All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Ilpo Järvinen" <ilpo.jarvinen@linux.intel.com>
To: Muralidhara M K <muralidhara.mk@amd.com>
Cc: platform-driver-x86@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 4/4] platform/x86/amd/hsmp: Gate the data plane on a fully initialized socket
Date: Mon, 29 Jun 2026 15:50:33 +0300 (EEST)	[thread overview]
Message-ID: <1ae5a8f4-9585-f520-e2fd-e32872b387f1@linux.intel.com> (raw)
In-Reply-To: <20260629073923.1595696-5-muralidhara.mk@amd.com>

On Mon, 29 Jun 2026, Muralidhara M K wrote:

> hsmp_parse_acpi_table() published sock->dev before hsmp_read_acpi_crs()
> had mapped virt_base_addr.  sock->dev is the readiness gate for the
> lock-free data plane, so on a multi-socket system - where socket 0
> exposes /dev/hsmp before later sockets finish probing - an ioctl aimed
> at a socket still in bring-up could pass the gate and dereference a NULL
> virt_base_addr.
> 
> Publish sock->dev last with smp_store_release() once virt_base_addr, the
> mailbox offsets and the semaphore are initialized, and read it with
> smp_load_acquire() in hsmp_send_message() so a non-NULL dev guarantees
> the rest of the socket state is visible.
> 
> Signed-off-by: Muralidhara M K <muralidhara.mk@amd.com>
> Link: https://lore.kernel.org/platform-driver-x86/20260625123337.886435-5-muralidhara.mk@amd.com/T/#u [1]

What is the purpose of these links? We don't generally link to older 
version of the change unless there's clearly some useful discussion there.

> ---
>  drivers/platform/x86/amd/hsmp/acpi.c | 18 ++++++++++++++++--
>  drivers/platform/x86/amd/hsmp/hsmp.c | 12 ++++++++++++
>  2 files changed, 28 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/platform/x86/amd/hsmp/acpi.c b/drivers/platform/x86/amd/hsmp/acpi.c
> index f7fbba4c6b66..5aec3bded712 100644
> --- a/drivers/platform/x86/amd/hsmp/acpi.c
> +++ b/drivers/platform/x86/amd/hsmp/acpi.c
> @@ -224,7 +224,6 @@ static int hsmp_parse_acpi_table(struct device *dev, u16 sock_ind)
>  	int ret;
>  
>  	sock->sock_ind		= sock_ind;
> -	sock->dev		= dev;
>  	sock->amd_hsmp_rdwr	= amd_hsmp_acpi_rdwr;
>  
>  	sema_init(&sock->hsmp_sem, 1);
> @@ -237,7 +236,22 @@ static int hsmp_parse_acpi_table(struct device *dev, u16 sock_ind)
>  		return ret;
>  
>  	/* Read mailbox offsets from DSD table */
> -	return hsmp_read_acpi_dsd(sock, dev);
> +	ret = hsmp_read_acpi_dsd(sock, dev);
> +	if (ret)
> +		return ret;
> +
> +	/*
> +	 * Publish sock->dev last.  hsmp_send_message() uses it (via
> +	 * smp_load_acquire()) as the readiness gate for the lock-free data
> +	 * plane, so it must become visible only after virt_base_addr, the
> +	 * mailbox offsets and the semaphore are fully initialized.  On a
> +	 * multi-socket system socket 0 exposes /dev/hsmp before later sockets
> +	 * finish probing, so without this an ioctl aimed at a socket still in
> +	 * bring-up could pass the gate and dereference a NULL virt_base_addr.
> +	 */
> +	smp_store_release(&sock->dev, dev);
> +
> +	return 0;
>  }
>  
>  static ssize_t hsmp_metric_tbl_acpi_read(struct file *filp, struct kobject *kobj,
> diff --git a/drivers/platform/x86/amd/hsmp/hsmp.c b/drivers/platform/x86/amd/hsmp/hsmp.c
> index 6a26937fc2b5..0cd4f691db49 100644
> --- a/drivers/platform/x86/amd/hsmp/hsmp.c
> +++ b/drivers/platform/x86/amd/hsmp/hsmp.c
> @@ -223,6 +223,18 @@ int hsmp_send_message(struct hsmp_message *msg)
>  	sock_ind = array_index_nospec(msg->sock_ind, hsmp_pdev.num_sockets);
>  	sock = &hsmp_pdev.sock[sock_ind];
>  
> +	/*
> +	 * A slot exists for every possible socket, but it is only usable once
> +	 * that socket has actually been probed.  Reject messages aimed at a
> +	 * socket that was never brought up or is still in bring-up, so we never
> +	 * operate on a zero-initialized semaphore or an unmapped mailbox.  A
> +	 * non-NULL dev also guarantees virt_base_addr, the mailbox offsets and
> +	 * the semaphore are visible.
> +	 */
> +	/* Pairs with smp_store_release(&sock->dev) in hsmp_parse_acpi_table(). */

Change to:

	/*
	 ...
	 * the semaphore are visible.
	 *
	 * Pairs with smp_store_release(&sock->dev) in hsmp_parse_acpi_table().
	 */
> +	if (!smp_load_acquire(&sock->dev))
> +		return -ENODEV;
> +
>  	ret = down_interruptible(&sock->hsmp_sem);
>  	if (ret < 0)
>  		return ret;
> 

-- 
 i.


      reply	other threads:[~2026-06-29 12:50 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29  7:39 [PATCH 0/4] platform/x86/amd/hsmp: ACPI input hardening and data-plane readiness gating Muralidhara M K
2026-06-29  7:39 ` [PATCH 1/4] platform/x86/amd/hsmp: Validate ACPI UID before parsing socket index Muralidhara M K
2026-06-29  7:39 ` [PATCH 2/4] platform/x86/amd/hsmp: Validate _DSD mailbox sub-package element count Muralidhara M K
2026-06-29  7:39 ` [PATCH 3/4] platform/x86/amd/hsmp: Pass struct device explicitly to ACPI mailbox parsers Muralidhara M K
2026-06-29 12:46   ` Ilpo Järvinen
2026-06-29 14:07     ` M K, Muralidhara
2026-06-29 14:52       ` Ilpo Järvinen
2026-06-29  7:39 ` [PATCH 4/4] platform/x86/amd/hsmp: Gate the data plane on a fully initialized socket Muralidhara M K
2026-06-29 12:50   ` Ilpo Järvinen [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1ae5a8f4-9585-f520-e2fd-e32872b387f1@linux.intel.com \
    --to=ilpo.jarvinen@linux.intel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=muralidhara.mk@amd.com \
    --cc=platform-driver-x86@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.