From: Toshi Kani <toshi.kani@hp.com>
To: Alok Kataria <akataria@vmware.com>
Cc: Petr Vandrovec <petr@vmware.com>,
the arch/x86 maintainers <x86@kernel.org>,
lenb@kernel.org, linux-kernel@vger.kernel.org,
linux-acpi@vger.kernel.org, dcovelli@vmware.com
Subject: Re: [PATCH 3.3.0-rc3] Fix use-after-free in acpi_map_lsapic
Date: Thu, 08 Mar 2012 14:01:15 -0700 [thread overview]
Message-ID: <1331240475.1156.104.camel@misato.fc.hp.com> (raw)
In-Reply-To: <1331149730.25361.24.camel@ank32.eng.vmware.com>
On Wed, 2012-03-07 at 11:48 -0800, Alok Kataria wrote:
> Len, anyone else,
>
> Any comments on this one ? This fixes a important bug during cpu hotadd
> where the kernel fails to recognize all the newly added cpus.
>
> Thanks,
> Alok
>
>
> On Wed, 2012-02-15 at 16:06 -0800, Petr Vandrovec wrote:
> > From: Petr Vandrovec <petr@vmware.com>
> >
> > When processor is being hot-added to the system, acpi_map_lsapic invokes
> > ACPI _MAT method to find APIC ID and flags, verifies that returned structure
> > is indeed ACPI's local APIC structure, and that flags contain MADT_ENABLED
> > bit. Then saves APIC ID, frees structure - and accesses structure when
> > computing arguments for acpi_register_lapic call. Which sometime leads
> > to acpi_register_lapic call being made with second argument zero, failing
> > to bring processor online with error 'Unable to map lapic to logical cpu
> > number'.
> >
> > As lapic->lapic_flags & ACPI_MADT_ENABLED was already confirmed to be non-zero
> > few lines above, we can just pass unconditional ACPI_MADT_ENABLED to the
> > acpi_register_lapic.
> >
> > Thanks, Petr
> >
> > Signed-off-by: Petr Vandrovec <petr@vmware.com>
> > Signed-off-by: Alok Kataria <akataria@vmware.com>
> >
> >
> > diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
> > index ce664f3..a4a0901 100644
> > --- a/arch/x86/kernel/acpi/boot.c
> > +++ b/arch/x86/kernel/acpi/boot.c
> > @@ -650,7 +650,7 @@ static int __cpuinit _acpi_map_lsapic(acpi_handle handle, int *pcpu)
> > goto free_tmp_map;
> >
> > cpumask_copy(tmp_map, cpu_present_mask);
> > - acpi_register_lapic(physid, lapic->lapic_flags & ACPI_MADT_ENABLED);
> > + acpi_register_lapic(physid, ACPI_MADT_ENABLED);
The change looks good. I suggest you also add the following line to
prevent such bug in future.
kfree(buffer.pointer);
buffer.length = ACPI_ALLOCATE_BUFFER;
buffer.pointer = NULL;
+ lapic = NULL;
Thanks,
-Toshi
> >
> > /*
> > * If mp_register_lapic successfully generates a new logical cpu
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2012-03-08 21:01 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-16 0:06 [PATCH 3.3.0-rc3] Fix use-after-free in acpi_map_lsapic Petr Vandrovec
2012-03-07 19:48 ` Alok Kataria
2012-03-08 21:01 ` Toshi Kani [this message]
2012-03-08 21:33 ` Alok Kataria
2012-03-08 22:34 ` Toshi Kani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1331240475.1156.104.camel@misato.fc.hp.com \
--to=toshi.kani@hp.com \
--cc=akataria@vmware.com \
--cc=dcovelli@vmware.com \
--cc=lenb@kernel.org \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=petr@vmware.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.