Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753039AbcDUTTK (ORCPT ); Thu, 21 Apr 2016 15:19:10 -0400 Received: from terminus.zytor.com ([198.137.202.10]:46056 "EHLO terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751878AbcDUTTI (ORCPT ); Thu, 21 Apr 2016 15:19:08 -0400 Date: Thu, 21 Apr 2016 12:18:35 -0700 From: tip-bot for Paul Burton Message-ID: Cc: ralf@linux-mips.org, jason@lakedaemon.net, paul.burton@imgtec.com, tglx@linutronix.de, marc.zyngier@arm.com, hpa@zytor.com, mingo@kernel.org, linux-kernel@vger.kernel.org Reply-To: marc.zyngier@arm.com, paul.burton@imgtec.com, tglx@linutronix.de, mingo@kernel.org, linux-kernel@vger.kernel.org, hpa@zytor.com, jason@lakedaemon.net, ralf@linux-mips.org In-Reply-To: <1461234714-9975-1-git-send-email-paul.burton@imgtec.com> References: <1461234714-9975-1-git-send-email-paul.burton@imgtec.com> To: linux-tip-commits@vger.kernel.org Subject: [tip:irq/urgent] irqchip/mips-gic: Don't overrun pcpu_masks array Git-Commit-ID: 91951f980e521d8f7e92283735b99fb9f4b05d93 X-Mailer: tip-git-log-daemon Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2677 Lines: 60 Commit-ID: 91951f980e521d8f7e92283735b99fb9f4b05d93 Gitweb: http://git.kernel.org/tip/91951f980e521d8f7e92283735b99fb9f4b05d93 Author: Paul Burton AuthorDate: Thu, 21 Apr 2016 11:31:54 +0100 Committer: Thomas Gleixner CommitDate: Thu, 21 Apr 2016 21:04:29 +0200 irqchip/mips-gic: Don't overrun pcpu_masks array Commit 2a0787051182 ("irqchip/mips-gic: Use gic_vpes instead of NR_CPUS") & commit 78930f09b940 ("irqchip/mips-gic: Clear percpu_masks correctly when mapping") both introduce code which accesses gic_vpes entries in the pcpu_masks array. However, this array has length NR_CPUS. If NR_CPUS is less than gic_vpes (ie. the kernel supports use of less CPUs than are present in the system) then we overrun the array, clobber some other data & generally die pretty promptly. Most notably this affects uniprocessor kernels running on any multicore or multithreaded Malta with a GIC (ie. the vast majority of real Malta boards). Fix this by only accessing up to min(gic_vpes, NR_CPUS) entries in the pcpu_masks array, preventing the array overrun. Fixes: 2a0787051182 ("irqchip/mips-gic: Use gic_vpes instead of NR_CPUS") Fixes: 78930f09b940 ("irqchip/mips-gic: Clear percpu_masks correctly when mapping") Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Cc: Jason Cooper Cc: Marc Zyngier Cc: Ralf Baechle Link: http://lkml.kernel.org/r/1461234714-9975-1-git-send-email-paul.burton@imgtec.com Signed-off-by: Thomas Gleixner --- drivers/irqchip/irq-mips-gic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/irqchip/irq-mips-gic.c b/drivers/irqchip/irq-mips-gic.c index 94a30da..4dffccf 100644 --- a/drivers/irqchip/irq-mips-gic.c +++ b/drivers/irqchip/irq-mips-gic.c @@ -467,7 +467,7 @@ static int gic_set_affinity(struct irq_data *d, const struct cpumask *cpumask, gic_map_to_vpe(irq, mips_cm_vp_id(cpumask_first(&tmp))); /* Update the pcpu_masks */ - for (i = 0; i < gic_vpes; i++) + for (i = 0; i < min(gic_vpes, NR_CPUS); i++) clear_bit(irq, pcpu_masks[i].pcpu_mask); set_bit(irq, pcpu_masks[cpumask_first(&tmp)].pcpu_mask); @@ -707,7 +707,7 @@ static int gic_shared_irq_domain_map(struct irq_domain *d, unsigned int virq, spin_lock_irqsave(&gic_lock, flags); gic_map_to_pin(intr, gic_cpu_pin); gic_map_to_vpe(intr, vpe); - for (i = 0; i < gic_vpes; i++) + for (i = 0; i < min(gic_vpes, NR_CPUS); i++) clear_bit(intr, pcpu_masks[i].pcpu_mask); set_bit(intr, pcpu_masks[vpe].pcpu_mask); spin_unlock_irqrestore(&gic_lock, flags);