| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Aug 2022 15:43:28 +0200
From: Lorenzo Pieralisi <lpieralisi@...nel.org>
To: Pali Rohár <pali@...nel.org>
Cc: Bjorn Helgaas <helgaas@...nel.org>,
Thomas Petazzoni <thomas.petazzoni@...tlin.com>,
Rob Herring <robh@...nel.org>,
Krzysztof Wilczyński <kw@...ux.com>,
Bjorn Helgaas <bhelgaas@...gle.com>,
Hajo Noerenberg <hajo-linux-bugzilla@...renberg.de>,
linux-pci@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
linux-kernel@...r.kernel.org, maz@...nel.org
Subject: Re: [PATCH] PCI: mvebu: Dispose INTx irqs prior to removing INTx
domain
[+Marc]
On Tue, Aug 09, 2022 at 03:39:11PM +0200, Pali Rohár wrote:
[...]
> > Then we'll need either a strong argument that this is safe even if
> > drivers for endpoints below fail to dispose of their IRQ info
> > correctly, or an argument that the benefit of making the PCI
> > controller drivers removable outweighs that risk.
> >
> > I haven't been paying close attention recently, so I may have missed
> > the details here, but my superficial opinion is that removability of
> > PCI controller drivers is primarily useful to developers, not to end
> > users.
>
> For developers it is strong need. Hajo needed this patch for debugging
> SATA related issue.
>
> For end-users in more cases it is also needed because cards, card
> drivers or controller drivers can be buggy and calling rmmod && modprobe
> is the way how to reload PCIe bus with controller without need to reboot
> whole machine. This approach is lot of times suggested by admins and
> also on user forums, because it really helps.
>
> In my opinion, if hotplug capable kernel driver (for what ever reasons)
> leaks resources on unbind procedure, it is an big issue. It basically
> disallow proper next bind procedure; which is required for hotplug
> capable drivers and buses, which PCIe is. memory and interrupts are just
> example of resources which drivers use lot of.
>
> So I consider a bug if driver does not release resource properly and
> "parent" driver should not expect that something like it is normal.
>
> This particular patch was tested at least by two people that is really
> fixes resource-free issue with more endpoint drivers.
>
> I think that in this case for pci-mvebu.c it is safe because: At the
> first step of unbind procedure is called unregistraction of PCIe bus
> with all devices bound on it. This ensures that all PCIe endpoint
> drivers are unbind, devices removed and no new driver or device and
> appear. After that there should not be any remaining usage of PCIe
> resources (if there is then whole PCIe hotplug code is broken and we
> have other and bigger issue...). Next pci-mvebu.c manually disposes all
> remaining legacy interrupts (which PCI core code does not because legacy
> interrupts are shared and it does not know if they are used or not).
> This is safe because at these stage there are no PCI drivers bound,
> there is no PCI device for that controller registered. And after that is
> removed IRQ domain (which has finally disposed all interrupts).
> If you see there some logical issue, please let me know.
>
> Note that allowing doing device unbind and disallowing rmmod is useless
> as the whole issue happens during unbind, not during rmmod. So the
> discussion should have been about device unbinding, not rmmoding.
>
> I see very big benefit for both developers and end users to allow doing
> unbind procedure as explained above.
>
> But if you decide that unbind should be disallowed, then doing it
> properly should probably imply to also disallow doing PCIe hog-unplug.
> As unplugging device means to unbind endpoint card drivers. And I think
> hot-plug and hot-unplug is a PCIe feature which could be supported. But
> well, this is decision for you as maintainer.
I think that this is the right thing to do - CC'ed Marc here
in case I am missing something - I think this ought to be fixed,
for this controller and all others that are missing the
irq_dispose_mapping() call.
Lorenzo
> > Bjorn
> >
> > > On Saturday 09 July 2022 18:18:58 Pali Rohár wrote:
> > > > Documentation for irq_domain_remove() says that all mapping within the
> > > > domain must be disposed prior to domain remove.
