From: Aaron Tomlin
To: tglx@kernel.org
Cc: neelx@suse.com, sean@ashe.io, steve@abita.co, mproche@gmail.com, linux-kernel@vger.kernel.org
Subject: [RFC PATCH] genirq: Enforce monotonic increase contract in irq_get_next_irq()
Date: Wed, 3 Jun 2026 22:01:49 -0400
Message-ID: <20260604020149.1148697-1-atomlin@atomlin.com>

When an IRQ descriptor is corrupted in memory (e.g., via an out-of-bounds write by a rogue driver), the descriptor's internal IRQ number may be zeroed out.

During iteration via for_each_active_irq(), irq_get_next_irq() relies on irq_desc_get_irq(desc) to retrieve the next IRQ number. If a descriptor is corrupted, this can result in returning an IRQ number (e.g., 0) that is strictly less than the requested offset. This breaks the fundamental forward-progress guarantee of the iterator.

This contract violation causes catastrophic unsigned integer underflows in callers. For instance, show_all_irqs() in fs/proc/stat.c calculates padding using (i - next). A corrupted descriptor returning 0 forces a massive unsigned underflow, trapping the CPU in an extensive loop inside show_irq_gap() and triggering a soft lockup watchdog.

While the underlying issue is a memory corruption bug, core iterators should be resilient against returning values that violate their own mathematical boundaries and induce lockups in other subsystems.

Introduce a lightweight boundary check in irq_get_next_irq() to verify the returned IRQ is greater than or equal to the offset. If corruption is detected, raise a WARN_ONCE() to pinpoint the invalid state and return nr_irqs to safely abort the iteration.

Signed-off-by: Aaron Tomlin
--- kernel/irq/irqdesc.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c index 7173b8b634f2..47a9dedb36b3 100644 --- a/kernel/irq/irqdesc.c +++ b/kernel/irq/irqdesc.c 
@@ -927,7 +927,22 @@ EXPORT_SYMBOL_GPL(__irq_alloc_descs); */ unsigned int irq_get_next_irq(unsigned int offset) { - return irq_find_at_or_after(offset); + unsigned int irq; + const unsigned int nr_irqs =3D irq_get_nr_irqs(); + + irq =3D irq_find_at_or_after(offset); + + /* + * Defend against corrupted IRQ descriptors violating the monotonic + * iterator contract. Returning a value lower than the offset will + * cause catastrophic unsigned underflows in callers. + */ + if (WARN_ONCE(irq < offset && irq < nr_irqs, + "genirq: Corrupted IRQ descriptor detected: irq %u < offset %u\n", + irq, offset)) + return nr_irqs; + + return irq; } =20 struct irq_desc *__irq_get_desc_lock(unsigned int irq, unsigned long *flag= s, bool bus, --=20 2.51.0
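
Review bot: In the WARN_ONCE() condition, `irq < offset && irq < nr_irqs`, the second clause is not explained by the comment above it. It appears to exempt the case where irq_find_at_or_after() returns the end value for an offset that is itself past nr_irqs, which is a legitimate "nothing found" result rather than corruption; say so in the comment so the clause is not later dropped as redundant. The kerneldoc that closes just above the function is left unchanged, so the new behaviour (returning nr_irqs and ending the walk early when the result is below offset) is not documented for callers: every IRQ after the bad descriptor is skipped, and after the first hit WARN_ONCE() stays quiet while the truncation continues. WARN_ONCE() also escalates to a panic on systems booted with panic_on_warn, which changes the failure mode there from a soft lockup to a reboot; if that is not intended, pr_warn_once() would give the diagnostic without it.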