writing to "/proc/irq/xxxx/smp_affinity" produces a kernel crash on 2.6.7 version

From: Francois Wellenreiter <Francois.Wellenreiter_at_Ext.Bull.Net>
Date: 2004-08-17 22:50:46
Dear all,

Apparently a little bug was introduced in the 2.6.7 kernel dealing with IRQ
redirection management via the proc filesystem.
The behavior is quite simple, just type :

echo "r 00000001" > /proc/irq/{xy}/smp_affinity

where {xy} is a valid irq, and your kernel will crash.

The bug is located in the file arch/ia64/kernel/irq.c , function 
at the following line we set a value called irq :

         if (copy_from_user(rbuf, buffer, rlen))
                 return -EFAULT;
         rbuf[rlen] = 0;
         prelen = 0;
         if (tolower(*rbuf) == 'r') {
                 prelen = strspn(rbuf, "Rr ");
                 irq |= IA64_IRQ_REDIRECTED; <----- IA64_IRQ_REDIRECTED = 1<31 !!!!!


and later it is written :

         spin_lock_irqsave(&desc->lock, flags);
         pending_irq_cpumask[irq] = new_value; <----- code generating a fatal page fault
         spin_unlock_irqrestore(&desc->lock, flags);

Reading this code, trouble clearly exists around the irq notion.
The "irq" corresponding to the irq number programmed in the IOSAPIC
(taking into account the IA64_IRQ_REDIRECTED bit) is mixed with
the irq index in the irq_affinity table.

Best regards,


Received on Tue Aug 17 08:51:11 2004
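
The index/flag mix-up described in the message above, as a user-space model added here (not kernel code and not the fix that was applied upstream). The `demo_` names, the table size of 256 and the flag in the top bit are assumptions for illustration; the point is that the value programmed into the interrupt controller and the array index must be kept in separate variables.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_NR_IRQS        256         /* assumed table size */
#define DEMO_IRQ_REDIRECTED (1u << 31)  /* assumed: flag kept in the top bit */
static unsigned long demo_pending_mask[DEMO_NR_IRQS]; /* stand-in for pending_irq_cpumask[] */

/* Parse "[r ]<hex mask>"; returns 0 on success and fills *redirected, *mask. */
static int demo_parse(const char *buf, int *redirected, unsigned long *mask)
{
    size_t prelen = 0;
    char *end;
    *redirected = 0;
    if (tolower((unsigned char)*buf) == 'r') {
        prelen = strspn(buf, "Rr ");
        *redirected = 1;
    }
    *mask = strtoul(buf + prelen, &end, 16);
    return (end == buf + prelen) ? -1 : 0;   /* no hex digits: reject */
}

/* Pattern from the report: the flag is ORed into the variable later used as index. */
static unsigned int demo_index_buggy(unsigned int irq, int redirected)
{
    return redirected ? (irq | DEMO_IRQ_REDIRECTED) : irq;
}

/* Separated: the table index stays the plain irq, the flag goes only to *hw_irq. */
static int demo_store_fixed(unsigned int irq, const char *buf, unsigned int *hw_irq)
{
    int redirected;
    unsigned long mask;
    if (irq >= DEMO_NR_IRQS || demo_parse(buf, &redirected, &mask))
        return -1;                                          /* bounds and input check */
    *hw_irq = irq | (redirected ? DEMO_IRQ_REDIRECTED : 0); /* value for the controller */
    demo_pending_mask[irq] = mask;                          /* index carries no flag bit */
    return 0;
}

int main(void)
{
    unsigned int hw, idx = demo_index_buggy(34, 1);
    printf("buggy index %u, in bounds: %d\n", idx, idx < DEMO_NR_IRQS);
    printf("fixed store: %d\n", demo_store_fixed(34, "r 00000001", &hw));
    return 0;
}
```

The buggy helper only returns the index it would use, so the model never performs the out-of-bounds write itself.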
