[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2] x86/apic: Avoid infinite loop in io_apic_level_ack_pending()

To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
From: Jason Andryuk <jason.andryuk@xxxxxxx>
Date: Tue, 14 Oct 2025 08:24:38 -0400
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=citrix.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=vpc+bz3p67kLMc0zFi4sTqbc9eciCbNZG1ZmbGL+7Rs=; b=c9lpWb+hqXy2bW9/81ZsoFSuuNIjKsunZBXiwVS3K0Lmtz2IJygWoWu/ip0H03IUDOTtDsSkLRreQO4+I6cyWe+aC79IDi13BlDTK6TOzRas4nubKoeFBQHlRcIyiB4hE79C2/5zHGWHEzz5Z3SzsrqnV2zdcYOL6z/aGY43hFBtKtl7WYIwXAXmI9eOS70A/MnGyjQ0rO6goKHVGR6s9EAxdWVHyLI6M3d++zGJL55RAANLcH4rT1wjYxShkjTCRDAAeWt1/RUsZhJpvccXvcPcAzpcoh/wMYzLC/HtSaRcum9NfsUAvrCbr5fVgidfCMGSZCnyWCPbAOJ+OZwpQQ==
Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=i24+U+EQhslDEOuSWviYg4GCegp68DlSAaE25nXnemxr5Bv1xbPz5kMhwWZ+ve9NeYqFKum7qq/wQ2OqshMgwEMMJ1WuaHbK87x+bUMwW+eFv5p+6vxWmUcEGNZPvVEdXFS6MLK4gJ0QsJdAQmzWcgynK4eS2rc2V4GZun/nD8apyY3hZAyYq6GMTt1W4NKDIBZMKf8A2WvV7oZp08SX62wR0YME42kYrZ24bH7xe9QydoINYeT9MRA4m+uFPMIoQ08dBlWUXHrYUyKeXaCdSf3MNE0PrYTsomjjf3rmrZlj5MHjZOw1w3w03TUzswl4TDSLAJl2+1eH3cWQfJHp2Q==
Cc: <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Delivery-date: Tue, 14 Oct 2025 12:25:11 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Roger,

On 2025-10-14 03:37, Roger Pau Monné wrote:

On Mon, Oct 13, 2025 at 05:11:06PM -0400, Jason Andryuk wrote:

io_apic_level_ack_pending() will end up in an infinite loop if
entry->pin == -1.  entry does not change, so it will keep reading -1.


Do you know how you end up with an entry with pin == -1 on the
irq_pin_list? Are there systems with gaps in the GSI space between
IO-APICs?  So far everything I saw had the IO-APIC in contiguous GSI
space.

I only noticed this potential infinite loop during code inspection. Imentioned that in a v1 post commit comment, but I forgot it in v2.

Convert to a proper for loop so that continue works.  Add a new helper,
next_entry(), to handle advancing to the next irq_pin_list entry.

Fixes: f821102450a1 ("x86: IRQ Migration logic enhancement.")
Signed-off-by: Jason Andryuk <jason.andryuk@xxxxxxx>
---
v2:
continue (not break) for pin == -1.

I added the next_entry() helper since putting the expression in the for
loop is a little cluttered.  The helper can also be re-used for other
instances within the file.
---
  xen/arch/x86/io_apic.c | 14 +++++++++-----
  1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
index c384f10c1b..7b58345c96 100644
--- a/xen/arch/x86/io_apic.c
+++ b/xen/arch/x86/io_apic.c
@@ -1586,14 +1586,21 @@ static int __init cf_check setup_ioapic_ack(const char 
*s)
  }
  custom_param("ioapic_ack", setup_ioapic_ack);

+static struct irq_pin_list *next_entry(struct irq_pin_list *entry)


I think you can make the entry parameter const?

Ok.

+{
+    if ( !entry->next )
+        return NULL;
+
+    return irq_2_pin + entry->next;
+}
+
  static bool io_apic_level_ack_pending(unsigned int irq)
  {
      struct irq_pin_list *entry;
      unsigned long flags;

spin_lock_irqsave(&ioapic_lock, flags);

-    entry = &irq_2_pin[irq];
-    for (;;) {
+    for ( entry = &irq_2_pin[irq]; entry ; entry = next_entry(entry) ) {


I'm not sure where we stand regarding coding style here, but it looks
you either want to remove the space between parentheses (my
preference), or place the opening for braces on a newline.  I would
possibly do:

for (entry = &irq_2_pin[irq]; entry; entry = next_entry(entry)) {
...

As I think it fits better given the small change and the surrounding
coding style.


That works for me.

          unsigned int reg;
          int pin;


Below here you can remove the:

         if (!entry)
             break;

Chunk, as the for loop already checks for this condition.


Yes, thanks for catching that.

Regards,
Jason

References:
- [PATCH v2] x86/apic: Avoid infinite loop in io_apic_level_ack_pending()
  - From: Jason Andryuk
- Re: [PATCH v2] x86/apic: Avoid infinite loop in io_apic_level_ack_pending()
  - From: Roger Pau Monné

Prev by Date: Re: [PATCH] hw/display/xenfb: Replace unreachable code by abort()
Next by Date: Re: [PATCH] hw/display/xenfb: Replace unreachable code by abort()
Previous by thread: Re: [PATCH v2] x86/apic: Avoid infinite loop in io_apic_level_ack_pending()
Next by thread: Re: [PATCH v2] x86/apic: Avoid infinite loop in io_apic_level_ack_pending()
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.