lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 9 Apr 2015 14:00:23 +0200
From:	Ingo Molnar <mingo@...nel.org>
To:	jiang.liu@...ux.intel.com, linux-kernel@...r.kernel.org,
	marc.zyngier@....com, hpa@...or.com, tglx@...utronix.de
Cc:	linux-tip-commits@...r.kernel.org
Subject: Re: [tip:irq/core] genirq: MSI: Fix freeing of unallocated MSI


* tip-bot for Marc Zyngier <tipbot@...or.com> wrote:

> Commit-ID:  fe0c52fc003bc046380e52fe6799c96d770770cc
> Gitweb:     http://git.kernel.org/tip/fe0c52fc003bc046380e52fe6799c96d770770cc
> Author:     Marc Zyngier <marc.zyngier@....com>
> AuthorDate: Mon, 26 Jan 2015 19:10:19 +0000
> Committer:  Thomas Gleixner <tglx@...utronix.de>
> CommitDate: Wed, 8 Apr 2015 23:28:28 +0200
> 
> genirq: MSI: Fix freeing of unallocated MSI
> 
> While debugging an unrelated issue with the GICv3 ITS driver, the
> following trace triggered:
> 
> WARNING: CPU: 1 PID: 1 at kernel/irq/irqdomain.c:1121 irq_domain_free_irqs+0x160/0x17c()
> NULL pointer, cannot free irq
> Modules linked in:
> CPU: 1 PID: 1 Comm: swapper/0 Tainted: G        W      3.19.0-rc6+ #3690
> Hardware name: FVP Base (DT)
> Call trace:
> [<ffffffc000089398>] dump_backtrace+0x0/0x13c
> [<ffffffc0000894e4>] show_stack+0x10/0x1c
> [<ffffffc00066d134>] dump_stack+0x74/0x94
> [<ffffffc0000a92f8>] warn_slowpath_common+0x9c/0xd4
> [<ffffffc0000a938c>] warn_slowpath_fmt+0x5c/0x80
> [<ffffffc0000ee04c>] irq_domain_free_irqs+0x15c/0x17c
> [<ffffffc0000ef918>] msi_domain_free_irqs+0x58/0x74
> [<ffffffc000386f58>] free_msi_irqs+0xb4/0x1c0
> 
>     // The msi_prepare callback fails here
> 
> [<ffffffc0003872c0>] pci_enable_msix+0x25c/0x3d4
> [<ffffffc00038746c>] pci_enable_msix_range+0x34/0x80
> [<ffffffc0003924ac>] vp_try_to_find_vqs+0xec/0x528
> [<ffffffc000392954>] vp_find_vqs+0x6c/0xa8
> [<ffffffc0003ee2a8>] init_vq+0x120/0x248
> [<ffffffc0003eefb0>] virtblk_probe+0xb0/0x6bc
> [<ffffffc00038fc34>] virtio_dev_probe+0x17c/0x214
> [<ffffffc0003d4a04>] driver_probe_device+0x7c/0x23c
> [<ffffffc0003d4cb0>] __driver_attach+0x98/0xa0
> [<ffffffc0003d2c60>] bus_for_each_dev+0x60/0xb4
> [<ffffffc0003d455c>] driver_attach+0x1c/0x28
> [<ffffffc0003d41b0>] bus_add_driver+0x150/0x208
> [<ffffffc0003d54c0>] driver_register+0x64/0x130
> [<ffffffc00038f9e8>] register_virtio_driver+0x24/0x68
> [<ffffffc00091320c>] init+0x70/0xac
> [<ffffffc0000828f0>] do_one_initcall+0x94/0x1d0
> [<ffffffc0008e9b00>] kernel_init_freeable+0x144/0x1e4
> [<ffffffc00066a434>] kernel_init+0xc/0xd8
> ---[ end trace f9ee562a77cc7bae ]---
> 
> The ITS msi_prepare callback having failed, we end-up trying to
> free MSIs that have never been allocated. Oddly enough, the kernel
> is pretty upset about it.
> 
> It turns out that this behaviour was expected before the MSI domain
> was introduced (and dealt with in arch_teardown_msi_irqs).
> 
> The obvious fix is to detect this early enough and bail out.
> 
> Signed-off-by: Marc Zyngier <marc.zyngier@....com>
> Reviewed-by: Jiang Liu <jiang.liu@...ux.intel.com>
> Link: http://lkml.kernel.org/r/1422299419-6051-1-git-send-email-marc.zyngier@arm.com
> Signed-off-by: Thomas Gleixner <tglx@...utronix.de>
> ---
>  kernel/irq/msi.c | 11 +++++++++--
>  1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/irq/msi.c b/kernel/irq/msi.c
> index 3e18163..474de5c 100644
> --- a/kernel/irq/msi.c
> +++ b/kernel/irq/msi.c
> @@ -310,8 +310,15 @@ void msi_domain_free_irqs(struct irq_domain *domain, struct device *dev)
>  	struct msi_desc *desc;
>  
>  	for_each_msi_entry(desc, dev) {
> -		irq_domain_free_irqs(desc->irq, desc->nvec_used);
> -		desc->irq = 0;
> +		/*
> +		 * We might have failed to allocate an MSI early

nit:

s/an MSI/an MSI interrupt

> +		 * enough that there is no IRQ associated to this

nit:

s/to/with

> +		 * entry. If that's the case, don't do anything.
> +		 */
> +		if (desc->irq) {
> +			irq_domain_free_irqs(desc->irq, desc->nvec_used);
> +			desc->irq = 0;
> +		}

Hm, so this appears to be the first time that 'irq == 0' assumptions 
are getting into the genirq core. Is NO_IRQ dead? I realize that the 
MSI code uses '!irq' as a flag, but still, quite a few architectures 
define NO_IRQ so it appears to matter to them.

Thanks,

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