Fix panic in panic in smp_irq_move_cleanup_interrupt

2012-11-15 11:00:40 -06:00 · 2012-11-15 11:00:40 -06:00 · c428a20204
parent de28018acf
commit c428a20204
2 changed files with 58 additions and 1 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 7
+%global baserelease 8
 %global fedora_build %{baserelease}

 # base_sublevel is the kernel version we're starting with and patching
@ -796,6 +796,8 @@ Patch22110: usb-audio-fix-crash-at-re-preparing-the-PCM-stream.patch
 Patch22111: USB-EHCI-urb-hcpriv-should-not-be-NULL.patch
 Patch22112: USB-report-submission-of-active-URBs.patch

+Patch22113: smp_irq_move_cleanup_interrupt.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1539,6 +1541,8 @@ ApplyPatch usb-audio-fix-crash-at-re-preparing-the-PCM-stream.patch
 ApplyPatch USB-EHCI-urb-hcpriv-should-not-be-NULL.patch
 ApplyPatch USB-report-submission-of-active-URBs.patch

+ApplyPatch smp_irq_move_cleanup_interrupt.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2404,6 +2408,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Thu Nov 15 2012 Justin M. Forbes <jforbes@redhat.com>
+- Fix panic in  panic in smp_irq_move_cleanup_interrupt
+
 * Wed Nov 14 2012 Josh Boyer <jwboyer@redhat.com>
 - Fix module signing of kernel flavours

--- a/smp_irq_move_cleanup_interrupt.patch
+++ b/smp_irq_move_cleanup_interrupt.patch
@ -0,0 +1,50 @@
+commit 94777fc51b3ad85ff9f705ddf7cdd0eb3bbad5a6
+Author: Dimitri Sivanich <sivanich@sgi.com>
+Date:   Tue Oct 16 07:50:21 2012 -0500
+
+    x86/irq/ioapic: Check for valid irq_cfg pointer in smp_irq_move_cleanup_interrupt
+    
+    Posting this patch to fix an issue concerning sparse irq's that
+    I raised a while back.  There was discussion about adding
+    refcounting to sparse irqs (to fix other potential race
+    conditions), but that does not appear to have been addressed
+    yet.  This covers the only issue of this type that I've
+    encountered in this area.
+    
+    A NULL pointer dereference can occur in
+    smp_irq_move_cleanup_interrupt() if we haven't yet setup the
+    irq_cfg pointer in the irq_desc.irq_data.chip_data.
+    
+    In create_irq_nr() there is a window where we have set
+    vector_irq in __assign_irq_vector(), but not yet called
+    irq_set_chip_data() to set the irq_cfg pointer.
+    
+    Should an IRQ_MOVE_CLEANUP_VECTOR hit the cpu in question during
+    this time, smp_irq_move_cleanup_interrupt() will attempt to
+    process the aforementioned irq, but panic when accessing
+    irq_cfg.
+    
+    Only continue processing the irq if irq_cfg is non-NULL.
+    
+    Signed-off-by: Dimitri Sivanich <sivanich@sgi.com>
+    Cc: Suresh Siddha <suresh.b.siddha@intel.com>
+    Cc: Joerg Roedel <joerg.roedel@amd.com>
+    Cc: Yinghai Lu <yinghai@kernel.org>
+    Cc: Alexander Gordeev <agordeev@redhat.com>
+    Link: http://lkml.kernel.org/r/20121016125021.GA22935@sgi.com
+    Signed-off-by: Ingo Molnar <mingo@kernel.org>
+
+diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
+index c265593..1817fa9 100644
+--- a/arch/x86/kernel/apic/io_apic.c
+++ b/arch/x86/kernel/apic/io_apic.c
+@@ -2257,6 +2257,9 @@ asmlinkage void smp_irq_move_cleanup_interrupt(void)
+ 			continue;
+
+ 		cfg = irq_cfg(irq);
+		if (!cfg)
+			continue;
+
+ 		raw_spin_lock(&desc->lock);
+
+ 		/*