From: Petr Vandrovec <petr@vmware.com>
To: lenb@kernel.org
Cc: linux-kernel@vger.kernel.org, linux-acpi@vger.kernel.org,
	akataria@vmware.com, dcovelli@vmware.com
Subject: [PATCH 3.3.0-rc3] Fix use-after-free in acpi_map_lsapic
Date: Wed, 15 Feb 2012 16:06:43 -0800
Message-ID: <20120216000643.GA7508@petr-dev3.eng.vmware.com>

From: Petr Vandrovec <petr@vmware.com>

When a processor is being hot-added to the system, acpi_map_lsapic invokes
the ACPI _MAT method to find the APIC ID and flags, verifies that the returned
structure is indeed ACPI's local APIC structure, and that the flags contain the
MADT_ENABLED bit.  It then saves the APIC ID, frees the structure - and accesses
the structure when computing arguments for the acpi_register_lapic call.  This
sometimes leads to the acpi_register_lapic call being made with the second
argument zero, failing to bring the processor online with the error 'Unable to
map lapic to logical cpu number'.

As lapic->lapic_flags & ACPI_MADT_ENABLED was already confirmed to be non-zero
a few lines above, we can just pass an unconditional ACPI_MADT_ENABLED to
acpi_register_lapic.

Thanks, Petr

Signed-off-by: Petr Vandrovec <petr@vmware.com>
Signed-off-by: Alok Kataria <akataria@vmware.com>


diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
index ce664f3..a4a0901 100644
--- a/arch/x86/kernel/acpi/boot.c
+++ b/arch/x86/kernel/acpi/boot.c
@@ -650,7 +650,7 @@ static int __cpuinit _acpi_map_lsapic(acpi_handle handle, int *pcpu)
 		goto free_tmp_map;
 
 	cpumask_copy(tmp_map, cpu_present_mask);
-	acpi_register_lapic(physid, lapic->lapic_flags & ACPI_MADT_ENABLED);
+	acpi_register_lapic(physid, ACPI_MADT_ENABLED);
 
 	/*
 	 * If mp_register_lapic successfully generates a new logical cpu
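
Review bot: the constant now passed at the acpi_register_lapic(physid, ACPI_MADT_ENABLED) line is only correct because of the ACPI_MADT_ENABLED check that the commit message says sits a few lines above, outside this hunk, and nothing at the call site records that dependency or that lapic has already been freed by this point. A one-line comment above the call saying so would keep a later edit from reintroducing a lapic-> dereference here or from moving the call ahead of the check. An alternative that keeps the call self-documenting is to save the flags into a local at the same place physid is saved, before the buffer is freed, and pass that local. Separately, the context comment below the call still refers to mp_register_lapic while the call is acpi_register_lapic; worth aligning while this line is being touched.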
