From: Alejandro Vallejo <alejandro.garciavallejo@amd.com>
To: Jan Beulich <jbeulich@suse.com>,
Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Anthony PERARD <anthony.perard@vates.tech>,
Grygorii Strashko <grygorii_strashko@epam.com>,
<xen-devel@lists.xenproject.org>
Subject: Re: [PATCH v2 1/2] libacpi: Prevent CPU hotplug AML from corrupting memory
Date: Thu, 11 Sep 2025 17:16:23 +0200 [thread overview]
Message-ID: <DCQ2JJMEV44G.3XPYX0Q2RLID@amd.com> (raw)
In-Reply-To: <b77e3087-8f58-48fb-8370-0d71ed47811c@suse.com>
On Thu Sep 11, 2025 at 5:04 PM CEST, Jan Beulich wrote:
> On 11.09.2025 14:03, Andrew Cooper wrote:
>> On 11/09/2025 12:53 pm, Alejandro Vallejo wrote:
>>> CPU hotplug relies on the online CPU bitmap being provided on PIO 0xaf00
>>> by the device model. The GPE handler checks this and compares it against
>>> the "online" flag on each MADT LAPIC entry, setting the flag to its
>>> related bit in the bitmap and adjusting the table's checksum.
>>>
>>> The bytecode doesn't, however, stop at NCPUS. It keeps comparing until it
>>> reaches 128, even if that overflows the MADT into some other (hopefully
>>> mapped) memory. The reading isn't as problematic as the writing though.
>>>
>>> If an "entry" outside the MADT is deemed to disagree with the CPU bitmap
>>> then the bit where the "online" flag would be is flipped, thus
>>> corrupting that memory. And the MADT checksum gets adjusted for a flip
>>> that happened outside its range. It's all terrible.
>>>
>>> Note that this corruption happens regardless of the device-model being
>>> present or not, because even if the bitmap holds 0s, the overflowed
>>> memory might not at the bits corresponding to the "online" flag.
>>>
>>> This patch adjusts the DSDT so entries >=NCPUS are skipped.
>>>
>>> Fixes: c70ad37a1f7c("HVM vcpu add/remove: setup dsdt infrastructure...")
>>> Reported-by: Grygorii Strashko <grygorii_strashko@epam.com>
>>> Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@amd.com>
>>> ---
>>> Half RFC. Not thoroughly untested. Pipeline is green, but none of this is tested
>>> there.
>>>
>>> v2:
>>> * New patch with the general fix for HVM too. Turns out the correction
>>> logic was buggy after all.
>>
>> Hmm, this does sound rather more serious. I have a nagging feeling that
>> until recently we always wrote 128 MADT entries.
>
> Not exactly recently, but looks like that's my fault then: 0875433389240
> ("hvmloader: limit CPUs exposed to guests").
>
> Jan
Very right. I got to that commit, but thought nr_processor_objects would match
NCPUS. Wrong assumption.
That sorts out wich fixes tag to attribute this to.
Cheers,
Alejandro
next prev parent reply other threads:[~2025-09-11 15:16 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-11 11:53 [PATCH 0/2] libacpi: Fix memory corruption on ACPI CPU hotplug Alejandro Vallejo
2025-09-11 11:53 ` [PATCH v2 1/2] libacpi: Prevent CPU hotplug AML from corrupting memory Alejandro Vallejo
2025-09-11 12:03 ` Andrew Cooper
2025-09-11 12:35 ` Alejandro Vallejo
2025-09-11 13:29 ` Andrew Cooper
2025-09-11 15:04 ` Jan Beulich
2025-09-11 15:16 ` Alejandro Vallejo [this message]
2025-09-11 14:52 ` Jan Beulich
2025-09-11 15:32 ` Alejandro Vallejo
2025-09-11 15:42 ` Jan Beulich
2025-09-11 11:53 ` [PATCH v2 2/2] libacpi: Remove CPU hotplug and GPE handling from PVH DSDTs Alejandro Vallejo
2025-09-11 15:07 ` Jan Beulich
2025-09-11 15:36 ` Alejandro Vallejo
2025-09-11 15:43 ` Jan Beulich
-- strict thread matches above, loose matches on Subject: below --
2025-09-11 16:23 [PATCH v2 0/2] libacpi: Fix memory corruption on ACPI CPU hotplug Alejandro Vallejo
2025-09-11 16:23 ` [PATCH v2 1/2] libacpi: Prevent CPU hotplug AML from corrupting memory Alejandro Vallejo
2025-09-12 6:40 ` Jan Beulich
2025-09-12 9:32 ` Alejandro Vallejo
2025-09-12 12:19 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DCQ2JJMEV44G.3XPYX0Q2RLID@amd.com \
--to=alejandro.garciavallejo@amd.com \
--cc=andrew.cooper3@citrix.com \
--cc=anthony.perard@vates.tech \
--cc=grygorii_strashko@epam.com \
--cc=jbeulich@suse.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.