* [PATCH] genirq: Generic chip: verify irqs_per_chip <= 32
@ 2016-08-19 16:35 Sebastian Frias
0 siblings, 0 replies; 3+ messages in thread
From: Sebastian Frias @ 2016-08-19 16:35 UTC (permalink / raw)
To: Thomas Gleixner, Marc Zyngier, Jason Cooper; +Cc: LKML, Mason
Most (if not all) code here implicitly assumes that the maximum number of
IRQs per chip will be 32, and thus uses 'u32' or 'unsigned long' for many
tasks (for example "struct irq_data" declares its 'mask' field as 'u32',
and "struct irq_chip_generic" declares its 'installed' field as 'unsigned
long')
However, there is no check to verify that irqs_per_chip is <= 32.
Hence, calling irq_alloc_domain_generic_chips() with a bigger value would
result in unexpected results depending on how the 'mask' is accessed later
on.
For example, if set_bit() is used on the 'installed' field of "struct
irq_chip_generic", it would result in the next field (in this case
the 'unused' field) being overwritten, because set_bit() is designed to
treat its parameter as a field of bits of arbitrary size organised as
"unsigned long" words.
This patch renames irq_alloc_domain_generic_chips() to
__irq_alloc_domain_generic_chips() and creates a macro to replace it.
The macro uses MAYBE_BUILD_BUG_ON to check the irqs_per_chip parameter to
stop compilation (if the compiler can resolve the parameter to a constant
at compile time) or to warn during run-time, if the parameter given is
bigger than 32.
Signed-off-by: Sebastian Frias <sf84@laposte.net>
---
include/linux/irq.h | 20 +++++++++++++++-----
kernel/irq/generic-chip.c | 16 ++++++++--------
2 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/include/linux/irq.h b/include/linux/irq.h
index b52424e..2a527e6 100644
--- a/include/linux/irq.h
+++ b/include/linux/irq.h
@@ -916,11 +916,21 @@ void irq_remove_generic_chip(struct irq_chip_generic *gc, u32 msk,
unsigned int clr, unsigned int set);
struct irq_chip_generic *irq_get_domain_generic_chip(struct irq_domain *d, unsigned int hw_irq);
-int irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
- int num_ct, const char *name,
- irq_flow_handler_t handler,
- unsigned int clr, unsigned int set,
- enum irq_gc_flags flags);
+
+#define irq_alloc_domain_generic_chips(d, irqs_per_chip, num_ct, name, \
+ handler, clr, set, flags) \
+ ({ \
+ MAYBE_BUILD_BUG_ON(irqs_per_chip > 32); \
+ __irq_alloc_domain_generic_chips(d, irqs_per_chip, num_ct, \
+ name, handler, clr, set, \
+ flags); \
+ })
+
+int __irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
+ int num_ct, const char *name,
+ irq_flow_handler_t handler,
+ unsigned int clr, unsigned int set,
+ enum irq_gc_flags flags);
static inline struct irq_chip_type *irq_data_get_chip_type(struct irq_data *d)
diff --git a/kernel/irq/generic-chip.c b/kernel/irq/generic-chip.c
index abd286a..302ab659 100644
--- a/kernel/irq/generic-chip.c
+++ b/kernel/irq/generic-chip.c
@@ -260,9 +260,9 @@ irq_gc_init_mask_cache(struct irq_chip_generic *gc, enum irq_gc_flags flags)
}
/**
- * irq_alloc_domain_generic_chip - Allocate generic chips for an irq domain
+ * __irq_alloc_domain_generic_chip - Allocate generic chips for an irq domain
* @d: irq domain for which to allocate chips
- * @irqs_per_chip: Number of interrupts each chip handles
+ * @irqs_per_chip: Number of interrupts each chip handles (max 32)
* @num_ct: Number of irq_chip_type instances associated with this
* @name: Name of the irq chip
* @handler: Default flow handler associated with these chips
@@ -270,11 +270,11 @@ irq_gc_init_mask_cache(struct irq_chip_generic *gc, enum irq_gc_flags flags)
* @set: IRQ_* bits to set in the mapping function
* @gcflags: Generic chip specific setup flags
*/
-int irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
- int num_ct, const char *name,
- irq_flow_handler_t handler,
