mirror of
https://github.com/FEX-Emu/linux.git
synced 2025-01-15 06:00:41 +00:00
570540d507
commit 71f64340fc0e changed the handling of irq_desc->action from CPU 0 CPU 1 free_irq() lock(desc) lock(desc) handle_edge_irq() if (desc->action) { handle_irq_event() action = desc->action unlock(desc) desc->action = NULL handle_irq_event_percpu(desc, action) action->xxx to CPU 0 CPU 1 free_irq() lock(desc) lock(desc) handle_edge_irq() if (desc->action) { handle_irq_event() unlock(desc) desc->action = NULL handle_irq_event_percpu(desc, action) action = desc->action action->xxx So if free_irq manages to set the action to NULL between the unlock and before the readout, we happily dereference a null pointer. We could simply revert 71f64340fc0e, but we want to preserve the better code generation. A simple solution is to change the action loop from a do {} while to a while {} loop. This is safe because we either see a valid desc->action or NULL. If the action is about to be removed it is still valid as free_irq() is blocked on synchronize_irq(). CPU 0 CPU 1 free_irq() lock(desc) lock(desc) handle_edge_irq() handle_irq_event(desc) set(INPROGRESS) unlock(desc) handle_irq_event_percpu(desc) action = desc->action desc->action = NULL while (action) { action->xxx ... action = action->next; sychronize_irq() while(INPROGRESS); lock(desc) clr(INPROGRESS) free(action) That's basically the same mechanism as we have for shared interrupts. action->next can become NULL while handle_irq_event_percpu() runs. Either it sees the action or NULL. It does not matter, because action itself cannot go away before the interrupt in progress flag has been cleared. Fixes: commit 71f64340fc0e "genirq: Remove the second parameter from handle_irq_event_percpu()" Reported-by: zyjzyj2000@gmail.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Huang Shijie <shijie.huang@arm.com> Cc: Jiang Liu <jiang.liu@linux.intel.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1601131224190.3575@nanos
200 lines
5.1 KiB
C
200 lines
5.1 KiB
C
/*
|
|
* linux/kernel/irq/handle.c
|
|
*
|
|
* Copyright (C) 1992, 1998-2006 Linus Torvalds, Ingo Molnar
|
|
* Copyright (C) 2005-2006, Thomas Gleixner, Russell King
|
|
*
|
|
* This file contains the core interrupt handling code.
|
|
*
|
|
* Detailed information is available in Documentation/DocBook/genericirq
|
|
*
|
|
*/
|
|
|
|
#include <linux/irq.h>
|
|
#include <linux/random.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/interrupt.h>
|
|
#include <linux/kernel_stat.h>
|
|
|
|
#include <trace/events/irq.h>
|
|
|
|
#include "internals.h"
|
|
|
|
/**
|
|
* handle_bad_irq - handle spurious and unhandled irqs
|
|
* @desc: description of the interrupt
|
|
*
|
|
* Handles spurious and unhandled IRQ's. It also prints a debugmessage.
|
|
*/
|
|
void handle_bad_irq(struct irq_desc *desc)
|
|
{
|
|
unsigned int irq = irq_desc_get_irq(desc);
|
|
|
|
print_irq_desc(irq, desc);
|
|
kstat_incr_irqs_this_cpu(desc);
|
|
ack_bad_irq(irq);
|
|
}
|
|
EXPORT_SYMBOL_GPL(handle_bad_irq);
|
|
|
|
/*
|
|
* Special, empty irq handler:
|
|
*/
|
|
irqreturn_t no_action(int cpl, void *dev_id)
|
|
{
|
|
return IRQ_NONE;
|
|
}
|
|
EXPORT_SYMBOL_GPL(no_action);
|
|
|
|
static void warn_no_thread(unsigned int irq, struct irqaction *action)
|
|
{
|
|
if (test_and_set_bit(IRQTF_WARNED, &action->thread_flags))
|
|
return;
|
|
|
|
printk(KERN_WARNING "IRQ %d device %s returned IRQ_WAKE_THREAD "
|
|
"but no thread function available.", irq, action->name);
|
|
}
|
|
|
|
void __irq_wake_thread(struct irq_desc *desc, struct irqaction *action)
|
|
{
|
|
/*
|
|
* In case the thread crashed and was killed we just pretend that
|
|
* we handled the interrupt. The hardirq handler has disabled the
|
|
* device interrupt, so no irq storm is lurking.
|
|
*/
|
|
if (action->thread->flags & PF_EXITING)
|
|
return;
|
|
|
|
/*
|
|
* Wake up the handler thread for this action. If the
|
|
* RUNTHREAD bit is already set, nothing to do.
|
|
*/
|
|
if (test_and_set_bit(IRQTF_RUNTHREAD, &action->thread_flags))
|
|
return;
|
|
|
|
/*
|
|
* It's safe to OR the mask lockless here. We have only two
|
|
* places which write to threads_oneshot: This code and the
|
|
* irq thread.
