genirq: Validate action before dereferencing it in handle_irq_event_percpu()
This commit is contained in:
parent
2c538e26bc
commit
4db36a2b1c
|
@ -162,6 +162,8 @@ linux (4.4.3-1) UNRELEASED; urgency=medium
|
|||
[ Uwe Kleine-König ]
|
||||
* [armhf] enable AXP20X_POWER (Closes: #815971)
|
||||
* [rt] Update to 4.4.3-rt9
|
||||
* genirq: Validate action before dereferencing it in
|
||||
handle_irq_event_percpu()
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 28 Feb 2016 07:02:42 +0100
|
||||
|
||||
|
|
100
debian/patches/bugfix/all/genirq-Validate-action-before-dereferencing-it-in-ha.patch
vendored
Normal file
100
debian/patches/bugfix/all/genirq-Validate-action-before-dereferencing-it-in-ha.patch
vendored
Normal file
|
@ -0,0 +1,100 @@
|
|||
From: Thomas Gleixner <tglx@linutronix.de>
|
||||
Date: Wed, 13 Jan 2016 14:07:25 +0100
|
||||
Subject: [PATCH] genirq: Validate action before dereferencing it in
|
||||
handle_irq_event_percpu()
|
||||
Origin: v4.5-rc2, commit:570540d50710ed192e98e2f7f74578c9486b6b05
|
||||
|
||||
commit 71f64340fc0e changed the handling of irq_desc->action from
|
||||
|
||||
CPU 0 CPU 1
|
||||
free_irq() lock(desc)
|
||||
lock(desc) handle_edge_irq()
|
||||
if (desc->action) {
|
||||
handle_irq_event()
|
||||
action = desc->action
|
||||
unlock(desc)
|
||||
desc->action = NULL handle_irq_event_percpu(desc, action)
|
||||
action->xxx
|
||||
to
|
||||
|
||||
CPU 0 CPU 1
|
||||
free_irq() lock(desc)
|
||||
lock(desc) handle_edge_irq()
|
||||
if (desc->action) {
|
||||
handle_irq_event()
|
||||
unlock(desc)
|
||||
desc->action = NULL handle_irq_event_percpu(desc, action)
|
||||
action = desc->action
|
||||
action->xxx
|
||||
|
||||
So if free_irq manages to set the action to NULL between the unlock and before
|
||||
the readout, we happily dereference a null pointer.
|
||||
|
||||
We could simply revert 71f64340fc0e, but we want to preserve the better code
|
||||
generation. A simple solution is to change the action loop from a do {} while
|
||||
to a while {} loop.
|
||||
|
||||
This is safe because we either see a valid desc->action or NULL. If the action
|
||||
is about to be removed it is still valid as free_irq() is blocked on
|
||||
synchronize_irq().
|
||||
|
||||
CPU 0 CPU 1
|
||||
free_irq() lock(desc)
|
||||
lock(desc) handle_edge_irq()
|
||||
handle_irq_event(desc)
|
||||
set(INPROGRESS)
|
||||
unlock(desc)
|
||||
handle_irq_event_percpu(desc)
|
||||
action = desc->action
|
||||
desc->action = NULL while (action) {
|
||||
action->xxx
|
||||
...
|
||||
action = action->next;
|
||||
sychronize_irq()
|
||||
while(INPROGRESS); lock(desc)
|
||||
clr(INPROGRESS)
|
||||
free(action)
|
||||
|
||||
That's basically the same mechanism as we have for shared
|
||||
interrupts. action->next can become NULL while handle_irq_event_percpu()
|
||||
runs. Either it sees the action or NULL. It does not matter, because action
|
||||
itself cannot go away before the interrupt in progress flag has been cleared.
|
||||
|
||||
Fixes: commit 71f64340fc0e "genirq: Remove the second parameter from handle_irq_event_percpu()"
|
||||
Reported-by: zyjzyj2000@gmail.com
|
||||
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: Huang Shijie <shijie.huang@arm.com>
|
||||
Cc: Jiang Liu <jiang.liu@linux.intel.com>
|
||||
Cc: Peter Zijlstra <peterz@infradead.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1601131224190.3575@nanos
|
||||
---
|
||||
kernel/irq/handle.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/kernel/irq/handle.c b/kernel/irq/handle.c
|
||||
index a302cf9a2126..57bff7857e87 100644
|
||||
--- a/kernel/irq/handle.c
|
||||
+++ b/kernel/irq/handle.c
|
||||
@@ -138,7 +138,8 @@ irqreturn_t handle_irq_event_percpu(struct irq_desc *desc)
|
||||
unsigned int flags = 0, irq = desc->irq_data.irq;
|
||||
struct irqaction *action = desc->action;
|
||||
|
||||
- do {
|
||||
+ /* action might have become NULL since we dropped the lock */
|
||||
+ while (action) {
|
||||
irqreturn_t res;
|
||||
|
||||
trace_irq_handler_entry(irq, action);
|
||||
@@ -173,7 +174,7 @@ irqreturn_t handle_irq_event_percpu(struct irq_desc *desc)
|
||||
|
||||
retval |= res;
|
||||
action = action->next;
|
||||
- } while (action);
|
||||
+ }
|
||||
|
||||
add_interrupt_randomness(irq, flags);
|
||||
|
||||
--
|
||||
2.7.0
|
||||
|
|
@ -133,6 +133,7 @@ bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
|
|||
bugfix/all/revert-workqueue-make-sure-delayed-work-run-in-local-cpu.patch
|
||||
bugfix/all/af_unix-don-t-set-err-in-unix_stream_read_generic-unless-there-was-an-error.patch
|
||||
bugfix/all/bpf-fix-branch-offset-adjustment-on-backjumps-after-.patch
|
||||
bugfix/all/genirq-Validate-action-before-dereferencing-it-in-ha.patch
|
||||
bugfix/x86/x86-mm-page-align-the-_end-symbol-to-avoid-pfn-conve.patch
|
||||
bugfix/x86/x86-mm-pat-ensure-cpa-pfn-only-contains-page-frame-n.patch
|
||||
bugfix/x86/x86-efi-map-ram-into-the-identity-page-table-for-mix.patch
|
||||
|
|
Loading…
Reference in New Issue