> > > >
> > > > Currently INTx irqs are not disposed in pci-mvebu.c device unbind callback
> > > > which cause that kernel crashes after unloading driver and trying to read
> > > > /sys/kernel/debug/irq/irqs/<num> or /proc/interrupts.
> > > >
> > > > Fixes: ec075262648f ("PCI: mvebu: Implement support for legacy INTx interrupts")
> > > > Reported-by: Hajo Noerenberg <hajo-linux-bugzilla@...renberg.de>
> > > > Signed-off-by: Pali Rohár <pali@...nel.org>
> > > > ---
> > > > Depends on patch:
> > > > https://lore.kernel.org/linux-pci/20220524122817.7199-1-pali@kernel.org/
> > > >
> > > > Here is the captured kernel crash which happens without this patch:
> > > >
> > > > $ cat /sys/kernel/debug/irq/irqs/64
> > > > [ 301.571370] 8<--- cut here ---
> > > > [ 301.574496] Unable to handle kernel paging request at virtual address 0a00002a
> > > > [ 301.581736] [0a00002a] *pgd=00000000
> > > > [ 301.585323] Internal error: Oops: 80000005 [#1] SMP ARM
> > > > [ 301.590560] Modules linked in:
> > > > [ 301.593621] CPU: 1 PID: 4641 Comm: cat Not tainted 5.16.0-rc1+ #192
> > > > [ 301.599905] Hardware name: Marvell Armada 380/385 (Device Tree)
> > > > [ 301.605836] PC is at 0xa00002a
> > > > [ 301.608896] LR is at irq_debug_show+0x210/0x2d4
> > > > [ 301.613440] pc : [<0a00002a>] lr : [<c018ca40>] psr: 200000b3
> > > > [ 301.619721] sp : c797fdd8 ip : 0000000b fp : 0a00002b
> > > > [ 301.624957] r10: c0d9a364 r9 : 00000001 r8 : 00000000
> > > > [ 301.630192] r7 : c18fee18 r6 : c0da2a74 r5 : c18fee00 r4 : c66ec050
> > > > [ 301.636734] r3 : 00000001 r2 : c18fee18 r1 : 00000000 r0 : c66ec050
> > > > [ 301.643275] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA Thumb Segment none
> > > > [ 301.650689] Control: 10c5387d Table: 0790c04a DAC: 00000051
> > > > [ 301.656446] Register r0 information: slab seq_file start c66ec050 pointer offset 0
> > > > [ 301.664040] Register r1 information: NULL pointer
> > > > [ 301.668755] Register r2 information: slab kmalloc-256 start c18fee00 pointer offset 24 size 256
> > > > [ 301.677480] Register r3 information: non-paged memory
> > > > [ 301.682543] Register r4 information: slab seq_file start c66ec050 pointer offset 0
> > > > [ 301.690133] Register r5 information: slab kmalloc-256 start c18fee00 pointer offset 0 size 256
> > > > [ 301.698770] Register r6 information: non-slab/vmalloc memory
> > > > [ 301.704442] Register r7 information: slab kmalloc-256 start c18fee00 pointer offset 24 size 256
> > > > [ 301.713165] Register r8 information: NULL pointer
> > > > [ 301.717879] Register r9 information: non-paged memory
> > > > [ 301.722941] Register r10 information: non-slab/vmalloc memory
> > > > [ 301.728699] Register r11 information: non-paged memory
> > > > [ 301.733848] Register r12 information: non-paged memory
> > > > [ 301.738997] Process cat (pid: 4641, stack limit = 0xf591166e)
> > > > [ 301.744756] Stack: (0xc797fdd8 to 0xc7980000)
> > > > [ 301.749123] fdc0: 0000000a 830d3f3e
