From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Shiju Jose <shiju.jose@huawei.com>,
	Bjorn Helgaas <helgaas@kernel.org>,
	Bjorn Helgaas <bhelgaas@google.com>,
	"Rafael J . Wysocki" <rafael.j.wysocki@intel.com>,
	Sasha Levin <sashal@kernel.org>,
	rafael@kernel.org, mahesh@linux.ibm.com, robert.moore@intel.com,
	pabeni@redhat.com, leoyang.li@nxp.com, tony.luck@intel.com,
	rostedt@goodmis.org, linmiaohe@huawei.com,
	linux-acpi@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
	linux-pci@vger.kernel.org,
	acpica-devel@lists.linuxfoundation.org
Subject: [PATCH AUTOSEL 6.5 11/30] ACPI: APEI: Fix AER info corruption when error status data has multiple sections
Date: Tue,  7 Nov 2023 07:08:26 -0500	[thread overview]
Message-ID: <20231107120922.3757126-11-sashal@kernel.org> (raw)
In-Reply-To: <20231107120922.3757126-1-sashal@kernel.org>

From: Shiju Jose <shiju.jose@huawei.com>

[ Upstream commit e2abc47a5a1a9f641e7cacdca643fdd40729bf6e ]

ghes_handle_aer() passes AER data to the PCI core for logging and
recovery by calling aer_recover_queue() with a pointer to struct
aer_capability_regs.

The problem was that aer_recover_queue() queues the pointer directly
without copying the aer_capability_regs data.  The pointer was to
the ghes->estatus buffer, which could be reused before
aer_recover_work_func() reads the data.

To avoid this problem, allocate a new aer_capability_regs structure
from the ghes_estatus_pool, copy the AER data from the ghes->estatus
buffer into it, pass a pointer to the new struct to
aer_recover_queue(), and free it after aer_recover_work_func() has
processed it.

Reported-by: Bjorn Helgaas <helgaas@kernel.org>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Shiju Jose <shiju.jose@huawei.com>
[ rjw: Subject edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/apei/ghes.c | 23 ++++++++++++++++++++++-
 drivers/pci/pcie/aer.c   | 10 ++++++++++
 include/acpi/ghes.h      |  4 ++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index ef59d6ea16da0..63ad0541db381 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -209,6 +209,20 @@ int ghes_estatus_pool_init(unsigned int num_ghes)
 	return -ENOMEM;
 }
 
+/**
+ * ghes_estatus_pool_region_free - free previously allocated memory
+ *				   from the ghes_estatus_pool.
+ * @addr: address of memory to free.
+ * @size: size of memory to free.
+ *
+ * Returns none.
+ */
+void ghes_estatus_pool_region_free(unsigned long addr, u32 size)
+{
+	gen_pool_free(ghes_estatus_pool, addr, size);
+}
+EXPORT_SYMBOL_GPL(ghes_estatus_pool_region_free);
+
 static int map_gen_v2(struct ghes *ghes)
 {
 	return apei_map_generic_address(&ghes->generic_v2->read_ack_register);
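Review bot: The kernel-doc for ghes_estatus_pool_region_free() does not state the precondition callers must meet: `addr` and `size` are forwarded unchanged to gen_pool_free(), so they have to match an earlier gen_pool_alloc() from ghes_estatus_pool exactly. Because the helper is exported with EXPORT_SYMBOL_GPL and is meant to be called from another subsystem, I would add a line such as `* @addr and @size must be exactly those of a prior gen_pool_alloc() from ghes_estatus_pool.` As far as I recall, genalloc treats an address that belongs to no chunk as a fatal inconsistency rather than returning an error, so a mismatched caller would not fail gracefully. The `Returns none.` line adds nothing for a void function and could be dropped.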
@@ -564,6 +578,7 @@ static void ghes_handle_aer(struct acpi_hest_generic_data *gdata)
 	    pcie_err->validation_bits & CPER_PCIE_VALID_AER_INFO) {
 		unsigned int devfn;
 		int aer_severity;
+		u8 *aer_info;
 
 		devfn = PCI_DEVFN(pcie_err->device_id.device,
 				  pcie_err->device_id.function);
@@ -577,11 +592,17 @@ static void ghes_handle_aer(struct acpi_hest_generic_data *gdata)
 		if (gdata->flags & CPER_SEC_RESET)
 			aer_severity = AER_FATAL;
 
+		aer_info = (void *)gen_pool_alloc(ghes_estatus_pool,
+						  sizeof(struct aer_capability_regs));
+		if (!aer_info)
+			return;
+		memcpy(aer_info, pcie_err->aer_info, sizeof(struct aer_capability_regs));
+
 		aer_recover_queue(pcie_err->device_id.segment,
 				  pcie_err->device_id.bus,
 				  devfn, aer_severity,
 				  (struct aer_capability_regs *)
-				  pcie_err->aer_info);
+				  aer_info);
 	}
 #endif
 }
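Review bot: When gen_pool_alloc() fails, the new `if (!aer_info) return;` drops the AER record without any trace, including one that the CPER_SEC_RESET check just above has escalated to AER_FATAL. A rate-limited message before the return, for example `pr_warn_ratelimited("GHES: no estatus pool memory for AER info, error not queued\n");` (wording constructed), would let an operator see that logging and recovery were skipped. Ownership of the copy passes to the queue only if aer_recover_queue() actually enqueues it; that function is not shown here, so whether a full ring leaks the region should be checked against its body. Declaring `struct aer_capability_regs *aer_info` instead of `u8 *` would also remove the cast at the call site. ghes_handle_aer() begins outside this hunk.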
diff --git a/drivers/pci/pcie/aer.c b/drivers/pci/pcie/aer.c
index f6c24ded134cd..67025ee2b7454 100644
--- a/drivers/pci/pcie/aer.c
+++ b/drivers/pci/pcie/aer.c
@@ -29,6 +29,7 @@
 #include <linux/kfifo.h>
 #include <linux/slab.h>
 #include <acpi/apei.h>
+#include <acpi/ghes.h>
 #include <ras/ras_event.h>
 
 #include "../pci.h"
@@ -1010,6 +1011,15 @@ static void aer_recover_work_func(struct work_struct *work)
 			continue;
 		}
 		cper_print_aer(pdev, entry.severity, entry.regs);
+		/*
+		 * Memory for aer_capability_regs(entry.regs) is being allocated from the
+		 * ghes_estatus_pool to protect it from overwriting when multiple sections
+		 * are present in the error status. Thus free the same after processing
+		 * the data.
+		 */
+		ghes_estatus_pool_region_free((unsigned long)entry.regs,
+					      sizeof(struct aer_capability_regs));
+
 		if (entry.severity == AER_NONFATAL)
 			pcie_do_recovery(pdev, pci_channel_io_normal,
 					 aer_root_reset);
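Review bot: The new ghes_estatus_pool_region_free() call sits below the `continue;` visible in the context lines above cper_print_aer(), so an entry that takes that branch never returns its aer_capability_regs copy to ghes_estatus_pool. Each such entry permanently shrinks a pool that GHES presumably also needs for its own error status records, which makes later error reports more likely to be dropped. Repeating the call before the `continue;`, `ghes_estatus_pool_region_free((unsigned long)entry.regs, sizeof(struct aer_capability_regs));`, would close the leak. The free is also unconditional, which assumes every producer of entry.regs allocates from this pool; the loop and the branch both start outside the hunk, so confirm against the full function.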
diff --git a/include/acpi/ghes.h b/include/acpi/ghes.h
index 3c8bba9f1114a..be1dd4c1a9174 100644
--- a/include/acpi/ghes.h
+++ b/include/acpi/ghes.h
@@ -73,8 +73,12 @@ int ghes_register_vendor_record_notifier(struct notifier_block *nb);
 void ghes_unregister_vendor_record_notifier(struct notifier_block *nb);
 
 struct list_head *ghes_get_devices(void);
+
+void ghes_estatus_pool_region_free(unsigned long addr, u32 size);
 #else
 static inline struct list_head *ghes_get_devices(void) { return NULL; }
+
+static inline void ghes_estatus_pool_region_free(unsigned long addr, u32 size) { return; }
 #endif
 
 int ghes_estatus_pool_init(unsigned int num_ghes);
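Review bot: The no-op stub `static inline void ghes_estatus_pool_region_free(unsigned long addr, u32 size) { return; }` carries a redundant `return;`; the usual form for an empty void stub is `{ }`. Neither the prototype nor the stub says that the region must have been allocated from ghes_estatus_pool, which is the one thing a caller in another subsystem needs to know; a one-line `/* Free a region previously allocated from ghes_estatus_pool */` above the prototype would cover it. The `#ifdef` that this `#else` belongs to is outside the hunk.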
-- 
2.42.0


WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
	linmiaohe@huawei.com, tony.luck@intel.com, rafael@kernel.org,
	linux-pci@vger.kernel.org, leoyang.li@nxp.com,
	"Rafael J . Wysocki" <rafael.j.wysocki@intel.com>,
	mahesh@linux.ibm.com, rostedt@goodmis.org,
	robert.moore@intel.com, linux-acpi@vger.kernel.org,
	Bjorn Helgaas <helgaas@kernel.org>,
	Bjorn Helgaas <bhelgaas@google.com>,
	acpica-devel@lists.linuxfoundation.org, pabeni@redhat.com,
	linuxppc-dev@lists.ozlabs.org, Shiju Jose <shiju.jose@huawei.com>
Subject: [PATCH AUTOSEL 6.5 11/30] ACPI: APEI: Fix AER info corruption when error status data has multiple sections
Date: Tue,  7 Nov 2023 07:08:26 -0500	[thread overview]
Message-ID: <20231107120922.3757126-11-sashal@kernel.org> (raw)
In-Reply-To: <20231107120922.3757126-1-sashal@kernel.org>

From: Shiju Jose <shiju.jose@huawei.com>

[ Upstream commit e2abc47a5a1a9f641e7cacdca643fdd40729bf6e ]

ghes_handle_aer() passes AER data to the PCI core for logging and
recovery by calling aer_recover_queue() with a pointer to struct
aer_capability_regs.

The problem was that aer_recover_queue() queues the pointer directly
without copying the aer_capability_regs data.  The pointer was to
the ghes->estatus buffer, which could be reused before
aer_recover_work_func() reads the data.

To avoid this problem, allocate a new aer_capability_regs structure
from the ghes_estatus_pool, copy the AER data from the ghes->estatus
buffer into it, pass a pointer to the new struct to
aer_recover_queue(), and free it after aer_recover_work_func() has
processed it.

Reported-by: Bjorn Helgaas <helgaas@kernel.org>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Shiju Jose <shiju.jose@huawei.com>
[ rjw: Subject edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/apei/ghes.c | 23 ++++++++++++++++++++++-
 drivers/pci/pcie/aer.c   | 10 ++++++++++
 include/acpi/ghes.h      |  4 ++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index ef59d6ea16da0..63ad0541db381 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -209,6 +209,20 @@ int ghes_estatus_pool_init(unsigned int num_ghes)
 	return -ENOMEM;
 }
 
+/**
+ * ghes_estatus_pool_region_free - free previously allocated memory
+ *				   from the ghes_estatus_pool.
+ * @addr: address of memory to free.
+ * @size: size of memory to free.
+ *
+ * Returns none.
+ */
+void ghes_estatus_pool_region_free(unsigned long addr, u32 size)
+{
+	gen_pool_free(ghes_estatus_pool, addr, size);
+}
+EXPORT_SYMBOL_GPL(ghes_estatus_pool_region_free);
+
 static int map_gen_v2(struct ghes *ghes)
 {
 	return apei_map_generic_address(&ghes->generic_v2->read_ack_register);
@@ -564,6 +578,7 @@ static void ghes_handle_aer(struct acpi_hest_generic_data *gdata)
 	    pcie_err->validation_bits & CPER_PCIE_VALID_AER_INFO) {
 		unsigned int devfn;
 		int aer_severity;
+		u8 *aer_info;
 
 		devfn = PCI_DEVFN(pcie_err->device_id.device,
 				  pcie_err->device_id.function);
@@ -577,11 +592,17 @@ static void ghes_handle_aer(struct acpi_hest_generic_data *gdata)
 		if (gdata->flags & CPER_SEC_RESET)
 			aer_severity = AER_FATAL;
 
+		aer_info = (void *)gen_pool_alloc(ghes_estatus_pool,
+						  sizeof(struct aer_capability_regs));
+		if (!aer_info)
+			return;
+		memcpy(aer_info, pcie_err->aer_info, sizeof(struct aer_capability_regs));
+
 		aer_recover_queue(pcie_err->device_id.segment,
 				  pcie_err->device_id.bus,
 				  devfn, aer_severity,
 				  (struct aer_capability_regs *)
-				  pcie_err->aer_info);
+				  aer_info);
 	}
 #endif
 }
diff --git a/drivers/pci/pcie/aer.c b/drivers/pci/pcie/aer.c
index f6c24ded134cd..67025ee2b7454 100644
--- a/drivers/pci/pcie/aer.c
+++ b/drivers/pci/pcie/aer.c
@@ -29,6 +29,7 @@
 #include <linux/kfifo.h>
 #include <linux/slab.h>
 #include <acpi/apei.h>
+#include <acpi/ghes.h>
 #include <ras/ras_event.h>
 
 #include "../pci.h"
@@ -1010,6 +1011,15 @@ static void aer_recover_work_func(struct work_struct *work)
 			continue;
 		}
 		cper_print_aer(pdev, entry.severity, entry.regs);
+		/*
+		 * Memory for aer_capability_regs(entry.regs) is being allocated from the
+		 * ghes_estatus_pool to protect it from overwriting when multiple sections
+		 * are present in the error status. Thus free the same after processing
+		 * the data.
+		 */
+		ghes_estatus_pool_region_free((unsigned long)entry.regs,
+					      sizeof(struct aer_capability_regs));
+
 		if (entry.severity == AER_NONFATAL)
 			pcie_do_recovery(pdev, pci_channel_io_normal,
 					 aer_root_reset);
diff --git a/include/acpi/ghes.h b/include/acpi/ghes.h
index 3c8bba9f1114a..be1dd4c1a9174 100644
--- a/include/acpi/ghes.h
+++ b/include/acpi/ghes.h
@@ -73,8 +73,12 @@ int ghes_register_vendor_record_notifier(struct notifier_block *nb);
 void ghes_unregister_vendor_record_notifier(struct notifier_block *nb);
 
 struct list_head *ghes_get_devices(void);
+
+void ghes_estatus_pool_region_free(unsigned long addr, u32 size);
 #else
 static inline struct list_head *ghes_get_devices(void) { return NULL; }
+
+static inline void ghes_estatus_pool_region_free(unsigned long addr, u32 size) { return; }
 #endif
 
 int ghes_estatus_pool_init(unsigned int num_ghes);
-- 
2.42.0

