From nobody Mon May 25 05:54:08 2026 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E26AC38838A for ; Mon, 18 May 2026 05:09:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=148.163.158.5 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779080959; cv=none; b=SmWAm2av7XsII1NjBwkBhWR72XzAb7UVdJg7kQ0E6Aqeuag3gMRwskh3g2FvKOlRFtMdylAj+hPpgmjNJ2vquOXcnuVtG70RgKhLC6pdbFrnNOHh8w3ckAg/7DeBnw/yNQuwp47GEpSzD0s2rR32BEJ2Wm7JF6N7ROllSycqp+g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779080959; c=relaxed/simple; bh=1ws132ITa5JUmRAEYZtMPY/opx2Me3zdb5B4Bm0YmBo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=E5lpCkdqzGqxIlIh8NYD9qxDFRkeYN3duuOUekEaSoz0F19qAaM+78cdojtGCHhJLVBt3Y0WXTnDOdENxIMyUlx05T02DdOCnbeKXXJSFp7BC6ATAibVl0fdvRrssnQLIxgyEqDLXP00pci7kYpADyE7QMF/QiaGa9oPj4swhFw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com; spf=pass smtp.mailfrom=linux.ibm.com; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b=Dv1yZRKR; arc=none smtp.client-ip=148.163.158.5 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="Dv1yZRKR" Received: from pps.filterd (m0360072.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 64HBU4p64007147; Mon, 18 May 2026 05:09:10 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=lMu/vpDdNx6Ekr3hp vhDe81ynMbqgAMOjfYi7vjOm+g=; b=Dv1yZRKRNjSGTgevf9M1/H/S3YYID/QBq uWevtctWKgR5B9elr0UFYJP6gY1NBF9/YiZMBQL2WSsyVp5wr0bI3YO1Ny9tjWnt j1EWypNmeTR7az7dBnP/hhvjZAZPplTA/sherayvkqmTXxsOlVUb/EBUCvZb/eu0 boC9zv71LiHkBC1+SSGMXiYZdXBsD2aBhG1nLbPrQKpS9qw0ENLfTvZ59RDPXK1w nKHgLvLYmQDat6mrbuTcxgrD8u0Ma08sd5MEy7bzkXv8rozLkLsH+lbRR/OzY4A8 oilw9DpZLudHax+eEbh+KH5pFRNQNhCnKl5YS4xEPHDqMOmM/YoNg== Received: from ppma12.dal12v.mail.ibm.com (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4e6havwuar-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 May 2026 05:09:10 +0000 (GMT) Received: from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1]) by ppma12.dal12v.mail.ibm.com (8.18.1.7/8.18.1.7) with ESMTP id 64I5931j026796; Mon, 18 May 2026 05:09:09 GMT Received: from smtprelay02.fra02v.mail.ibm.com ([9.218.2.226]) by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 4e72wpveyd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 May 2026 05:09:09 +0000 (GMT) Received: from smtpav06.fra02v.mail.ibm.com (smtpav06.fra02v.mail.ibm.com [10.20.54.105]) by smtprelay02.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 64I596Bc31850918 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 18 May 2026 05:09:06 GMT Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EF6052004B; Mon, 18 May 2026 05:09:05 +0000 (GMT) Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 333A420049; Mon, 18 May 2026 05:09:03 +0000 (GMT) Received: from aboo.ibm.com.com (unknown [9.124.214.53]) by smtpav06.fra02v.mail.ibm.com (Postfix) with ESMTP; Mon, 18 May 2026 05:09:02 +0000 (GMT) From: Aboorva Devarajan To: Madhavan Srinivasan , linuxppc-dev@lists.ozlabs.org Cc: Athira Rajeev , Aboorva Devarajan , Christophe Leroy , linux-kernel@vger.kernel.org, Sourabh Jain , Ritesh Harjani , Shrikanth Hegde Subject: [PATCH 1/3] powerpc/perf: fix preempt count underflow in fsl_emb_pmu_del Date: Mon, 18 May 2026 10:38:53 +0530 Message-ID: <20260518050855.1147242-2-aboorvad@linux.ibm.