linux/kernel/irq
Thomas Gleixner c1ee626428 genirq: Prevent access beyond allocated_irqs bitmap
Lars-Peter Clausen pointed out:

   I stumbled upon this while looking through the existing archs using
   SPARSE_IRQ.  Even with SPARSE_IRQ the NR_IRQS is still the upper
   limit for the number of IRQs.

   Both PXA and MMP set NR_IRQS to IRQ_BOARD_START, with
   IRQ_BOARD_START being the number of IRQs used by the core.

   In various machine files the nr_irqs field of the ARM machine
   defintion struct is then set to "IRQ_BOARD_START + NR_BOARD_IRQS".

   As a result "nr_irqs" will greater then NR_IRQS which then again
   causes the "allocated_irqs" bitmap in the core irq code to be
   accessed beyond its size overwriting unrelated data.

The core code really misses a sanity check there.

This went unnoticed so far as by chance the compiler/linker places
data behind that bitmap which gets initialized later on those affected
platforms.

So the obvious fix would be to add a sanity check in early_irq_init()
and break all affected platforms. Though that check wants to be
backported to stable as well, which will require to fix all known
problematic platforms and probably some more yet not known ones as
well. Lots of churn.

A way simpler solution is to allocate a slightly larger bitmap and
avoid the whole churn w/o breaking anything. Add a few warnings when
an arch returns utter crap.

Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@kernel.org # .37
Cc: Haojian Zhuang <haojian.zhuang@marvell.com>
Cc: Eric Miao <eric.y.miao@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
2011-02-19 12:10:51 +01:00
..
autoprobe.c genirq: Provide compat handling for chip->set_type() 2010-10-04 12:43:47 +02:00
chip.c genirq: Sanitize dynamic irq handling 2010-10-12 16:53:44 +02:00
devres.c devres/irq: Fix devm_irq_match comment 2010-02-11 16:01:02 +01:00
dummychip.c genirq: Fix CONFIG_GENIRQ_NO_DEPRECATED=y build 2010-10-12 21:59:55 +02:00
handle.c genirq: Remove __do_IRQ 2011-01-21 11:55:31 +01:00
internals.h genirq: Prevent access beyond allocated_irqs bitmap 2011-02-19 12:10:51 +01:00
irqdesc.c genirq: Prevent access beyond allocated_irqs bitmap 2011-02-19 12:10:51 +01:00
Kconfig genirq: Remove __do_IRQ 2011-01-21 11:55:31 +01:00
Makefile genirq: Remove the now unused sparse irq leftovers 2010-10-12 16:53:44 +02:00
manage.c sched: Constify function scope static struct sched_param usage 2011-01-07 15:55:45 +01:00
migration.c genirq: Prevent irq storm on migration 2011-02-02 22:15:08 +01:00
pm.c genirq: Convert irq_desc.lock to raw_spinlock 2009-12-14 23:55:33 +01:00
proc.c genirq: Fix incorrect proc spurious output 2010-12-01 08:44:26 +01:00
resend.c genirq: Prevent access beyond allocated_irqs bitmap 2011-02-19 12:10:51 +01:00
spurious.c genirq: Provide config option to disable deprecated code 2010-10-04 13:40:24 +02:00