Commit 91951f98 authored Apr 21, 2016 by Paul Burton Committed by Thomas Gleixner Apr 21, 2016

irqchip/mips-gic: Don't overrun pcpu_masks array



Commit 2a078705 ("irqchip/mips-gic: Use gic_vpes instead of
NR_CPUS") & commit 78930f09 ("irqchip/mips-gic: Clear percpu_masks
correctly when mapping") both introduce code which accesses gic_vpes
entries in the pcpu_masks array. However, this array has length NR_CPUS.
If NR_CPUS is less than gic_vpes (ie. the kernel supports use of less
CPUs than are present in the system) then we overrun the array, clobber
some other data & generally die pretty promptly.

Most notably this affects uniprocessor kernels running on any multicore
or multithreaded Malta with a GIC (ie. the vast majority of real Malta
boards).

Fix this by only accessing up to min(gic_vpes, NR_CPUS) entries in the
pcpu_masks array, preventing the array overrun.

Fixes: 2a078705 ("irqchip/mips-gic: Use gic_vpes instead of NR_CPUS")
Fixes: 78930f09 ("irqchip/mips-gic: Clear percpu_masks correctly when mapping")
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: Jason Cooper <jason@lakedaemon.net>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Link: http://lkml.kernel.org/r/1461234714-9975-1-git-send-email-paul.burton@imgtec.com


Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

parent 4589f450

drivers/irqchip/irq-mips-gic.c

+2 −2

Original line number	Original line	Diff line number	Diff line
	@@ -467,7 +467,7 @@ static int gic_set_affinity(struct irq_data d, const struct cpumask cpumask,
	gic_map_to_vpe(irq, mips_cm_vp_id(cpumask_first(&tmp)));		gic_map_to_vpe(irq, mips_cm_vp_id(cpumask_first(&tmp)));

	/* Update the pcpu_masks */		/* Update the pcpu_masks */
	for (i = 0; i < gic_vpes; i++)		for (i = 0; i < min(gic_vpes, NR_CPUS); i++)
	clear_bit(irq, pcpu_masks[i].pcpu_mask);		clear_bit(irq, pcpu_masks[i].pcpu_mask);
	set_bit(irq, pcpu_masks[cpumask_first(&tmp)].pcpu_mask);		set_bit(irq, pcpu_masks[cpumask_first(&tmp)].pcpu_mask);

	@@ -707,7 +707,7 @@ static int gic_shared_irq_domain_map(struct irq_domain *d, unsigned int virq,
	spin_lock_irqsave(&gic_lock, flags);		spin_lock_irqsave(&gic_lock, flags);
	gic_map_to_pin(intr, gic_cpu_pin);		gic_map_to_pin(intr, gic_cpu_pin);
	gic_map_to_vpe(intr, vpe);		gic_map_to_vpe(intr, vpe);
	for (i = 0; i < gic_vpes; i++)		for (i = 0; i < min(gic_vpes, NR_CPUS); i++)
	clear_bit(intr, pcpu_masks[i].pcpu_mask);		clear_bit(intr, pcpu_masks[i].pcpu_mask);
	set_bit(intr, pcpu_masks[vpe].pcpu_mask);		set_bit(intr, pcpu_masks[vpe].pcpu_mask);
	spin_unlock_irqrestore(&gic_lock, flags);		spin_unlock_irqrestore(&gic_lock, flags);