[Stable-8.2.3 24/87] hmat acpi: Fix out of bounds access due to missing

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Stable-8.2.3 24/87] hmat acpi: Fix out of bounds access due to missing

From:	Michael Tokarev
Subject:	[Stable-8.2.3 24/87] hmat acpi: Fix out of bounds access due to missing use of indirection
Date:	Wed, 10 Apr 2024 10:21:57 +0300

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

With a numa set up such as

-numa nodeid=0,cpus=0 \
-numa nodeid=1,memdev=mem \
-numa nodeid=2,cpus=1

and appropriate hmat_lb entries the initiator list is correctly
computed and writen to HMAT as 0,2 but then the LB data is accessed
using the node id (here 2), landing outside the entry_list array.

Stash the reverse lookup when writing the initiator list and use
it to get the correct array index index.

Fixes: 4586a2cb83 ("hmat acpi: Build System Locality Latency and Bandwidth 
Information Structure(s)")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240307160326.31570-3-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 74e2845c5f95b0c139c79233ddb65bb17f2dd679)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
index 3042d223c8..2f3a2362bd 100644
--- a/hw/acpi/hmat.c
+++ b/hw/acpi/hmat.c
@@ -78,6 +78,7 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info 
*hmat_lb,
                           uint32_t *initiator_list)
 {
     int i, index;
+    uint32_t initiator_to_index[MAX_NODES] = {};
     HMAT_LB_Data *lb_data;
     uint16_t *entry_list;
     uint32_t base;
@@ -121,6 +122,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info 
*hmat_lb,
     /* Initiator Proximity Domain List */
     for (i = 0; i < num_initiator; i++) {
         build_append_int_noprefix(table_data, initiator_list[i], 4);
+        /* Reverse mapping for array possitions */
+        initiator_to_index[initiator_list[i]] = i;
     }
 
     /* Target Proximity Domain List */
@@ -132,7 +135,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info 
*hmat_lb,
     entry_list = g_new0(uint16_t, num_initiator * num_target);
     for (i = 0; i < hmat_lb->list->len; i++) {
         lb_data = &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
-        index = lb_data->initiator * num_target + lb_data->target;
+        index = initiator_to_index[lb_data->initiator] * num_target +
+            lb_data->target;
 
         entry_list[index] = (uint16_t)(lb_data->data / hmat_lb->base);
     }
-- 
2.39.2

[Prev in Thread]

Current Thread

[Next in Thread]

[Stable-8.2.3 14/87] igb: fix link state on resume, (continued)
- [Stable-8.2.3 14/87] igb: fix link state on resume, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 16/87] Avoid unaligned fetch in ladr_match(), Michael Tokarev, 2024/04/10
- [Stable-8.2.3 17/87] xen: Drop out of coroutine context xen_invalidate_map_cache_entry, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 19/87] hw/nvme: fix invalid check on mcl, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 18/87] hw/nvme: separate 'serial' property for VFs, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 20/87] hw/nvme: generalize the mbar size helper, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 23/87] pcie_sriov: Validate NumVFs, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 25/87] hw/audio/virtio-sound: return correct command response size, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 22/87] hw/nvme: Use pcie_sriov_num_vfs(), Michael Tokarev, 2024/04/10
- [Stable-8.2.3 21/87] hw/nvme: add machine compatibility parameter to enable msix exclusive bar, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 24/87] hmat acpi: Fix out of bounds access due to missing use of indirection, Michael Tokarev <=
- [Stable-8.2.3 26/87] migration: Skip only empty block devices, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 28/87] nbd/server: only traverse NBDExport->clients from main loop thread, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 30/87] nbd/server: Fix race in draining the export, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 29/87] nbd/server: introduce NBDClient->lock to protect fields, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 27/87] mirror: Don't call job_pause_point() under graph lock, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 31/87] iotests: Add test for reset/AioContext switches with NBD exports, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 34/87] tests/unit: Bump test-replication timeout to 60 seconds, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 33/87] tests/unit: Bump test-crypto-block test timeout to 5 minutes, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 32/87] tests/unit: Bump test-aio-multithread test timeout to 2 minutes, Michael Tokarev, 2024/04/10
- [Stable-8.2.3 36/87] target/i386: use separate MMU indexes for 32-bit accesses, Michael Tokarev, 2024/04/10

Prev by Date: [Stable-8.2.3 21/87] hw/nvme: add machine compatibility parameter to enable msix exclusive bar
Next by Date: [Stable-8.2.3 26/87] migration: Skip only empty block devices
Previous by thread: [Stable-8.2.3 21/87] hw/nvme: add machine compatibility parameter to enable msix exclusive bar
Next by thread: [Stable-8.2.3 26/87] migration: Skip only empty block devices
Index(es):
- Date
- Thread