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260518050855.1147242-1-aboorvad@linux.ibm.com> References: <20260518050855.1147242-1-aboorvad@linux.ibm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-Reinject: loops=2 maxloops=12 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTE4MDA0NiBTYWx0ZWRfX5UZOUDpGfQKu BKtrDEaj304LX8VOwCorLdh2KmIGSxYqU09IihmwPCZPEJPUXZVCm43xebjeBnDMJwor7K6ymu1 NFiTiZkAfewaeKv8ez64UyqLN6YndL9gWneXJid9tEhthvn9QDllBIQ7+KHNbsu9els1SWkxZSU d6psjtYY7An5oWeSzXRoPmDJtymm3gX3A17r1fJBKvoKb8hPGtWV/PNd2P5ke4qwtBG+zIYQ0Lk VTfqdH6hpWD5oZF6JG0ZnyXAPIOFiqpP6cP6flY76W1gdZ3GwrGJlQgxZG1AvVGb3oOw+5MeH5/ mP5EcvaKOakUPc7qoaZsVfDnJyXUcv+/c2CovPtY3jTtXgKgcv5j4eXM70dqjVQsU0gurrBEfUV cFv+cdU/PlvguJcj2yd1YmeOP/lAju/dU5tt/dX4TGUfr9MGwcIjgXl3AFApQ/vYBRK2NeDKU9P EIjs0fLt079TAGxBHrg== X-Authority-Analysis: v=2.4 cv=Np/htcdJ c=1 sm=1 tr=0 ts=6a0a9ef6 cx=c_pps a=bLidbwmWQ0KltjZqbj+ezA==:117 a=bLidbwmWQ0KltjZqbj+ezA==:17 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22 a=RzCfie-kr_QcCd8fBx8p:22 a=VnNF1IyMAAAA:8 a=-qzNKB2iBSQ2TZesQmUA:9 X-Proofpoint-ORIG-GUID: R5OLhjrXBAEml8L4J0j_p_RnDPsppf7_ X-Proofpoint-GUID: 3xCLEy9P5J4PAMny0CBofMXUJhW9L5P3 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-05-18_01,2026-05-15_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 spamscore=0 clxscore=1015 priorityscore=1501 impostorscore=0 lowpriorityscore=0 suspectscore=0 adultscore=0 phishscore=0 malwarescore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2605130000 definitions=main-2605180046 Content-Type: text/plain; charset="utf-8" fsl_emb_pmu_del() unconditionally calls put_cpu_var(cpu_hw_events) at the 'out:' label, but only calls the matching get_cpu_var() after the 'i < 0' early-return check. When event->hw.idx is negative the function jumps to 'out:' without having taken get_cpu_var(), and the trailing put_cpu_var() then issues an unmatched preempt_enable(), underflowing preempt_count. On a CONFIG_PREEMPT=3Dy kernel preempt_count would underflow and eventually present as a 'scheduling while atomic' BUG. Move put_cpu_var() to pair with get_cpu_var() so the percpu access is correctly bracketed and the 'out:' label only handles perf_pmu_enable. Fixes: a11106544f33c ("powerpc/perf: e500 support") Signed-off-by: Aboorva Devarajan Reviewed-by: Shrikanth Hegde --- arch/powerpc/perf/core-fsl-emb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/powerpc/perf/core-fsl-emb.c b/arch/powerpc/perf/core-fsl-= emb.c index 7120ab20cbfec..02b5dd74c187a 100644 --- a/arch/powerpc/perf/core-fsl-emb.c +++ b/arch/powerpc/perf/core-fsl-emb.c @@ -366,9 +366,10 @@ static void fsl_emb_pmu_del(struct perf_event *event, = int flags) =20 cpuhw->n_events--; =20 + put_cpu_var(cpu_hw_events); + out: perf_pmu_enable(event->pmu); - put_cpu_var(cpu_hw_events); } =20 static void fsl_emb_pmu_start(struct perf_event *event, int ef_flags) --=20 2.54.0 From nobody Mon May 25 05:54:08 2026 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D14F388375 for ; Mon, 18 May 2026 05:09:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=148.163.158.5 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779080961; cv=none; b=BwNwkRFK8T/JAaqTEXSlccfyaF0v+L6PGLwXrNf9tpwumR7lcaM8LDcFbl+kFJNm9zlHgA2ht2jtyWKSVOWx/k/PO1N8Ejmv34eX1h8Pky3KP1aYI9yiBHUAavFbv2gKEx+V6co8yVhTGZOj/SPf0bO8CWB+Xm7Am9mmt3+2+fM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779080961; c=relaxed/simple; bh=MtOXwuiGT3n1sgS769gO6TbLmatiiDJ2WpzO9cJCg64=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=LnE7JYkWNEWp1iXhAPegHbC9TFBPmi7EpXrnTmxsO+bQBKAryCpUyr+cchJu6erYNIXZUtCt/VSpMVlbKuqaDd3B1PkXs4PKJ5mt2wNrmjjWT0fTITvbgTQDGw6DIhHDoUylDj+hS6frKhgPigyNJDgmgqh7t/RRQSGlVO2FtXs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com; spf=pass