Patch "genirq/matrix: Prevent allocation counter corruption" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 07 May 2021 23:34:35 -0400

This is a note to let you know that I've just added the patch titled

    genirq/matrix: Prevent allocation counter corruption

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     genirq-matrix-prevent-allocation-counter-corruption.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2851398385c9a65a5680207947b9ca4494ae0473
Author: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
Date:   Fri Mar 19 12:18:23 2021 +0100

    genirq/matrix: Prevent allocation counter corruption
    
    [ Upstream commit c93a5e20c3c2dabef8ea360a3d3f18c6f68233ab ]
    
    When irq_matrix_free() is called for an unallocated vector the
    managed_allocated and total_allocated counters get out of sync with the
    real state of the matrix. Later, when the last interrupt is freed, these
    counters will underflow resulting in UINTMAX because the counters are
    unsigned.
    
    While this is certainly a problem of the calling code, this can be catched
    in the allocator by checking the allocation bit for the to be freed vector
    which simplifies debugging.
    
    An example of the problem described above:
    https://lore.kernel.org/lkml/20210318192819.636943062@xxxxxxxxxxxxx/
    
    Add the missing sanity check and emit a warning when it triggers.
    
    Suggested-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
    Signed-off-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>
    Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20210319111823.1105248-1-vkuznets@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/irq/matrix.c b/kernel/irq/matrix.c
index 651a4ad6d711..8e586858bcf4 100644
--- a/kernel/irq/matrix.c
+++ b/kernel/irq/matrix.c
@@ -423,7 +423,9 @@ void irq_matrix_free(struct irq_matrix *m, unsigned int cpu,
 	if (WARN_ON_ONCE(bit < m->alloc_start || bit >= m->alloc_end))
 		return;
 
-	clear_bit(bit, cm->alloc_map);
+	if (WARN_ON_ONCE(!test_and_clear_bit(bit, cm->alloc_map)))
+		return;
+
 	cm->allocated--;
 	if(managed)
 		cm->managed_allocated--;






