[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 66/68] hmat acpi: Fix out of bounds access due to missing use of i
From: |
Michael S. Tsirkin |
Subject: |
[PULL 66/68] hmat acpi: Fix out of bounds access due to missing use of indirection |
Date: |
Tue, 12 Mar 2024 18:29:04 -0400 |
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
With a numa set up such as
-numa nodeid=0,cpus=0 \
-numa nodeid=1,memdev=mem \
-numa nodeid=2,cpus=1
and appropriate hmat_lb entries the initiator list is correctly
computed and writen to HMAT as 0,2 but then the LB data is accessed
using the node id (here 2), landing outside the entry_list array.
Stash the reverse lookup when writing the initiator list and use
it to get the correct array index index.
Fixes: 4586a2cb83 ("hmat acpi: Build System Locality Latency and Bandwidth
Information Structure(s)")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240307160326.31570-3-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/acpi/hmat.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
index 8ea240878a..9b1662b6b8 100644
--- a/hw/acpi/hmat.c
+++ b/hw/acpi/hmat.c
@@ -78,6 +78,7 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info
*hmat_lb,
uint32_t *initiator_list)
{
int i, index;
+ uint32_t initiator_to_index[MAX_NODES] = {};
HMAT_LB_Data *lb_data;
uint16_t *entry_list;
uint32_t base;
@@ -121,6 +122,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info
*hmat_lb,
/* Initiator Proximity Domain List */
for (i = 0; i < num_initiator; i++) {
build_append_int_noprefix(table_data, initiator_list[i], 4);
+ /* Reverse mapping for array possitions */
+ initiator_to_index[initiator_list[i]] = i;
}
/* Target Proximity Domain List */
@@ -132,7 +135,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info
*hmat_lb,
entry_list = g_new0(uint16_t, num_initiator * num_target);
for (i = 0; i < hmat_lb->list->len; i++) {
lb_data = &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
- index = lb_data->initiator * num_target + lb_data->target;
+ index = initiator_to_index[lb_data->initiator] * num_target +
+ lb_data->target;
entry_list[index] = (uint16_t)(lb_data->data / hmat_lb->base);
}
--
MST
- [PULL 53/68] hw/i386/pc: Inline pc_cmos_init() into pc_cmos_init_late() and remove it, (continued)
- [PULL 53/68] hw/i386/pc: Inline pc_cmos_init() into pc_cmos_init_late() and remove it, Michael S. Tsirkin, 2024/03/12
- [PULL 51/68] hw/i386/pc: Avoid one use of the current_machine global, Michael S. Tsirkin, 2024/03/12
- [PULL 46/68] hw/pci: Always call pcie_sriov_pf_reset(), Michael S. Tsirkin, 2024/03/12
- [PULL 45/68] pcie_sriov: Do not reset NumVFs after disabling VFs, Michael S. Tsirkin, 2024/03/12
- [PULL 47/68] pc: q35: Bump max_cpus to 4096 vcpus, Michael S. Tsirkin, 2024/03/12
- [PULL 49/68] Revert "hw/i386/pc: Confine system flash handling to pc_sysfw", Michael S. Tsirkin, 2024/03/12
- [PULL 50/68] hw/i386/pc: Remove "rtc_state" link again, Michael S. Tsirkin, 2024/03/12
- [PULL 52/68] hw/i386/pc: Set "normal" boot device order in pc_basic_device_init(), Michael S. Tsirkin, 2024/03/12
- [PULL 54/68] qom: new object to associate device to NUMA node, Michael S. Tsirkin, 2024/03/12
- [PULL 58/68] virtio-iommu: Change the default granule to the host page size, Michael S. Tsirkin, 2024/03/12
- [PULL 66/68] hmat acpi: Fix out of bounds access due to missing use of indirection,
Michael S. Tsirkin <=
- [PULL 55/68] hw/acpi: Implement the SRAT GI affinity structure, Michael S. Tsirkin, 2024/03/12
- [PULL 57/68] virtio-iommu: Add a granule property, Michael S. Tsirkin, 2024/03/12
- [PULL 56/68] hw/i386/acpi-build: Add support for SRAT Generic Initiator structures, Michael S. Tsirkin, 2024/03/12
- [PULL 62/68] hw/i386/q35: Set virtio-iommu aw-bits default value to 39, Michael S. Tsirkin, 2024/03/12
- [PULL 60/68] virtio-iommu: Trace domain range limits as unsigned int, Michael S. Tsirkin, 2024/03/12
- [PULL 64/68] qemu-options.hx: Document the virtio-iommu-pci aw-bits option, Michael S. Tsirkin, 2024/03/12
- [PULL 67/68] hw/cxl: Fix missing reserved data in CXL Device DVSEC, Michael S. Tsirkin, 2024/03/12
- [PULL 68/68] docs/specs/pvpanic: document shutdown event, Michael S. Tsirkin, 2024/03/12
- [PULL 59/68] qemu-options.hx: Document the virtio-iommu-pci granule option, Michael S. Tsirkin, 2024/03/12
- [PULL 61/68] virtio-iommu: Add an option to define the input range width, Michael S. Tsirkin, 2024/03/12