smtp.mailfrom=linux.ibm.com; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b=DtrYhqB9; arc=none smtp.client-ip=148.163.158.5 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="DtrYhqB9" Received: from pps.filterd (m0353725.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 64HLIFpU2070048; Mon, 18 May 2026 05:09:14 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=tQawdGIr4hToOKuvy MmUEgu+J9Q/5uLFQGlnXpup290=; b=DtrYhqB9WxOeD9z1n00eNhdnZTc3afarM JjmQuBQwmFiKRq1UqwG0yuCKCutTToeyLB0CkGOL8PSVRhdqaLtUmZ+Dv1fbqSSl vqtw6LDammgu6kE1jFqpLHKiTSn+QEU3XDmq3VRfUnpJso9njLBlUlqZwPUpIc9I 9cBpKp/dbe8o60FDnnn2j1bP0Wgm1NGJzsl3q5DtSmSKH8+sRWNLl+eWuhgCVWOo Pnqp+M/brXkrAPOsJfvhJEGerBidxQU3pTa9cGXx/hwgeybtGxp7OIbOMrDlCAxV JrGdtM9UL2iB2ZSJNZqQ9VzVSsZ1I337dOstxzRpOVnEt9kt2J3YA== Received: from ppma11.dal12v.mail.ibm.com (db.9e.1632.ip4.static.sl-reverse.com [50.22.158.219]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4e6h885un0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 May 2026 05:09:13 +0000 (GMT) Received: from pps.filterd (ppma11.dal12v.mail.ibm.com [127.0.0.1]) by ppma11.dal12v.mail.ibm.com (8.18.1.7/8.18.1.7) with ESMTP id 64I5944b024584; Mon, 18 May 2026 05:09:12 GMT Received: from smtprelay05.fra02v.mail.ibm.com ([9.218.2.225]) by ppma11.dal12v.mail.ibm.com (PPS) with ESMTPS id 4e75kxv02m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 May 2026 05:09:12 +0000 (GMT) Received: from smtpav06.fra02v.mail.ibm.com (smtpav06.fra02v.mail.ibm.com [10.20.54.105]) by smtprelay05.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 64I599e634013472 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 18 May 2026 05:09:09 GMT Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 43F662004B; Mon, 18 May 2026 05:09:09 +0000 (GMT) Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 69ADE20049; Mon, 18 May 2026 05:09:06 +0000 (GMT) Received: from aboo.ibm.com.com (unknown [9.124.214.53]) by smtpav06.fra02v.mail.ibm.com (Postfix) with ESMTP; Mon, 18 May 2026 05:09:06 +0000 (GMT) From: Aboorva Devarajan To: Madhavan Srinivasan , linuxppc-dev@lists.ozlabs.org Cc: Athira Rajeev , Aboorva Devarajan , Christophe Leroy , linux-kernel@vger.kernel.org, Sourabh Jain , Ritesh Harjani , Shrikanth Hegde Subject: [PATCH 2/3] powerpc/powernv: fix preempt count leak in pnv_kexec_wait_secondaries_down Date: Mon, 18 May 2026 10:38:54 +0530 Message-ID: <20260518050855.1147242-3-aboorvad@linux.ibm.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260518050855.1147242-1-aboorvad@linux.ibm.com> References: <20260518050855.1147242-1-aboorvad@linux.ibm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-Reinject: loops=2 maxloops=12 X-Proofpoint-ORIG-GUID: CiCmeEF6BZAC0CSoh_sFje-gfEyFPl3z X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTE4MDA0NiBTYWx0ZWRfXyf8M8/yJRPjb KRnjrQibKNjBnRMM22NIZ+YojoOI0Sr56KDmLYOPJYRfpNP18W68N/8fkRXiMGsFFe8+zn/A6uH Z20MvQ6CKSpdHiAz7P2p19o3jCx4AX1B6b1o72FyPMdg12K08LrhnlVEw586tgTuRvRtrFbaHgZ nUoHT7eitfttxjIJ+VJyp2VKb+Bkme7OBbUtzTXJ08X1x2lPQ/rr6ItC+UF21QPDXMINJ2ak/3h