15,6 +15,23 @@
 #include "internals.h"
+/*
+ * Access rules:
+ *
+ * procfs protects read/write of /proc/irq/N/ files against a
+ * concurrent free of the interrupt descriptor. remove_proc_entry()
+ * immediately prevents new read/writes to happen and waits for
+ * already running read/write functions to complete.
+ *
+ * We remove the proc entries first and then delete the interrupt
+ * descriptor from the radix tree and free it. So it is guaranteed
+ * that irq_to_desc(N) is valid as long as the read/writes are
+ * permitted by procfs.
+ *
+ * The read from /proc/interrupts is a different problem because there
+ * is no protection. So the lookup and the access to irqdesc
+ * information must be protected by sparse_irq_lock.
+ */
 static struct proc_dir_entry *root_irq_dir;
 #ifdef CONFIG_SMP
@@ -437,9 +454,10 @@ int show_interrupts(struct seq_file *p, void *v)
                seq_putc(p, '\n');
        }
+        irq_lock_sparse();
        desc = irq_to_desc(i);
        if (!desc)
-                return 0;
+                goto outsparse;
        raw_spin_lock_irqsave(&desc->lock, flags);
        for_each_online_cpu(j)
@@ -479,6 +497,8 @@ int show_interrupts(struct seq_file *p, void *v)
        seq_putc(p, '\n');
 out:
        raw_spin_unlock_irqrestore(&desc->lock, flags);
+outsparse:
+        irq_unlock_sparse();
        return 0;
 }
 #endif
author	Thomas Gleixner <tglx@linutronix.de>	2014-12-11 17:01:41 -0500
committer	Thomas Gleixner <tglx@linutronix.de>	2014-12-13 07:33:07 -0500
commit	c291ee622165cb2c8d4e7af63fffd499354a23be (patch)
tree	40737c5d5d419d35ed386d46b77f979dd5900312 /kernel
parent	3a5dc1fafb016560315fe45bb4ef8bde259dd1bc (diff)

diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h index 4332d766619d..df553b0af936 100644 --- a/kernel/irq/internals.h +++ b/kernel/irq/internals.h
@@ -78,8 +78,12 @@ extern void unmask_threaded_irq(struct irq_desc *desc);
78		78
79	#ifdef CONFIG_SPARSE_IRQ	79	#ifdef CONFIG_SPARSE_IRQ
80	static inline void irq_mark_irq(unsigned int irq) { }	80	static inline void irq_mark_irq(unsigned int irq) { }
		81	extern void irq_lock_sparse(void);
		82	extern void irq_unlock_sparse(void);
81	#else	83	#else
82	extern void irq_mark_irq(unsigned int irq);	84	extern void irq_mark_irq(unsigned int irq);
		85	static inline void irq_lock_sparse(void) { }
		86	static inline void irq_unlock_sparse(void) { }
83	#endif	87	#endif
84		88
85	extern void init_kstat_irqs(struct irq_desc *desc, int node, int nr);	89	extern void init_kstat_irqs(struct irq_desc *desc, int node, int nr);


diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c index a1782f88f0af..99793b9b6d23 100644 --- a/kernel/irq/irqdesc.c +++ b/kernel/irq/irqdesc.c
@@ -132,6 +132,16 @@ static void free_masks(struct irq_desc *desc)
132	static inline void free_masks(struct irq_desc *desc) { }	132	static inline void free_masks(struct irq_desc *desc) { }
133	#endif	133	#endif
134		134
		135	void irq_lock_sparse(void)
		136	{
		137	mutex_lock(&sparse_irq_lock);
		138	}
		139
		140	void irq_unlock_sparse(void)
		141	{
		142	mutex_unlock(&sparse_irq_lock);
		143	}
		144
135	static struct irq_desc alloc_desc(int irq, int node, struct module owner)	145	static struct irq_desc alloc_desc(int irq, int node, struct module owner)
136	{	146	{
137	struct irq_desc *desc;	147	struct irq_desc *desc;
@@ -168,6 +178,12 @@ static void free_desc(unsigned int irq)
168		178
169	unregister_irq_proc(irq, desc);	179	unregister_irq_proc(irq, desc);
170		180
		181	/*
		182	* sparse_irq_lock protects also show_interrupts() and
		183	* kstat_irq_usr(). Once we deleted the descriptor from the
		184	* sparse tree we can free it. Access in proc will fail to
		185	* lookup the descriptor.
		186	*/
171	mutex_lock(&sparse_irq_lock);	187	mutex_lock(&sparse_irq_lock);
172	delete_irq_desc(irq);	188	delete_irq_desc(irq);
173	mutex_unlock(&sparse_irq_lock);	189	mutex_unlock(&sparse_irq_lock);
@@ -574,6 +590,15 @@ void kstat_incr_irq_this_cpu(unsigned int irq)
574	kstat_incr_irqs_this_cpu(irq, irq_to_desc(irq));	590	kstat_incr_irqs_this_cpu(irq, irq_to_desc(irq));
575	}	591	}
576		592
		593	/**
		594	* kstat_irqs_cpu - Get the statistics for an interrupt on a cpu
		595	* @irq: The interrupt number
		596	* @cpu: The cpu number
		597	*
		598	* Returns the sum of interrupt counts on @cpu since boot for
		599	* @irq. The caller must ensure that the interrupt is not removed
		600	* concurrently.
		601	*/
577	unsigned int kstat_irqs_cpu(unsigned int irq, int cpu)	602	unsigned int kstat_irqs_cpu(unsigned int irq, int cpu)
578	{	603	{
579	struct irq_desc *desc = irq_to_desc(irq);	604	struct irq_desc *desc = irq_to_desc(irq);
@@ -582,6 +607,14 @@ unsigned int kstat_irqs_cpu(unsigned int irq, int cpu)
582	*per_cpu_ptr(desc->kstat_irqs, cpu) : 0;	607	*per_cpu_ptr(desc->kstat_irqs, cpu) : 0;
583	}	608	}
584		609
		610	/**
		611	* kstat_irqs - Get the statistics for an interrupt
		612	* @irq: The interrupt number
		613	*
		614	* Returns the sum of interrupt counts on all cpus since boot for
		615	* @irq. The caller must ensure that the interrupt is not removed
		616	* concurrently.
		617	*/
585	unsigned int kstat_irqs(unsigned int irq)	618	unsigned int kstat_irqs(unsigned int irq)
586	{	619	{
587	struct irq_desc *desc = irq_to_desc(irq);	620	struct irq_desc *desc = irq_to_desc(irq);
@@ -594,3 +627,22 @@ unsigned int kstat_irqs(unsigned int irq)
594	sum += *per_cpu_ptr(desc->kstat_irqs, cpu);	627	sum += *per_cpu_ptr(desc->kstat_irqs, cpu);
595	return sum;	628	return sum;
596	}	629	}
		630
		631	/**
		632	* kstat_irqs_usr - Get the statistics for an interrupt
		633	* @irq: The interrupt number
		634	*
		635	* Returns the sum of interrupt counts on all cpus since boot for
		636	* @irq. Contrary to kstat_irqs() this can be called from any
		637	* preemptible context. It's protected against concurrent removal of
		638	* an interrupt descriptor when sparse irqs are enabled.
		639	*/
		640	unsigned int kstat_irqs_usr(unsigned int irq)
		641	{
		642	int sum;
		643
		644	irq_lock_sparse();
		645	sum = kstat_irqs(irq);
		646	irq_unlock_sparse();
		647	return sum;
		648	}


diff --git a/kernel/irq/proc.c b/kernel/irq/proc.c index ac1ba2f11032..9dc9bfd8a678 100644 --- a/kernel/irq/proc.c +++ b/kernel/irq/proc.c
@@ -15,6 +15,23 @@
15		15
16	#include "internals.h"	16	#include "internals.h"
17		17
		18	/*
		19	* Access rules:
		20	*
		21	* procfs protects read/write of /proc/irq/N/ files against a
		22	* concurrent free of the interrupt descriptor. remove_proc_entry()
		23	* immediately prevents new read/writes to happen and waits for
		24	* already running read/write functions to complete.
		25	*
		26	* We remove the proc entries first and then delete the interrupt
		27	* descriptor from the radix tree and free it. So it is guaranteed
		28	* that irq_to_desc(N) is valid as long as the read/writes are
		29	* permitted by procfs.
		30	*
		31	* The read from /proc/interrupts is a different problem because there
		32	* is no protection. So the lookup and the access to irqdesc
		33	* information must be protected by sparse_irq_lock.
		34	*/
18	static struct proc_dir_entry *root_irq_dir;	35	static struct proc_dir_entry *root_irq_dir;
19		36
20	#ifdef CONFIG_SMP	37	#ifdef CONFIG_SMP
@@ -437,9 +454,10 @@ int show_interrupts(struct seq_file p, void v)
437	seq_putc(p, '\n');	454	seq_putc(p, '\n');
438	}	455	}
439		456
		457	irq_lock_sparse();
440	desc = irq_to_desc(i);	458	desc = irq_to_desc(i);
441	if (!desc)	459	if (!desc)
442	return 0;	460	goto outsparse;
443		461
444	raw_spin_lock_irqsave(&desc->lock, flags);	462	raw_spin_lock_irqsave(&desc->lock, flags);
445	for_each_online_cpu(j)	463	for_each_online_cpu(j)
@@ -479,6 +497,8 @@ int show_interrupts(struct seq_file p, void v)
479	seq_putc(p, '\n');	497	seq_putc(p, '\n');
480	out:	498	out:
481	raw_spin_unlock_irqrestore(&desc->lock, flags);	499	raw_spin_unlock_irqrestore(&desc->lock, flags);
		500	outsparse:
		501	irq_unlock_sparse();
482	return 0;	502	return 0;
483	}	503	}
484	#endif	504	#endif