|
|
*
|
|
* This code is the hard irq context and can never run on two
|
|
* cpus in parallel. If it ever does we have more serious
|
|
* problems than this bitmask.
|
|
*
|
|
* The irq threads of this irq which clear their "running" bit
|
|
* in threads_oneshot are serialized via desc->lock against
|
|
* each other and they are serialized against this code by
|
|
* IRQS_INPROGRESS.
|
|
*
|
|
* Hard irq handler:
|
|
*
|
|
* spin_lock(desc->lock);
|
|
* desc->state |= IRQS_INPROGRESS;
|
|
* spin_unlock(desc->lock);
|
|
* set_bit(IRQTF_RUNTHREAD, &action->thread_flags);
|
|
* desc->threads_oneshot |= mask;
|
|
* spin_lock(desc->lock);
|
|
* desc->state &= ~IRQS_INPROGRESS;
|
|
* spin_unlock(desc->lock);
|
|
*
|
|
* irq thread:
|
|
*
|
|
* again:
|
|
* spin_lock(desc->lock);
|
|
* if (desc->state & IRQS_INPROGRESS) {
|
|
* spin_unlock(desc->lock);
|
|
* while(desc->state & IRQS_INPROGRESS)
|
|
* cpu_relax();
|
|
* goto again;
|
|
* }
|
|
* if (!test_bit(IRQTF_RUNTHREAD, &action->thread_flags))
|
|
* desc->threads_oneshot &= ~mask;
|
|
* spin_unlock(desc->lock);
|
|
*
|
|
* So either the thread waits for us to clear IRQS_INPROGRESS
|
|
* or we are waiting in the flow handler for desc->lock to be
|
|
* released before we reach this point. The thread also checks
|
|
* IRQTF_RUNTHREAD under desc->lock. If set it leaves
|
|
* threads_oneshot untouched and runs the thread another time.
|
|
*/
|
|
desc->threads_oneshot |= action->thread_mask;
|
|
|
|
/*
|
|
* We increment the threads_active counter in case we wake up
|
|
* the irq thread. The irq thread decrements the counter when
|
|
* it returns from the handler or in the exit path and wakes
|
|
* up waiters which are stuck in synchronize_irq() when the
|
|
* active count becomes zero. synchronize_irq() is serialized
|
|
* against this code (hard irq handler) via IRQS_INPROGRESS
|
|
* like the finalize_oneshot() code. See comment above.
|
|
*/
|
|
atomic_inc(&desc->threads_active);
|
|
|
|
wake_up_process(action->thread);
|
|
}
|
|
|
|
irqreturn_t handle_irq_event_percpu(struct irq_desc *desc)
|
|
{
|
|
irqreturn_t retval = IRQ_NONE;
|
|
unsigned int flags = 0, irq = desc->irq_data.irq;
|
|
struct irqaction *action = desc->action;
|
|
|
|
/* action might have become NULL since we dropped the lock */
|
|
while (action) {
|
|
irqreturn_t res;
|
|
|
|
trace_irq_handler_entry(irq, action);
|
|
res = action->handler(irq, action->dev_id);
|
|
trace_irq_handler_exit(irq, action, res);
|
|
|
|
if (WARN_ONCE(!irqs_disabled(),"irq %u handler %pF enabled interrupts\n",
|
|
irq, action->handler))
|
|
local_irq_disable();
|
|
|
|
switch (res) {
|
|
case IRQ_WAKE_THREAD:
|
|
/*
|
|
* Catch drivers which return WAKE_THREAD but
|
|
* did not set up a thread function
|
|
*/
|
|
if (unlikely(!action->thread_fn)) {
|
|
warn_no_thread(irq, action);
|
|
break;
|
|
}
|
|
|
|
__irq_wake_thread(desc, action);
|
|
|
|
/* Fall through to add to randomness */
|
|
case IRQ_HANDLED:
|
|
flags |= action->flags;
|
|
break;
|
|
|
|
default:
|
|
break;
|
|
}
|
|
|
|
retval |= res;
|
|
action = action->next;
|
|
}
|
|
|
|
add_interrupt_randomness(irq, flags);
|
|
|
|
if (!noirqdebug)
|
|
note_interrupt(desc, retval);
|
|
return retval;
|
|
}
|
|
|
|
irqreturn_t handle_irq_event(struct irq_desc *desc)
|
|
{
|
|
irqreturn_t ret;
|
|
|
|
desc->istate &= ~IRQS_PENDING;
|
|
irqd_set(&desc->irq_data, IRQD_IRQ_INPROGRESS);
|
|
raw_spin_unlock(&desc->lock);
|
|
|
|
ret = handle_irq_event_percpu(desc);
|
|
|
|
raw_spin_lock(&desc->lock);
|
|
irqd_clear(&desc->irq_data, IRQD_IRQ_INPROGRESS);
|
|
return ret;
|
|
}
|