Date: Wed, 18 Feb 2015 09:08:24 -0800
From: tip-bot for Joerg Roedel
Message-ID:
Cc: tglx@linutronix.de, linux@rasmusvillemoes.dk, torvalds@linux-foundation.org, mingo@kernel.org, yinghai@kernel.org, linux-kernel@vger.kernel.org, kys@microsoft.com, jroedel@suse.de, prarit@redhat.com, jiang.liu@linux.intel.com, JBeulich@suse.com, peterz@infradead.org, hpa@zytor.com
Reply-To: torvalds@linux-foundation.org, linux@rasmusvillemoes.dk, tglx@linutronix.de, linux-kernel@vger.kernel.org, yinghai@kernel.org, mingo@kernel.org, kys@microsoft.com, jroedel@suse.de, JBeulich@suse.com, jiang.liu@linux.intel.com, prarit@redhat.com, hpa@zytor.com, peterz@infradead.org
In-Reply-To: <20150204132754.GA10078@suse.de>
References: <20150204132754.GA10078@suse.de>
To: linux-tip-commits@vger.kernel.org
Subject: [tip:irq/urgent] x86/irq: Check for valid irq descriptor in check_irq_vectors_for_cpu_disable()
Git-Commit-ID: d97eb8966c91f2c9d05f0a22eb89ed5b76d966d1
X-Mailer: tip-git-log-daemon
Robot-ID:
Robot-Unsubscribe: Contact to get blacklisted from these emails
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2643
Lines: 67

Commit-ID:  d97eb8966c91f2c9d05f0a22eb89ed5b76d966d1
Gitweb:     http://git.kernel.org/tip/d97eb8966c91f2c9d05f0a22eb89ed5b76d966d1
Author:     Joerg Roedel
AuthorDate: Wed, 4 Feb 2015 13:33:33 +0100
Committer:  Ingo Molnar
CommitDate: Wed, 18 Feb 2015 15:01:42 +0100

x86/irq: Check for valid irq descriptor in check_irq_vectors_for_cpu_disable()

When an interrupt is migrated away from a cpu it will stay in its vector_irq array until smp_irq_move_cleanup_interrupt succeeded. The cfg->move_in_progress flag is cleared already when the IPI was sent.

When the interrupt is destroyed after migration its 'struct irq_desc' is freed and the vector_irq arrays are cleaned up.
But since cfg->move_in_progress is already 0 the references at cpus before the last migration will not be cleared. So this would leave a reference to an already destroyed irq alive. When the cpu is taken down at this point, the check_irq_vectors_for_cpu_disable() function finds a valid irq number in the vector_irq array, but gets NULL for its descriptor and dereferences it, causing a kernel panic. This has been observed on real systems at shutdown. Add a check to check_irq_vectors_for_cpu_disable() for a valid 'struct irq_desc' to prevent this issue. Signed-off-by: Joerg Roedel Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Jiang Liu Cc: H. Peter Anvin Cc: Jan Beulich Cc: K. Y. Srinivasan Cc: Linus Torvalds Cc: Prarit Bhargava Cc: Rasmus Villemoes Cc: Yinghai Lu Cc: alnovak@suse.com Cc: joro@8bytes.org Link: http://lkml.kernel.org/r/20150204132754.GA10078@suse.de Signed-off-by: Ingo Molnar --- arch/x86/kernel/irq.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c index 705ef8d..67b1cbe 100644 --- a/arch/x86/kernel/irq.c +++ b/arch/x86/kernel/irq.c @@ -302,6 +302,9 @@ int check_irq_vectors_for_cpu_disable(void) irq = __this_cpu_read(vector_irq[vector]); if (irq >= 0) { desc = irq_to_desc(irq); + if (!desc) + continue; + data = irq_desc_get_irq_data(desc); cpumask_copy(&affinity_new, data->affinity); cpu_clear(this_cpu, affinity_new); -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
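Review bot: The new `if (!desc) continue;` placed right after `desc = irq_to_desc(irq);` carries no comment explaining why an entry with `irq >= 0` in vector_irq can have no descriptor, so a later reader may take it for dead code. A one-line comment above the check, saying that a stale vector_irq entry can outlive a destroyed irq after migration, would record the reason given in the commit message. The check also treats the symptom only: by the commit message's own account the stale vector_irq reference stays in place on the cpus used before the last migration, so any other path that reads vector_irq and passes the result to irq_to_desc() needs the same NULL test, or the entry should be cleared when the irq is destroyed.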