> > > > [ 301.757321] fde0: c1004f48 c0d9a374 c7a9cc10 c66ec050 00000000 c88af900 c797fe80 7ffff000
> > > > [ 301.765518] fe00: 00400cc0 c66ec068 00000001 c02c5cb8 00000000 00000000 c66ec078 c797fe68
> > > > [ 301.773715] fe20: c1cdf6c0 c7a9cc10 ffffffea c88af900 00000010 00000000 00000000 c88af900
> > > > [ 301.781911] fe40: c1004f48 c797ff78 00001000 00004004 c03efcb8 c02c6100 00001000 00000000
> > > > [ 301.790108] fe60: bec73e04 00001000 00000000 00000000 00001000 c797fe60 00000001 00000000
> > > > [ 301.798304] fe80: c88af900 00000000 00000000 00000000 00000000 00000000 00000000 40040000
> > > > [ 301.806501] fea0: 00000000 00000000 c1004f48 830d3f3e c88af900 c02c6018 c1c7a770 bec73e04
> > > > [ 301.814697] fec0: 00001000 c797ff78 00000001 c03efd0c 00001000 c88af900 00000000 bec73e04
> > > > [ 301.822894] fee0: c1004f48 c797ff78 00000001 c029c728 c887ca20 01100cca 0000004f 0045f000
> > > > [ 301.831091] ff00: 00000254 c790c010 c790c010 00000000 00000000 00000000 c5f6117c eeece9b8
> > > > [ 301.839288] ff20: 00000000 830d3f3e 00000000 c797ffb0 c79fc000 80000007 0045f5b8 00000254
> > > > [ 301.847484] ff40: c79fc040 00000004 c887ca20 830d3f3e 00000000 c1004f48 c88af900 00000000
> > > > [ 301.855681] ff60: 00000000 c88af900 bec73e04 00001000 00000000 c029cd68 00000000 00000000
> > > > [ 301.863877] ff80: 00000000 830d3f3e 00000000 00000000 01000000 00000003 c0100284 c1b8abc0
> > > > [ 301.872074] ffa0: 00000003 c0100060 00000000 00000000 00000003 bec73e04 00001000 00000000
> > > > [ 301.880270] ffc0: 00000000 00000000 01000000 00000003 00000003 00000001 00000001 00000000
> > > > [ 301.888468] ffe0: bec73d98 bec73d88 b6f81f88 b6f81410 60000010 00000003 00000000 00000000
> > > > [ 301.896666] [<c018ca40>] (irq_debug_show) from [<c02c5cb8>] (seq_read_iter+0x1a4/0x504)
> > > > [ 301.904700] [<c02c5cb8>] (seq_read_iter) from [<c02c6100>] (seq_read+0xe8/0x12c)
> > > > [ 301.912117] [<c02c6100>] (seq_read) from [<c03efd0c>] (full_proxy_read+0x54/0x70)
> > > > [ 301.919623] [<c03efd0c>] (full_proxy_read) from [<c029c728>] (vfs_read+0xa0/0x2c8)
> > > > [ 301.927214] [<c029c728>] (vfs_read) from [<c029cd68>] (ksys_read+0x58/0xd0)
> > > > [ 301.934195] [<c029cd68>] (ksys_read) from [<c0100060>] (ret_fast_syscall+0x0/0x54)
> > > > [ 301.941785] Exception stack(0xc797ffa8 to 0xc797fff0)
> > > > [ 301.946849] ffa0: 00000000 00000000 00000003 bec73e04 00001000 00000000
> > > > [ 301.955045] ffc0: 00000000 00000000 01000000 00000003 00000003 00000001 00000001 00000000
> > > > [ 301.963241] ffe0: bec73d98 bec73d88 b6f81f88 b6f81410
> > > > [ 301.968304] Code: bad PC value
> > > > [ 301.971365] ---[ end trace fe25fd26d042b605 ]---
> > > > [ 301.975992] Kernel panic - not syncing: Fatal exception
> > > > [ 301.981229] CPU0: stopping
> > > > [ 301.983946] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G D 5.16.0-rc1+ #192
> > > > [ 301.991884] Hardware name: Marvell Armada 380/385 (Device Tree)