qu2h8O7/5EsIyAm+zs2bHl3KJxggbcX7Ov4kWRxoW2ztdOAB5q6cTeODAsn0TRzPUKz0bSdeYKx 1Cmv15CukIldbIPX5WxiQY98KEiZQzFtLLe+8hWD2psPAKqB11eU2cZ1lOc6e74NXJpCT//vzob iymELWiFBQNJhfqbz8pBkB/R8RzgyjOYwgDvarBueRa4dDrJxQVgxfg7b5UDQU3FoLAgwRTR23G Z3kZzKPX/OXhPcsklcg== X-Proofpoint-GUID: VdaoM-S7813Xeq8EZmREkRSikfHjV2aL X-Authority-Analysis: v=2.4 cv=apyCzyZV c=1 sm=1 tr=0 ts=6a0a9ef9 cx=c_pps a=aDMHemPKRhS1OARIsFnwRA==:117 a=aDMHemPKRhS1OARIsFnwRA==:17 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22 a=V8glGbnc2Ofi9Qvn3v5h:22 a=VnNF1IyMAAAA:8 a=AoYj4kKG8rnORiwU5IoA:9 a=O8hF6Hzn-FEA:10 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-05-18_01,2026-05-15_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 lowpriorityscore=0 priorityscore=1501 impostorscore=0 bulkscore=0 suspectscore=0 adultscore=0 spamscore=0 phishscore=0 clxscore=1015 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2605130000 definitions=main-2605180046 Content-Type: text/plain; charset="utf-8" pnv_kexec_wait_secondaries_down() calls get_cpu() to obtain the current CPU id but never calls the matching put_cpu(), leaking one preempt_disable() nesting level on every invocation. In practice the imbalance does not trigger a visible splat because the kexec teardown path is a one-way trip: IRQs are already disabled, no schedule() occurs after the leak, and default_machine_kexec() overwrites preempt_count with HARDIRQ_OFFSET before jumping into kexec_sequence() which never returns. However the bookkeeping is still wrong. In the kexec teardown path IRQs are already disabled and the CPU is pinned, so get_cpu()'s preempt_disable() side-effect is unnecessary. Replace get_cpu() with raw_smp_processor_id() which returns the CPU id without touching preempt_count. Fixes: 298b34d7d578 ("powerpc/powernv: Fix kexec races going back to OPAL") Signed-off-by: Aboorva Devarajan --- arch/powerpc/platforms/powernv/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/powerpc/platforms/powernv/setup.c b/arch/powerpc/platform= s/powernv/setup.c index 4dbb47ddbdcc4..177da0defcb36 100644 --- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c @@ -396,7 +396,7 @@ static void pnv_kexec_wait_secondaries_down(void) { int my_cpu, i, notified =3D -1; =20 - my_cpu =3D get_cpu(); + my_cpu =3D raw_smp_processor_id(); =20 for_each_online_cpu(i) { uint8_t status; --=20 2.54.0 From nobody Mon May 25 05:54:08 2026 Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9BA4D3815C6 for ; Mon, 18 May 2026 05:09:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=148.163.158.5 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779080964; cv=none; b=O1Bor+H1jjzPibNshjjQx9BVabMVDNqC8ES4Y7rBpWZcjfWxGRG0VQCp4xJp24deQRuYWJsEJLqs93V+u9RaMpkU/gIzjNqQnIV6gZUObC3LDpbLeupxiwvPEpet/TFBhi7ufrLs+c1iLhvDME1ZCeCSY4OFJvSq3oMQAG1wVW8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779080964; c=relaxed/simple; bh=zLb2Qrw+1Mo33sKUiljwD4Rs3NbwWduk2JOml709xOw=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=eaufXcvHkkr+IsPEq/St/TcyJQWQYNHRJNEkjxrXRuXAa7bCh+KgDgNBp0c0fSFawialyHAGldZXJFre2FSBVKqK5krUgK28zvAQoad9bvOA2CP6C3zIaSy77RWfRCkCOSBLM0sVhg48p3ldoENEc9xX7yPK3xNPNFrnqpPh5e8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com; spf=pass smtp.mailfrom=linux.ibm.com; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b=XsCNic2f; arc=none smtp.client-ip=148.163.158.5 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.ibm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=ibm.com header.i=@ibm.com header.b="XsCNic2f" Received: from pps.filterd (m0360072.