- unsigned int clr, unsigned int set,
- enum irq_gc_flags gcflags)
+int __irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
+ int num_ct, const char *name,
+ irq_flow_handler_t handler,
+ unsigned int clr, unsigned int set,
+ enum irq_gc_flags gcflags)
{
struct irq_domain_chip_generic *dgc;
struct irq_chip_generic *gc;
@@ -326,7 +326,7 @@ int irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
d->name = name;
return 0;
}
-EXPORT_SYMBOL_GPL(irq_alloc_domain_generic_chips);
+EXPORT_SYMBOL_GPL(__irq_alloc_domain_generic_chips);
/**
* irq_get_domain_generic_chip - Get a pointer to the generic chip of a hw_irq
--
1.7.11.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] genirq: Generic chip: verify irqs_per_chip <= 32
2016-08-16 14:05 Sebastian Frias
@ 2016-09-02 15:53 ` Thomas Gleixner
0 siblings, 0 replies; 3+ messages in thread
From: Thomas Gleixner @ 2016-09-02 15:53 UTC (permalink / raw)
To: Sebastian Frias; +Cc: Marc Zyngier, Jason Cooper, LKML, Mason
On Tue, 16 Aug 2016, Sebastian Frias wrote:
> Most (if not all) code here implicitly assumes that the maximum number of
> IRQs per chip will be 32, and thus uses 'u32' or 'unsigned long' for many
> tasks (for example "struct irq_data" declares its 'mask' field as 'u32',
> and "struct irq_chip_generic" declares its 'installed' field as 'unsigned
> long')
>
> However, there is no check to verify that irqs_per_chip is <= 32.
> Hence, calling irq_alloc_domain_generic_chips() with a bigger value would
> result in unexpected results depending on how the 'mask' is accessed later
> on.
> For example, if set_bit() is used on the 'installed' field of "struct
> irq_chip_generic", it would result in the next field (in this case
> the 'unused' field) being overwritten, because set_bit() is designed to
> treat its parameter as a field of bits of arbitrary size organised as
> "unsigned long" words.
We really do not need examples for the potential wreckage. Your explanation
that the code has implict assumptions about the maximum number of
interrupts per chip is sufficient. We all know what out of bound access can
cause.
> This patch renames irq_alloc_domain_generic_chips() to
> __irq_alloc_domain_generic_chips() and creates a macro to replace it.
> The macro uses MAYBE_BUILD_BUG_ON to check the irqs_per_chip parameter to
> stop compilation (if the compiler can resolve the parameter to a constant
> at compile time) or to warn during run-time, if the parameter given is
> bigger than 32.
There is no point in explaining the implementation in the changelog. It's
obvious from the patch itself.
I'll fix that up as well.
Thanks,
tglx
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH] genirq: Generic chip: verify irqs_per_chip <= 32
@ 2016-08-16 14:05 Sebastian Frias
2016-09-02 15:53 ` Thomas Gleixner
0 siblings, 1 reply; 3+ messages in thread
From: Sebastian Frias @ 2016-08-16 14:05 UTC (permalink / raw)
To: Thomas Gleixner, Marc Zyngier, Jason Cooper; +Cc: LKML, Mason
Most (if not all) code here implicitly assumes that the maximum number of
IRQs per chip will be 32, and thus uses 'u32' or 'unsigned long' for many
tasks (for example "struct irq_data" declares its 'mask' field as 'u32',
and "struct irq_chip_generic" declares its 'installed' field as 'unsigned
long')
However, there is no check to verify that irqs_per_chip is <= 32.
Hence, calling irq_alloc_domain_generic_chips() with a bigger value would
result in unexpected results depending on how the 'mask' is accessed later
on.
For example, if set_bit() is used on the 'installed' field of "struct
irq_chip_generic", it would result in the next field (in this case
the 'unused' field) being overwritten, because set_bit() is designed to
treat its parameter as a field of bits of arbitrary size organised as
"unsigned long" words.
