| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Mar 2019 21:21:40 +0800
From: Chen Jianguo <chenjianguo3@...wei.com>
To: Marc Zyngier <marc.zyngier@....com>
CC: Thomas Gleixner <tglx@...utronix.de>,
Jason Cooper <jason@...edaemon.net>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"Liyou (leeyou, RTOS)" <leeyou.li@...wei.com>,
"Joey Yan(Bo)" <joey.yanbo@...wei.com>,
"Xiaowei (C)" <xiaowei774@...wei.com>,
"zhanghan (Q)" <zhanghan23@...wei.com>,
Yangyingliang <yangyingliang@...wei.com>,
yaohongbo <yaohongbo@...wei.com>, Linuxarm <linuxarm@...wei.com>
Subject: Re: [PATCH] mbigen: don't clear eventid when free_irq
Hi Marc
On 2019/3/21 17:11, Marc Zyngier wrote:
> On Sat, 16 Mar 2019 11:15:03 +0000
> chenjianguo <chenjianguo3@...wei.com> wrote:
>
>> From: Jianguo Chen <chenjianguo3@...wei.com>
>>
>> mbigen_write_msg clears eventid bits of a mbigen register
>> when free a interrupt, because msi_domain_deactivate memset
>> struct msg to zero. Then multiple mbigen pins with zero eventid
>> will report the same interrupt number.
>>
>> The eventid clear call trace:
>> free_irq
>> __free_irq
>> irq_shutdown
>> irq_domain_deactivate_irq
>> __irq_domain_deactivate_irq
>> __irq_domain_deactivate_irq
>> msi_domain_deactivate
>> platform_msi_write_msg
>> mbigen_write_msg
>>
>> Signed-off-by: Jianguo Chen <chenjianguo3@...wei.com>
>> ---
>> drivers/irqchip/irq-mbigen.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c
>> index 567b29c..fad7291 100644
>> --- a/drivers/irqchip/irq-mbigen.c
>> +++ b/drivers/irqchip/irq-mbigen.c
>> @@ -161,6 +161,9 @@ static void mbigen_write_msg(struct msi_desc *desc,
>> struct msi_msg *msg)
>> void __iomem *base = d->chip_data;
>> u32 val;
>>
>> + if (!msg->address_lo && !msg->address_hi)
>> + return;
>> +
>> base += get_mbigen_vec_reg(d->hwirq);
>> val = readl_relaxed(base);
>>
>
> For whatever reason, I couldn't apply this patch (even when fishing a
> copy of this email from the archives). It seems to be corrupted is
> various ways, so I had to write the patch from scratch, which is not the
> most reliable way to work. Good thing this was something trivial, I
> wouldn't do it for something more complicated.
>
> In the future, please make sure to use 'git send-email' to send your
> patches, as it is known to work correctly.
>
> Thanks,
>
> M.
>
Mbigen vector register and pin structure shows as below:
event id 0 1 2 127
vector register reg0 reg1 reg2 reg127
| | | |
MBIGEN pin0 pin1 pin2 ... pin127
|-----|-----|-----|-----|
| | | | |
device interrupt num0 num1 num2 num127
Suppose a device driver requested irq num0 and num1 at the beginning,
and for some reason it freed irq num1, mbigen_write_msg will write reg1
with event id 0. Then the pin1 probably mistakenly report interrupt num0
to device driver if there is a signal on the pin.
event id 0 0 2 127
vector register reg0 reg1 reg2 reg127
| | | |
MBIGEN pin0 pin1 pin2 ... pin127
|-----|-----|-----|-----|
| | | | |
device interrup num0 num1 num2 num127
Thanks,
Jianguo Chen
Powered by blists - more mailing lists