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 64HKohq6896528; Mon, 18 May 2026 05:09:17 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=94KWRNC8OKvPEX0+y u/PKUH/bkCG2KrNhd9mwu7tC6g=; b=XsCNic2f9QZr6R1bjevEvBf3rUiiT/W67 mj27S7y2tRNjuVw0sPs4hJSZob+FtYaNArI1d3zJeTfrE+dlyZf3WaD+NOe7mdwP DffBF3DEJel8CkYzeEHdcS24gGnjV6sFJ5OTrwosUB+m3O9QtQHb06NW8qRpOL+i 5eYoXV5asFdz8hYI0+ccRtudyQuBsVvPPE+aVn7jFadLHTycUJ2MLF+cRIKgTiy1 aRUueO0cDbc/4AERkgWKtnoI/uBx6xS824U7UuAMz6iRocO99i8ACiM6QyctZh3U I+OlUvXyTK+KKvjRY5MIM5Z47z4RSNINfAk22mquplVJ/AIXdO/ZA== Received: from ppma12.dal12v.mail.ibm.com (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4e6havwub3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 May 2026 05:09:16 +0000 (GMT) Received: from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1]) by ppma12.dal12v.mail.ibm.com (8.18.1.7/8.18.1.7) with ESMTP id 64I5931n026796; Mon, 18 May 2026 05:09:16 GMT Received: from smtprelay04.fra02v.mail.ibm.com ([9.218.2.228]) by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 4e72wpveyr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 May 2026 05:09:15 +0000 (GMT) Received: from smtpav06.fra02v.mail.ibm.com (smtpav06.fra02v.mail.ibm.com [10.20.54.105]) by smtprelay04.fra02v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 64I59Cme23528106 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 18 May 2026 05:09:12 GMT Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 57F5D2004D; Mon, 18 May 2026 05:09:12 +0000 (GMT) Received: from smtpav06.fra02v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C01FC20049; Mon, 18 May 2026 05:09:09 +0000 (GMT) Received: from aboo.ibm.com.com (unknown [9.124.214.53]) by smtpav06.fra02v.mail.ibm.com (Postfix) with ESMTP; Mon, 18 May 2026 05:09:09 +0000 (GMT) From: Aboorva Devarajan To: Madhavan Srinivasan , linuxppc-dev@lists.ozlabs.org Cc: Athira Rajeev , Aboorva Devarajan , Christophe Leroy , linux-kernel@vger.kernel.org, Sourabh Jain , Ritesh Harjani , Shrikanth Hegde Subject: [PATCH 3/3] powerpc/kexec: fix double get_cpu() imbalance in kexec_prepare_cpus Date: Mon, 18 May 2026 10:38:55 +0530 Message-ID: <20260518050855.1147242-4-aboorvad@linux.ibm.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260518050855.1147242-1-aboorvad@linux.ibm.com> References: <20260518050855.1147242-1-aboorvad@linux.ibm.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-Reinject: loops=2 maxloops=12 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTE4MDA0NiBTYWx0ZWRfX6vlLF8cI/gdx NCfSRaTq7ovQwNujtzzYQn7XpS0OyNNIvpx5UbC8YkE1Qe3doj9jsS6NCT1Q06sQhTQ/xpDNy1L 8bphdQMJYycu3teU0RJIWVeaaAuvqHguP6naDwF330RWu+rpCyrFMQhH8fMsuk1sFl3RszEntAz yLQZ1RLNF5EkQZbzMwrpV8hK4PJvXCC6WI8JFsNWKHnGzMUChUVx7rSOzl2ynyDsapIISn0ClsQ QP2f+rhpVwC9O0azQIuGqsu7pYwVTqFpNiMAbrKNUmMDw0JQaxDP2KdECTv5NzcTshThq2AhUKi CooYuPhorGSgWtfMhrysx8jzKXTyZRA7AKTgb0vxL1wLCZF9zU2tBMtnGnsjuQxb9r1ih1xKjO7 /u02W3RByurbGv0Je/xJNAaYTZSbVgRmvPtZ9STzCWpwW2BOPhkYZpo7stB6hrYV+6I3hnYKSe6 ENKAtEWVDWQTUJUK6eQ== X-Authority-Analysis: v=2.4 cv=Np/htcdJ c=1 sm=1 tr=0 ts=6a0a9efd cx=c_pps a=bLidbwmWQ0KltjZqbj+ezA==:117 a=bLidbwmWQ0KltjZqbj+ezA==:17 