This patch renames irq_alloc_domain_generic_chips() to
__irq_alloc_domain_generic_chips() and creates a macro to replace it.
The macro uses MAYBE_BUILD_BUG_ON to check the irqs_per_chip parameter to
stop compilation (if the compiler can resolve the parameter to a constant
at compile time) or to warn during run-time, if the parameter given is
bigger than 32.
Signed-off-by: Sebastian Frias <sf84@laposte.net>
---
include/linux/irq.h | 20 +++++++++++++++-----
kernel/irq/generic-chip.c | 16 ++++++++--------
2 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/include/linux/irq.h b/include/linux/irq.h
index b52424e..2a527e6 100644
--- a/include/linux/irq.h
+++ b/include/linux/irq.h
@@ -916,11 +916,21 @@ void irq_remove_generic_chip(struct irq_chip_generic *gc, u32 msk,
unsigned int clr, unsigned int set);
struct irq_chip_generic *irq_get_domain_generic_chip(struct irq_domain *d, unsigned int hw_irq);
-int irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
- int num_ct, const char *name,
- irq_flow_handler_t handler,
- unsigned int clr, unsigned int set,
- enum irq_gc_flags flags);
+
+#define irq_alloc_domain_generic_chips(d, irqs_per_chip, num_ct, name, \
+ handler, clr, set, flags) \
+ ({ \
+ MAYBE_BUILD_BUG_ON(irqs_per_chip > 32); \
+ __irq_alloc_domain_generic_chips(d, irqs_per_chip, num_ct, \
+ name, handler, clr, set, \
+ flags); \
+ })
+
+int __irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
+ int num_ct, const char *name,
+ irq_flow_handler_t handler,
+ unsigned int clr, unsigned int set,
+ enum irq_gc_flags flags);
static inline struct irq_chip_type *irq_data_get_chip_type(struct irq_data *d)
diff --git a/kernel/irq/generic-chip.c b/kernel/irq/generic-chip.c
index abd286a..302ab659 100644
--- a/kernel/irq/generic-chip.c
+++ b/kernel/irq/generic-chip.c
@@ -260,9 +260,9 @@ irq_gc_init_mask_cache(struct irq_chip_generic *gc, enum irq_gc_flags flags)
}
/**
- * irq_alloc_domain_generic_chip - Allocate generic chips for an irq domain
+ * __irq_alloc_domain_generic_chip - Allocate generic chips for an irq domain
* @d: irq domain for which to allocate chips
- * @irqs_per_chip: Number of interrupts each chip handles
+ * @irqs_per_chip: Number of interrupts each chip handles (max 32)
* @num_ct: Number of irq_chip_type instances associated with this
* @name: Name of the irq chip
* @handler: Default flow handler associated with these chips
@@ -270,11 +270,11 @@ irq_gc_init_mask_cache(struct irq_chip_generic *gc, enum irq_gc_flags flags)
* @set: IRQ_* bits to set in the mapping function
* @gcflags: Generic chip specific setup flags
*/
-int irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
- int num_ct, const char *name,
- irq_flow_handler_t handler,
- unsigned int clr, unsigned int set,
- enum irq_gc_flags gcflags)
+int __irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
+ int num_ct, const char *name,
+ irq_flow_handler_t handler,
+ unsigned int clr, unsigned int set,
+ enum irq_gc_flags gcflags)
{
struct irq_domain_chip_generic *dgc;
struct irq_chip_generic *gc;
@@ -326,7 +326,7 @@ int irq_alloc_domain_generic_chips(struct irq_domain *d, int irqs_per_chip,
d->name = name;
return 0;
}
-EXPORT_SYMBOL_GPL(irq_alloc_domain_generic_chips);
+EXPORT_SYMBOL_GPL(__irq_alloc_domain_generic_chips);
/**
* irq_get_domain_generic_chip - Get a pointer to the generic chip of a hw_irq
--
1.7.11.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-09-02 15:55 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-08-19 16:35 [PATCH] genirq: Generic chip: verify irqs_per_chip <= 32 Sebastian Frias
-- strict thread matches above, loose matches on Subject: below --
2016-08-16 14:05 Sebastian Frias
2016-09-02 15:53 ` Thomas Gleixner
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).