Message-ID: <20260204-implosion-defuse-f0bb02febc77@spud>
Date: Wed, 4 Feb 2026 17:46:37 +0000
From: Conor Dooley <conor@...nel.org>
To: Yangyu Chen <cyy@...self.name>
Cc: linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org,
	Anup Patel <anup.patel@....qualcomm.com>,
	Samuel Holland <samuel.holland@...ive.com>,
	Charles Mirabile <cmirabil@...hat.com>,
	Lucas Zampieri <lzampier@...hat.com>,
	Thomas Gleixner <tglx@...nel.org>, Paul Walmsley <pjw@...nel.org>,
	Palmer Dabbelt <palmer@...belt.com>,
	Mason Huo <mason.huo@...rfivetech.com>,
	Zhang Xincheng <zhangxincheng@...rarisc.com>,
	Charlie Jenkins <charlie@...osinc.com>,
	Marc Zyngier <maz@...nel.org>,
	Sia Jee Heng <jeeheng.sia@...rfivetech.com>,
	Ley Foon Tan <leyfoon.tan@...rfivetech.com>,
	Krzysztof Kozlowski <krzk+dt@...nel.org>,
	Rob Herring <robh@...nel.org>, Conor Dooley <conor+dt@...nel.org>,
	Alexandre Ghiti <alex@...ti.fr>, devicetree@...r.kernel.org,
	Jia Wang <wangjia@...rarisc.com>
Subject: Re: [PATCH v3 1/2] irqchip/sifive-plic: Fix wrong nr_irqs handling

On Wed, Feb 04, 2026 at 01:21:16AM +0800, Yangyu Chen wrote:
> Since the first irq source is 1 instead of 0, when the number of
> irqs is a multiple of 32, the last irq group will be ignored during
> allocation, saving, and restoring. This leads to memory corruption
> when accessing enable_save beyond allocated memory after commit
> 14ff9e54dd14 ("irqchip/sifive-plic: Cache the interrupt enable state")
> which will access enable_save for all sources during plic_probe.
> Thus, we should allocate irq_groups based on (nr_irqs + 1) instead of
> nr_irqs to avoid this issue. This commit also fixes related loops
> to have all consumers of nr_irqs consistent.
> 
> This is a long-standing bug since Linux v5.6 but since the last irq
> source is rarely used, it may not be triggered in practice until commit

FWIW, on mpfs the 186th and last source is used by the hardware but it's
used by the platform's m-mode firmware not linux.
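
The sizing problem described in the quoted commit message, as an added user-space model; it is not part of the original message and not the kernel driver's code. All function names are hypothetical, and the model assumes 32 enable bits per group with source IDs running from 1 to nr_irqs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BITS_PER_GROUP 32u
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Group count sized from nr_irqs alone (the sizing the commit message calls wrong). */
static unsigned groups_before(unsigned nr_irqs)
{
    return DIV_ROUND_UP(nr_irqs, BITS_PER_GROUP);
}

/* Group count sized from nr_irqs + 1: bit 0 of group 0 belongs to the unused ID 0. */
static unsigned groups_after(unsigned nr_irqs)
{
    return DIV_ROUND_UP(nr_irqs + 1, BITS_PER_GROUP);
}

/* Count the source IDs in 1..nr_irqs whose enable bit lies outside a
 * save buffer of ngroups 32-bit words. The write is bounds-checked here
 * so the model reports the overrun instead of corrupting memory. */
static unsigned count_out_of_bounds(unsigned nr_irqs, unsigned ngroups)
{
    uint32_t *save = calloc(ngroups ? ngroups : 1, sizeof(*save));
    unsigned oob = 0;

    if (!save)
        return ~0u;
    for (unsigned hwirq = 1; hwirq <= nr_irqs; hwirq++) {
        unsigned group = hwirq / BITS_PER_GROUP;
        if (group >= ngroups)
            oob++;                      /* would touch memory past the buffer */
        else
            save[group] |= 1u << (hwirq % BITS_PER_GROUP);
    }
    free(save);
    return oob;
}

int main(void)
{
    unsigned samples[] = { 31, 32, 64, 186 };   /* constructed sample counts */

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned n = samples[i];
        printf("nr_irqs=%u before: %u groups, %u out of bounds; after: %u groups, %u out of bounds\n",
               n, groups_before(n), count_out_of_bounds(n, groups_before(n)),
               groups_after(n), count_out_of_bounds(n, groups_after(n)));
    }
    return 0;
}
```

Only counts that are an exact multiple of 32 lose their last source under the old sizing; a count such as 186 already rounds up to enough groups.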