From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH v2] x86/cpuidle: prevent out of bounds array
	access
Date: Fri, 22 May 2015 15:01:30 +0100
Message-ID: <555F36BA.6000608@citrix.com>
References: <1432201161-17982-1-git-send-email-huaitong.han@intel.com>
	<555F2104.10700@citrix.com>
	<555F41C1020000780007D4AD@mail.emea.novell.com>
	<555F279C.9040905@citrix.com>
	<555F5177020000780007D510@mail.emea.novell.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <555F5177020000780007D510@mail.emea.novell.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Jan Beulich <JBeulich@suse.com>, xen-devel@lists.xen.org
Cc: Huaitong Han <huaitong.han@intel.com>
List-Id: xen-devel@lists.xenproject.org

On 22/05/15 14:55, Jan Beulich wrote:
> ... resulting from fbeef5570c ("x86/cpuidle: get accurate C0 value with
> xenpm tool"). For consistency also no longer account an unknown state
> to C0 in pmstat_get_cx_stat().
>
> Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

Looks plausible.  Reviewed-by: Andrew Cooper <andrew.cooper3@citirx.com>

>
> --- a/xen/arch/x86/acpi/cpu_idle.c
> +++ b/xen/arch/x86/acpi/cpu_idle.c
> @@ -279,7 +279,7 @@ static void print_acpi_power(
>      uint64_t usage[ACPI_PROCESSOR_MAX_POWER] = { 0 };
>      uint64_t res_tick[ACPI_PROCESSOR_MAX_POWER] = { 0 };
>      unsigned int i;
> -    u8 last_state_idx;
> +    signed int last_state_idx;
>  
>      printk("==cpu%d==\n", cpu);
>      last_state_idx = power->last_state ? power->last_state->idx : -1;
> @@ -298,8 +298,12 @@ static void print_acpi_power(
>      last_state_update_tick = power->last_state_update_tick;
>      spin_unlock_irq(&power->stat_lock);
>  
> -    res_tick[last_state_idx] += ticks_elapsed(last_state_update_tick, current_tick);
> -    usage[last_state_idx]++;
> +    if ( last_state_idx >= 0 )
> +    {
> +        res_tick[last_state_idx] += ticks_elapsed(last_state_update_tick,
> +                                                  current_tick);
> +        usage[last_state_idx]++;
> +    }
>  
>      for ( i = 1; i < power->count; i++ )
>      {
> @@ -1233,6 +1237,7 @@ int pmstat_get_cx_stat(uint32_t
>      else
>      {
>          struct hw_residencies hw_res;
> +        signed int last_state_idx;
>  
>          stat->nr = power->count;
>  
> @@ -1245,11 +1250,18 @@ int pmstat_get_cx_stat(uint32_t
>              res[i] = power->states[i].time;
>          }
>          last_state_update_tick = power->last_state_update_tick;
> -        stat->last = power->last_state ? power->last_state->idx : 0;
> +        last_state_idx = power->last_state ? power->last_state->idx : -1;
>          spin_unlock_irq(&power->stat_lock);
>
> -        usage[stat->last]++;
> -        res[stat->last] += ticks_elapsed(last_state_update_tick, current_tick);
> +        if ( last_state_idx >= 0 )
> +        {
> +            usage[last_state_idx]++;
> +            res[last_state_idx] += ticks_elapsed(last_state_update_tick,
> +                                                 current_tick);
> +            stat->last = last_state_idx;
> +        }
> +        else
> +            stat->last = 0;
>  
>          for ( i = 1; i < nr; i++ )
>          {
>
>
>