> > > > [ 301.997817] [<c010e120>] (unwind_backtrace) from [<c010a170>] (show_stack+0x10/0x14)
> > > > [ 302.005587] [<c010a170>] (show_stack) from [<c0bbf108>] (dump_stack_lvl+0x40/0x4c)
> > > > [ 302.013179] [<c0bbf108>] (dump_stack_lvl) from [<c010c3f8>] (do_handle_IPI+0xf4/0x128)
> > > > [ 302.021117] [<c010c3f8>] (do_handle_IPI) from [<c010c444>] (ipi_handler+0x18/0x20)
> > > > [ 302.028707] [<c010c444>] (ipi_handler) from [<c0185c5c>] (handle_percpu_devid_irq+0x78/0x124)
> > > > [ 302.037256] [<c0185c5c>] (handle_percpu_devid_irq) from [<c017ffb8>] (generic_handle_domain_irq+0x44/0x88)
> > > > [ 302.046938] [<c017ffb8>] (generic_handle_domain_irq) from [<c05f051c>] (gic_handle_irq+0x74/0x88)
> > > > [ 302.055839] [<c05f051c>] (gic_handle_irq) from [<c0bc7ef8>] (generic_handle_arch_irq+0x34/0x44)
> > > > [ 302.064564] [<c0bc7ef8>] (generic_handle_arch_irq) from [<c0100b10>] (__irq_svc+0x50/0x68)
> > > > [ 302.072851] Exception stack(0xc1001f00 to 0xc1001f48)
> > > > [ 302.077916] 1f00: 000d6830 00000000 00000001 c0116be0 c1004f90 c1004fd4 00000001 00000000
> > > > [ 302.086114] 1f20: c1004f48 c0f5d2a8 c1009e80 00000000 00000000 c1001f50 c01076f4 c01076f8
> > > > [ 302.094309] 1f40: 60000013 ffffffff
> > > > [ 302.097804] [<c0100b10>] (__irq_svc) from [<c01076f8>] (arch_cpu_idle+0x38/0x3c)
> > > > [ 302.105223] [<c01076f8>] (arch_cpu_idle) from [<c0bcf3a0>] (default_idle_call+0x1c/0x2c)
> > > > [ 302.113338] [<c0bcf3a0>] (default_idle_call) from [<c015db34>] (do_idle+0x1c8/0x218)
> > > > [ 302.121106] [<c015db34>] (do_idle) from [<c015de40>] (cpu_startup_entry+0x18/0x20)
> > > > [ 302.128697] [<c015de40>] (cpu_startup_entry) from [<c0f00fec>] (start_kernel+0x650/0x694)
> > > > [ 302.136901] Rebooting in 3 seconds..
> > > > ---
> > > > drivers/pci/controller/pci-mvebu.c | 9 ++++++++-
> > > > 1 file changed, 8 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c
> > > > index 31f53a019b8f..951030052358 100644
> > > > --- a/drivers/pci/controller/pci-mvebu.c
> > > > +++ b/drivers/pci/controller/pci-mvebu.c
> > > > @@ -1713,8 +1713,15 @@ static int mvebu_pcie_remove(struct platform_device *pdev)
> > > > mvebu_writel(port, ~PCIE_INT_ALL_MASK, PCIE_INT_CAUSE_OFF);
> > > >
> > > > /* Remove IRQ domains. */
> > > > - if (port->intx_irq_domain)
> > > > + if (port->intx_irq_domain) {
> > > > + int virq, j;
> > > > + for (j = 0; j < PCI_NUM_INTX; j++) {
> > > > + virq = irq_find_mapping(port->intx_irq_domain, j);
> > > > + if (virq > 0)
> > > > + irq_dispose_mapping(virq);
> > > > + }
> > > > irq_domain_remove(port->intx_irq_domain);
> > > > + }
> > > >
> > > > /* Free config space for emulated root bridge. */
> > > > pci_bridge_emul_cleanup(&port->bridge);
> > > > --
> > > > 2.20.1
> > > >
> > >
> > > _______________________________________________
> > > linux-arm-kernel mailing list
> > > linux-arm-kernel@...ts.infradead.org
> > > http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
Powered by blists - more mailing lists