irqchip/gic-v3: Ensure pseudo-NMIs have an ISB between ack and handling genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()
Mark Rutland (1): irqchip/gic-v3: Ensure pseudo-NMIs have an ISB between ack and handling
Sergey Shtylyov (1): genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()
drivers/irqchip/irq-gic-v3.c | 3 +++ kernel/irq/ipi.c | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-)
From: Sergey Shtylyov s.shtylyov@omp.ru
mainline inclusion from mainline-v6.3-rc1 commit feabecaff5902f896531dde90646ca5dfa9d4f7d category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9OZI6
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
If ipi_send_{mask|single}() is called with an invalid interrupt number, all the local variables there will be NULL. ipi_send_verify() which is invoked from these functions does verify its 'data' parameter, resulting in a kernel oops in irq_data_get_affinity_mask() as the passed NULL pointer gets dereferenced.
Add a missing NULL pointer check in ipi_send_verify()...
Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.
Fixes: 3b8e29a82dd1 ("genirq: Implement ipi_send_mask/single()") Signed-off-by: Sergey Shtylyov s.shtylyov@omp.ru Signed-off-by: Thomas Gleixner tglx@linutronix.de Link: https://lore.kernel.org/r/b541232d-c2b6-1fe9-79b4-a7129459e4d0@omp.ru
Conflicts: kernel/irq/ipi.c [This conflict is caused by unmatched context]
Singed-off-by: Liao Chen liaochen4@huawei.com --- kernel/irq/ipi.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/kernel/irq/ipi.c b/kernel/irq/ipi.c index 8b778e37dc6d..0ca1331546e2 100644 --- a/kernel/irq/ipi.c +++ b/kernel/irq/ipi.c @@ -186,9 +186,9 @@ EXPORT_SYMBOL_GPL(ipi_get_hwirq); static int ipi_send_verify(struct irq_chip *chip, struct irq_data *data, const struct cpumask *dest, unsigned int cpu) { - struct cpumask *ipimask = irq_data_get_affinity_mask(data); + struct cpumask *ipimask;
- if (!chip || !ipimask) + if (!chip || !data) return -EINVAL;
if (!chip->ipi_send_single && !chip->ipi_send_mask) @@ -197,6 +197,10 @@ static int ipi_send_verify(struct irq_chip *chip, struct irq_data *data, if (cpu >= nr_cpu_ids) return -EINVAL;
+ ipimask = irq_data_get_affinity_mask(data); + if (!ipimask) + return -EINVAL; + if (dest) { if (!cpumask_subset(dest, ipimask)) return -EINVAL;
From: Mark Rutland mark.rutland@arm.com
mainline inclusion from mainline-v5.19-rc1 commit adf14453d2c037ab529040c1186ea32e277e783a category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9OZI6
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
There are cases where a context synchronization event is necessary between an IRQ being raised and being handled, and there are races such that we cannot rely upon the exception entry being subsequent to the interrupt being raised.
We identified and fixes this for regular IRQs in commit:
39a06b67c2c1256b ("irqchip/gic: Ensure we have an ISB between ack and ->handle_irq")
Unfortunately, we forgot to do the same for psuedo-NMIs when support for those was added in commit:
f32c926651dcd168 ("irqchip/gic-v3: Handle pseudo-NMIs")
Which means that when pseudo-NMIs are used for PMU support, we'll hit the same problem.
Apply the same fix as for regular IRQs. Note that when EOI mode 1 is in use, the call to gic_write_eoir() will provide an ISB.
Fixes: f32c926651dcd168 ("irqchip/gic-v3: Handle pseudo-NMIs") Signed-off-by: Mark Rutland mark.rutland@arm.com Cc: Marc Zyngier maz@kernel.org Cc: Thomas Gleixner tglx@linutronix.de Cc: Will Deacon will.deacon@arm.com Signed-off-by: Marc Zyngier maz@kernel.org Link: https://lore.kernel.org/r/20220513133038.226182-2-mark.rutland@arm.com Signed-off-by: Liao Chen liaochen4@huawei.com --- drivers/irqchip/irq-gic-v3.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c index 5d8658749c8c..26dddaa9f01a 100644 --- a/drivers/irqchip/irq-gic-v3.c +++ b/drivers/irqchip/irq-gic-v3.c @@ -498,6 +498,9 @@ static inline void gic_handle_nmi(u32 irqnr, struct pt_regs *regs)
if (static_branch_likely(&supports_deactivate_key)) gic_write_eoir(irqnr); + else + isb(); + /* * Leave the PSR.I bit set to prevent other NMIs to be * received while handling this one.
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/7220 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/S...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/7220 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/S...
-
Liao Chen -
patchwork bot