lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 31 Oct 2019 03:53:50 +0000
From:   Kar Hin Ong <kar.hin.ong@...com>
To:     "linux-rt-users@...r.kernel.org" <linux-rt-users@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-x86_64@...r.kernel.org" <linux-x86_64@...r.kernel.org>,
        "linux-pci@...r.kernel.org" <linux-pci@...r.kernel.org>
Subject: "oneshot" interrupt causes another interrupt to be fired erroneously
 in Haswell system

Hi,

I've an Intel Haswell system running Linux kernel v4.14 with preempt_rt patch. The system contain 2 IOAPICs: IOAPIC 1 is on the PCH where IOAPIC 2 is on the CPU.

I observed that whenever a PCI device is firing interrupt (INTx) to Pin 20 of IOAPIC 2 (GSI 44); the kernel will receives 2 interrupts: 
   1. Interrupt from Pin 20 of IOAPIC 2  -> Expected
   2. Interrupt from Pin 19 of IOAPIC 1  -> UNEXPECTED, erroneously triggered

The unexpected interrupt is unhandled eventually. When this scenario happen more than 99,000 times, kernel disables the interrupt line (Pin 19 of IOAPIC 1) and causing device that has requested it become malfunction.

I managed to also reproduced this issue on RHEL 8 and Ubuntu 19-04 (without preempt_rt patch) after added "threadirqs" to the kernel command line.

After digging further, I noticed that the said issue is happened whenever an interrupt pin on IOAPIC 2 is masked:
 - Masking Pin 20 of IOAPIC 2 triggers Pin 19 of IOAPIC 1  
 - Masking Pin 22 of IOAPIC 2 triggers Pin 18 of IOAPIC 1  

I also noticed that kernel will explicitly mask a specific interrupt pin before execute its handler, if the interrupt is configured as "oneshot" (i.e. threaded). See https://elixir.bootlin.com/linux/v4.14/source/kernel/irq/chip.c#L695  
This explained why it only happened on RTOS and Desktop Linux with "threadirqs" flag, because these configurations force the interrupt handler to be threaded.

>From Intel Xeon Processor E5/E7 v3 Product Family External Design Specification (EDS), Volume One: Architecture, section 13.1 (Legacy PCI Interrupt Handling), it mention:
"If the I/OxAPIC entry is masked (via the 'mask' bit in the corresponding Redirection Table Entry), then the corresponding PCI Express interrupt(s) is forwarded to the legacy PCH"

My interpretation is: when kernel receive a "oneshot" interrupt, it mask the line before start handling it (or sending the eoi signal). 
At this moment, if the interrupt line is still asserting, then the interrupt signal will be routed to the IOAPIC in PCH, and hence causing another interrupt to be fired erroneously.  

I would like to understand if my interpretation is make sense. If yes, should the "oneshot" algorithm need to be updated to support Haswell system?

Thanks.
Kar Hin Ong

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