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22 a=RzCfie-kr_QcCd8fBx8p:22 a=VnNF1IyMAAAA:8 a=axsVtGY85TFwrCMB_VEA:9 a=O8hF6Hzn-FEA:10 X-Proofpoint-ORIG-GUID: 1ge_qtbov3H-6wEiunApsu3qbZsLB4QB X-Proofpoint-GUID: aBxZ37yXKtQSS6vZrZdCs4qGCQL_AiiP X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-05-18_01,2026-05-15_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 spamscore=0 clxscore=1015 priorityscore=1501 impostorscore=0 lowpriorityscore=0 suspectscore=0 adultscore=0 phishscore=0 malwarescore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2605130000 definitions=main-2605180046 Content-Type: text/plain; charset="utf-8" kexec_prepare_cpus_wait() calls get_cpu() internally to obtain the current CPU id. kexec_prepare_cpus() calls kexec_prepare_cpus_wait() twice -- once for KEXEC_STATE_IRQS_OFF and once for KEXEC_STATE_REAL_MODE -- but only issues a single put_cpu() at the end, leaving preempt_count elevated by one extra nesting level. In practice the imbalance does not trigger a 'scheduling while atomic' splat because the kexec path is a one-way trip: IRQs are already disabled, no schedule() occurs after the leak, and default_machine_kexec() overwrites preempt_count with HARDIRQ_OFFSET before jumping into kexec_sequence() which never returns. However the bookkeeping is still wrong. Lift the get_cpu()/put_cpu() pair into kexec_prepare_cpus() so it is called exactly once, and pass the CPU id to kexec_prepare_cpus_wait() as a parameter. This keeps preempt_count correctly balanced. Fixes: 1fc711f7ffb01 ("powerpc/kexec: Fix race in kexec shutdown") Signed-off-by: Aboorva Devarajan --- arch/powerpc/kexec/core_64.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/arch/powerpc/kexec/core_64.c b/arch/powerpc/kexec/core_64.c index 825ab8a88f18e..9d7e5a1e6e5b8 100644 --- a/arch/powerpc/kexec/core_64.c +++ b/arch/powerpc/kexec/core_64.c @@ -164,12 +164,11 @@ static void kexec_smp_down(void *arg) /* NOTREACHED */ } =20 -static void kexec_prepare_cpus_wait(int wait_state) +static void kexec_prepare_cpus_wait(int wait_state, int my_cpu) { - int my_cpu, i, notified=3D-1; + int i, notified =3D -1; =20 hw_breakpoint_disable(); - my_cpu =3D get_cpu(); /* Make sure each CPU has at least made it to the state we need. * * FIXME: There is a (slim) chance of a problem if not all of the CPUs @@ -246,6 +245,8 @@ static void wake_offline_cpus(void) =20 static void kexec_prepare_cpus(void) { + int my_cpu; + wake_offline_cpus(); smp_call_function(kexec_smp_down, NULL, /* wait */0); local_irq_disable(); @@ -254,7 +255,8 @@ static void kexec_prepare_cpus(void) mb(); /* make sure IRQs are disabled before we say they are */ get_paca()->kexec_state =3D KEXEC_STATE_IRQS_OFF; =20 - kexec_prepare_cpus_wait(KEXEC_STATE_IRQS_OFF); + my_cpu =3D get_cpu(); + kexec_prepare_cpus_wait(KEXEC_STATE_IRQS_OFF, my_cpu); /* we are sure every CPU has IRQs off at this point */ kexec_all_irq_disabled =3D 1; =20 @@ -262,13 +264,12 @@ static void kexec_prepare_cpus(void) * Before removing MMU mappings make sure all CPUs have entered real * mode: */ - kexec_prepare_cpus_wait(KEXEC_STATE_REAL_MODE); + kexec_prepare_cpus_wait(KEXEC_STATE_REAL_MODE, my_cpu); + put_cpu(); =20 /* after we tell the others to go down */ if (ppc_md.kexec_cpu_down) ppc_md.kexec_cpu_down(0, 0); - - put_cpu(); } =20 #else /* ! SMP */ --=20 2.54.0