1. 23 Aug, 2017 1 commit
  2. 30 Jun, 2017 1 commit
    • irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity · 866d7c1b
      Suzuki K Poulose committed
      The GICv3 driver doesn't check if the target CPU for gic_set_affinity
      is valid before going ahead and making the changes. This triggers the
      following splat with KASAN:
      
      [  141.189434] BUG: KASAN: global-out-of-bounds in gic_set_affinity+0x8c/0x140
      [  141.189704] Read of size 8 at addr ffff200009741d20 by task swapper/1/0
      [  141.189958]
      [  141.190158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.12.0-rc7
      [  141.190458] Hardware name: Foundation-v8A (DT)
      [  141.190658] Call trace:
      [  141.190908] [<ffff200008089d70>] dump_backtrace+0x0/0x328
      [  141.191224] [<ffff20000808a1b4>] show_stack+0x14/0x20
      [  141.191507] [<ffff200008504c3c>] dump_stack+0xa4/0xc8
      [  141.191858] [<ffff20000826c19c>] print_address_description+0x13c/0x250
      [  141.192219] [<ffff20000826c5c8>] kasan_report+0x210/0x300
      [  141.192547] [<ffff20000826ad54>] __asan_load8+0x84/0x98
      [  141.192874] [<ffff20000854eeec>] gic_set_affinity+0x8c/0x140
      [  141.193158] [<ffff200008148b14>] irq_do_set_affinity+0x54/0xb8
      [  141.193473] [<ffff200008148d2c>] irq_set_affinity_locked+0x64/0xf0
      [  141.193828] [<ffff200008148e00>] __irq_set_affinity+0x48/0x78
      [  141.194158] [<ffff200008bc48a4>] arm_perf_starting_cpu+0x104/0x150
      [  141.194513] [<ffff2000080d73bc>] cpuhp_invoke_callback+0x17c/0x1f8
      [  141.194783] [<ffff2000080d94ec>] notify_cpu_starting+0x8c/0xb8
      [  141.195130] [<ffff2000080911ec>] secondary_start_kernel+0x15c/0x200
      [  141.195390] [<0000000080db81b4>] 0x80db81b4
      [  141.195603]
      [  141.195685] The buggy address belongs to the variable:
      [  141.196012]  __cpu_logical_map+0x200/0x220
      [  141.196176]
      [  141.196315] Memory state around the buggy address:
      [  141.196586]  ffff200009741c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  141.196913]  ffff200009741c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  141.197158] >ffff200009741d00: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
      [  141.197487]                                ^
      [  141.197758]  ffff200009741d80: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
      [  141.198060]  ffff200009741e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  141.198358] ==================================================================
      [  141.198609] Disabling lock debugging due to kernel taint
      [  141.198961] CPU1: Booted secondary processor [410fd051]
      
      This patch adds the check to make sure the cpu is valid.
      
      Fixes: commit 021f6537 ("irqchip: gic-v3: Initial support for GICv3")
      Cc: stable@vger.kernel.org
      Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
  3. 25 Dec, 2016 2 commits
  4. 17 Nov, 2016 1 commit
  5. 14 Oct, 2016 1 commit
  6. 20 Sep, 2016 1 commit
    • irqchip/gicv3: Silence noisy DEBUG_PER_CPU_MAPS warning · 727653d6
      James Morse committed
      gic_raise_softirq() walks the list of cpus using for_each_cpu(), it calls
      gic_compute_target_list() which advances the iterator by the number of
      CPUs in the cluster.
      
      If gic_compute_target_list() reaches the last CPU it leaves the iterator
      pointing at the last CPU. This means the next time round the for_each_cpu()
      loop cpumask_next() will be called with an invalid CPU.
      
      This triggers a warning when built with CONFIG_DEBUG_PER_CPU_MAPS:
      [    3.077738] GICv3: CPU1: found redistributor 1 region 0:0x000000002f120000
      [    3.077943] CPU1: Booted secondary processor [410fd0f0]
      [    3.078542] ------------[ cut here ]------------
      [    3.078746] WARNING: CPU: 1 PID: 0 at ../include/linux/cpumask.h:121 gic_raise_softirq+0x12c/0x170
      [    3.078812] Modules linked in:
      [    3.078869]
      [    3.078930] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-rc5+ #5188
      [    3.078994] Hardware name: Foundation-v8A (DT)
      [    3.079059] task: ffff80087a1a0080 task.stack: ffff80087a19c000
      [    3.079145] PC is at gic_raise_softirq+0x12c/0x170
      [    3.079226] LR is at gic_raise_softirq+0xa4/0x170
      [    3.079296] pc : [<ffff0000083ead24>] lr : [<ffff0000083eac9c>] pstate: 200001c9
      [    3.081139] Call trace:
      [    3.081202] Exception stack(0xffff80087a19fbe0 to 0xffff80087a19fd10)
      
      [    3.082269] [<ffff0000083ead24>] gic_raise_softirq+0x12c/0x170
      [    3.082354] [<ffff00000808e614>] smp_send_reschedule+0x34/0x40
      [    3.082433] [<ffff0000080e80a0>] resched_curr+0x50/0x88
      [    3.082512] [<ffff0000080e89d0>] check_preempt_curr+0x60/0xd0
      [    3.082593] [<ffff0000080e8a60>] ttwu_do_wakeup+0x20/0xe8
      [    3.082672] [<ffff0000080e8bb8>] ttwu_do_activate+0x90/0xc0
      [    3.082753] [<ffff0000080ea9a4>] try_to_wake_up+0x224/0x370
      [    3.082836] [<ffff0000080eabc8>] default_wake_function+0x10/0x18
      [    3.082920] [<ffff000008103134>] __wake_up_common+0x5c/0xa0
      [    3.083003] [<ffff0000081031f4>] __wake_up_locked+0x14/0x20
      [    3.083086] [<ffff000008103f80>] complete+0x40/0x60
      [    3.083168] [<ffff00000808df7c>] secondary_start_kernel+0x15c/0x1d0
      [    3.083240] [<00000000808911a4>] 0x808911a4
      [    3.113401] Detected PIPT I-cache on CPU2
      
      Avoid updating the iterator if the next call to cpumask_next() would
      cause the for_each_cpu() loop to exit.
      
      There is no change to gic_raise_softirq()'s behaviour, (cpumask_next()s
      eventual call to _find_next_bit() will return early as start >= nbits),
      this patch just silences the warning.
      
      Fixes: 021f6537 ("irqchip: gic-v3: Initial support for GICv3")
      Signed-off-by: James Morse <james.morse@arm.com>
      Acked-by: Marc Zyngier <marc.zyngier@arm.com>
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: Jason Cooper <jason@lakedaemon.net>
      Link: http://lkml.kernel.org/r/1474306155-3303-1-git-send-email-james.morse@arm.com
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
  7. 13 Sep, 2016 2 commits
  8. 18 Aug, 2016 1 commit
    • irqchip/gicv3: Remove disabling redistributor and group1 non-secure interrupts · ccd9432a
      Sudeep Holla committed
      As per the GICv3 specification, to power down a processor using GICv3
      and allow automatic power-on if an interrupt must be sent to a processor,
      software must set Enable to zero for all interrupt groups (by writing
      to GICC_CTLR or ICC_IGRPEN{0,1}_EL1/3 as appropriate).
      
      When commit 3708d52f ("irqchip: gic-v3: Implement CPU PM notifier")
      was introduced there were no firmware implementations (in particular PSCI)
      handling this.
      
      Linux kernel may not be aware of the CPU power state details and might
      fail to identify the power states that require quiescing the CPU
      interface. Even if it can be aware of those details, it can't determine
      which CPU power state has been triggered at the platform level and how
      the power control is implemented.
      
      This patch makes disabling redistributor and group1 non-secure interrupts
      in the power down path and re-enabling of redistributor in the power-up
      path conditional. It will be handled in the kernel if and only if the
      non-secure accesses are permitted to access and modify control registers.
      It is left to the platform implementation otherwise.
      
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Jason Cooper <jason@lakedaemon.net>
      Tested-by: Christopher Covington <cov@codeaurora.org>
      Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
  9. 14 Jul, 2016 1 commit
  10. 03 Jun, 2016 1 commit
  11. 11 May, 2016 2 commits
    • irqchip/gic-v3: Configure all interrupts as non-secure Group-1 · 7c9b9730
      Marc Zyngier committed
      The GICv3 driver wrongly assumes that it runs on the non-secure
      side of a secure-enabled system, while it could be on a system
      with a single security state, or a GICv3 with GICD_CTLR.DS set.
      
      Either way, it is important to configure this properly, or
      interrupts will simply not be delivered on this HW.
      
      Cc: stable@vger.kernel.org
      Reported-by: Peter Maydell <peter.maydell@linaro.org>
      Tested-by: Peter Maydell <peter.maydell@linaro.org>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    • irqchip/gic: Ensure ordering between read of INTACK and shared data · f86c4fbd
      Will Deacon committed
      When an IPI is generated by a CPU, the pattern looks roughly like:
      
        <write shared data>
        smp_wmb();
        <write to GIC to signal SGI>
      
      On the receiving CPU we rely on the fact that, once we've taken the
      interrupt, then the freshly written shared data must be visible to us.
      Put another way, the CPU isn't going to speculate taking an interrupt.
      
      Unfortunately, this assumption turns out to be broken.
      
      Consider that CPUx wants to send an IPI to CPUy, which will cause CPUy
      to read some shared_data. Before CPUx has done anything, a random
      peripheral raises an IRQ to the GIC and the IRQ line on CPUy is raised.
      CPUy then takes the IRQ and starts executing the entry code, heading
      towards gic_handle_irq. Furthermore, let's assume that a bunch of the
      previous interrupts handled by CPUy were SGIs, so the branch predictor
      kicks in and speculates that irqnr will be <16 and we're likely to
      head into handle_IPI. The prefetcher then grabs a speculative copy of
      shared_data which contains a stale value.
      
      Meanwhile, CPUx gets round to updating shared_data and asking the GIC
      to send an SGI to CPUy. Internally, the GIC decides that the SGI is
      more important than the peripheral interrupt (which hasn't yet been
      ACKed) but doesn't need to do anything to CPUy, because the IRQ line
      is already raised.
      
      CPUy then reads the ACK register on the GIC, sees the SGI value which
      confirms the branch prediction and we end up with a stale shared_data
      value.
      
      This patch fixes the problem by adding an smp_rmb() to the IPI entry
      code in gic_handle_irq. As it turns out, the combination of a control
      dependency and an ISB instruction from the EOI in the GICv3 driver is
      enough to provide the ordering we need, so we add a comment there
      justifying the absence of an explicit smp_rmb().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Will Deacon <will.deacon@arm.com>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
  12. 03 May, 2016 3 commits
  13. 02 May, 2016 1 commit
  14. 09 Mar, 2016 4 commits
  15. 15 Oct, 2015 1 commit
  16. 14 Oct, 2015 2 commits
  17. 10 Oct, 2015 4 commits
  18. 29 Sep, 2015 2 commits
  19. 16 Sep, 2015 2 commits
    • irqchip: Kill off set_irq_flags usage · d17cab44
      Rob Herring committed
      set_irq_flags is ARM specific with custom flags which have genirq
      equivalents. Convert drivers to use the genirq interfaces directly, so we
      can kill off set_irq_flags. The translation of flags is as follows:
      
      IRQF_VALID -> !IRQ_NOREQUEST
      IRQF_PROBE -> !IRQ_NOPROBE
      IRQF_NOAUTOEN -> IRQ_NOAUTOEN
      
      For IRQs managed by an irqdomain, the irqdomain core code handles clearing
      and setting IRQ_NOREQUEST already, so there is no need to do this in
      .map() functions and we can simply remove the set_irq_flags calls. Some
      users also modify IRQ_NOPROBE and this has been maintained although it
      is not clear that is really needed. There appears to be a great deal of
      blind copy and paste of this code.
      Signed-off-by: Rob Herring <robh@kernel.org>
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: Russell King <linux@arm.linux.org.uk>
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Kukjin Kim <kgene@kernel.org>
      Cc: Krzysztof Kozlowski <k.kozlowski@samsung.com>
      Cc: Stephen Warren <swarren@wwwdotorg.org>
      Cc: Lee Jones <lee@kernel.org>
      Cc: Alexander Shiyan <shc_work@mail.ru>
      Cc: Maxime Ripard <maxime.ripard@free-electrons.com>
      Cc: linux-rpi-kernel@lists.infradead.org
      Cc: linux-samsung-soc@vger.kernel.org
      Link: http://lkml.kernel.org/r/1440889285-5637-3-git-send-email-robh@kernel.org
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    • irqchip/gic-v3: Use IRQD_FORWARDED_TO_VCPU flag · 4df7f54d
      Thomas Gleixner committed
      Get rid of the handler_data abuse.
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Marc Zyngier <marc.zyngier@arm.com>
  20. 27 Aug, 2015 2 commits
  21. 12 Jul, 2015 1 commit
  22. 06 Jun, 2015 1 commit
  23. 09 Apr, 2015 1 commit
  24. 08 Mar, 2015 1 commit
    • irqchip: gic-v3: Fix out of bounds access to cpu_logical_map · 614be385
      Vladimir Murzin committed
      While playing with KASan support for arm64/arm the following appeared on boot:
      
      ==================================================================
      BUG: AddressSanitizer: out of bounds access in __asan_load8+0x14/0x1c at addr ffffffc000ad0dc0
      Read of size 8 by task swapper/0/1
      page:ffffffbdc202b400 count:1 mapcount:0 mapping:          (null) index:0x0
      flags: 0x400(reserved)
      page dumped because: kasan: bad access detected
      Address belongs to variable __cpu_logical_map+0x200/0x220
      CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.19.0-rc6-next-20150129+ #481
      Hardware name: FVP Base (DT)
      Call trace:
      [<ffffffc00008a794>] dump_backtrace+0x0/0x184
      [<ffffffc00008a928>] show_stack+0x10/0x1c
      [<ffffffc00075e46c>] dump_stack+0xa0/0xf8
      [<ffffffc0001df490>] kasan_report_error+0x23c/0x264
      [<ffffffc0001e0188>] check_memory_region+0xc0/0xe4
      [<ffffffc0001dedf0>] __asan_load8+0x10/0x1c
      [<ffffffc000431294>] gic_raise_softirq+0xc4/0x1b4
      [<ffffffc000091fc0>] smp_send_reschedule+0x30/0x3c
      [<ffffffc0000f0d1c>] try_to_wake_up+0x394/0x434
      [<ffffffc0000f0de8>] wake_up_process+0x2c/0x6c
      [<ffffffc0000d9570>] wake_up_worker+0x38/0x48
      [<ffffffc0000dbb50>] insert_work+0xac/0xec
      [<ffffffc0000dbd38>] __queue_work+0x1a8/0x374
      [<ffffffc0000dbf60>] queue_work_on+0x5c/0x7c
      [<ffffffc0000d8a78>] call_usermodehelper_exec+0x170/0x188
      [<ffffffc0004037b8>] kobject_uevent_env+0x650/0x6bc
      [<ffffffc000403830>] kobject_uevent+0xc/0x18
      [<ffffffc00040292c>] kset_register+0xa8/0xc8
      [<ffffffc0004d6c88>] bus_register+0x134/0x2e8
      [<ffffffc0004d73b4>] subsys_virtual_register+0x2c/0x5c
      [<ffffffc000a76a4c>] wq_sysfs_init+0x14/0x20
      [<ffffffc000082a28>] do_one_initcall+0xa8/0x1fc
      [<ffffffc000a70db4>] kernel_init_freeable+0x1ec/0x294
      [<ffffffc00075aa5c>] kernel_init+0xc/0xec
      Memory state around the buggy address:
       ffffff80003e0820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
       ffffff80003e0830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffffff80003e0840: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
                         ^
       ffffff80003e0850: 00 00 fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      ==================================================================
      
      The reason for that is that cpumask_next() returns >= nr_cpu_ids if no
      further cpus are set, but only the "==" condition is checked, so we end up
      with out-of-bounds access to cpu_logical_map.
      
      Fix is by using the condition check for cpumask_next.
      Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Link: https://lkml.kernel.org/r/1425659870-11832-7-git-send-email-marc.zyngier@arm.com
      Signed-off-by: Jason Cooper <jason@lakedaemon.net>
  25. 05 Mar, 2015 1 commit
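
The end-of-mask condition described in commit 614be385 above, as an added user-space model (not code from the kernel or from any of these commits). `NR_CPUS = 64`, `nr_cpu_ids = 4` and the names `logical_map`, `map_read`, `mask_next` and `walk` are assumptions chosen for illustration; the model counts the out-of-range lookup instead of performing it.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model, not kernel code. NR_CPUS: compile-time mask
 * width; nr_cpu_ids: number of possible CPUs found at boot. */
#define NR_CPUS 64
static const unsigned int nr_cpu_ids = 4;
static uint64_t logical_map[NR_CPUS];  /* stands in for __cpu_logical_map */
static unsigned int oob_reads;         /* reads KASAN would have reported */

/* Checked accessor: count an out-of-range index instead of reading it. */
static uint64_t map_read(unsigned int cpu)
{
    if (cpu >= NR_CPUS) { oob_reads++; return 0; }
    return logical_map[cpu];
}

/* Like cpumask_next(): next set bit after n, or the mask width when none. */
static unsigned int mask_next(int n, uint64_t mask)
{
    for (unsigned int i = (unsigned int)(n + 1); i < NR_CPUS; i++)
        if (mask & (1ULL << i)) return i;
    return NR_CPUS;
}

/* Walk the mask, reading each next CPU's map entry. ge_check picks the
 * end-of-mask test: 0 is "== nr_cpu_ids", 1 is ">= nr_cpu_ids". */
static unsigned int walk(uint64_t mask, int ge_check)
{
    unsigned int visited = 0, cpu = mask_next(-1, mask);
    oob_reads = 0;
    while (cpu < nr_cpu_ids) {
        visited++;
        cpu = mask_next((int)cpu, mask);
        if (ge_check ? cpu >= nr_cpu_ids : cpu == nr_cpu_ids) break;
        (void)map_read(cpu);
    }
    return visited;
}

int main(void)
{
    unsigned int n = walk(0xF, 0);
    printf("== check: visited %u, OOB reads %u\n", n, oob_reads);
    n = walk(0xF, 1);
    printf(">= check: visited %u, OOB reads %u\n", n, oob_reads);
    return 0;
}
```

Both variants visit the same CPUs; only the `==` test lets the past-the-end value through to the map lookup, which is the read KASAN reported.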