Re: [PATCH] ACPI/PPTT: fix off-by-one error

public inbox for linux-acpi@vger.kernel.org
 help / color / mirror / Atom feed

From: Jeremy Linton <jeremy.linton@arm.com>
To: "Heyne, Maximilian" <mheyne@amazon.de>
Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>,
	"Rafael J. Wysocki" <rafael@kernel.org>,
	Len Brown <lenb@kernel.org>, Sudeep Holla <sudeep.holla@arm.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	"linux-acpi@vger.kernel.org" <linux-acpi@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ACPI/PPTT: fix off-by-one error
Date: Wed, 7 May 2025 10:25:25 -0500	[thread overview]
Message-ID: <214c2a2d-e0ea-4ec6-9925-05e39319e813@arm.com> (raw)
In-Reply-To: <20250506-draco-taped-15f475cd@mheyne-amazon>

Hi,

On 5/6/25 8:13 AM, Heyne, Maximilian wrote:
> Commit 7ab4f0e37a0f ("ACPI PPTT: Fix coding mistakes in a couple of
> sizeof() calls") corrects the processer entry size but unmasked a longer
> standing bug where the last entry in the structure can get skipped due
> to an off-by-one mistake if the last entry ends exactly at the end of
> the ACPI subtable.
> 
> The error manifests for instance on EC2 Graviton Metal instances with
> 
>    ACPI PPTT: PPTT table found, but unable to locate core 63 (63)
>    [...]
>    ACPI: SPE must be homogeneous
> 
> Fixes: 2bd00bcd73e5 ("ACPI/PPTT: Add Processor Properties Topology Table parsing")
> Cc: stable@vger.kernel.org
> Signed-off-by: Maximilian Heyne <mheyne@amazon.de>
> ---
>   drivers/acpi/pptt.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/acpi/pptt.c b/drivers/acpi/pptt.c
> index f73ce6e13065d..4364da90902e5 100644
> --- a/drivers/acpi/pptt.c
> +++ b/drivers/acpi/pptt.c
> @@ -231,7 +231,7 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr,
>   			     sizeof(struct acpi_table_pptt));
>   	proc_sz = sizeof(struct acpi_pptt_processor);

This isn't really right, it should be struct acpi_subtable_header, then 
once the header is safe, pull the length from it.

But then, really if we are trying to fix the original bug that the table 
could be shorter than the data in it suggests, the struct 
acpi_pptt_processor length plus its resources needs to be checked once 
the subtype is known to be a processor node.

Otherwise the original sizeof * change isn't really fixing anything.




>   
> -	while ((unsigned long)entry + proc_sz < table_end) {
> +	while ((unsigned long)entry + proc_sz <= table_end) {
>   		cpu_node = (struct acpi_pptt_processor *)entry;
>   		if (entry->type == ACPI_PPTT_TYPE_PROCESSOR &&
>   		    cpu_node->parent == node_entry)
> @@ -273,7 +273,7 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he
>   	proc_sz = sizeof(struct acpi_pptt_processor);
>   
>   	/* find the processor structure associated with this cpuid */
> -	while ((unsigned long)entry + proc_sz < table_end) {
> +	while ((unsigned long)entry + proc_sz <= table_end) {
>   		cpu_node = (struct acpi_pptt_processor *)entry;
>   
>   		if (entry->length == 0) {

next prev parent reply	other threads:[~2025-05-07 15:25 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-06 13:13 [PATCH] ACPI/PPTT: fix off-by-one error Heyne, Maximilian
2025-05-06 13:43 ` Sudeep Holla
2025-05-06 20:08   ` Heyne, Maximilian
2025-05-07 11:52     ` Sudeep Holla
2025-05-07 11:56       ` Heyne, Maximilian
2025-05-07 12:30         ` Sudeep Holla
2025-05-07 12:35           ` Rafael J. Wysocki
2025-05-07 12:42           ` Heyne, Maximilian
2025-05-07 12:50             ` Rafael J. Wysocki
2025-05-07 13:01               ` Sudeep Holla
2025-05-07 12:56             ` Sudeep Holla
2025-05-07 14:29               ` Heyne, Maximilian
2025-05-07 15:12                 ` Sudeep Holla
2025-05-06 20:11   ` Jeremy Linton
2025-05-07 11:53     ` Heyne, Maximilian
2025-05-07 11:59       ` Rafael J. Wysocki
2025-05-07 12:17         ` Heyne, Maximilian
2025-05-07 15:25 ` Jeremy Linton [this message]
2025-05-07 15:42   ` Rafael J. Wysocki
2025-05-07 15:51     ` Jeremy Linton
2025-05-07 16:12       ` Rafael J. Wysocki
2025-05-07 16:28         ` Sudeep Holla
2025-05-07 16:31         ` Jeremy Linton
2025-05-07 16:38           ` Jeremy Linton
2025-05-07 16:41             ` Jeremy Linton
2025-05-07 17:01               ` Rafael J. Wysocki
2025-05-07 17:35                 ` Jeremy Linton
2025-05-07 17:59                   ` Jeremy Linton
2025-05-07 15:47   ` Sudeep Holla
2025-05-07 15:52     ` Sudeep Holla

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=214c2a2d-e0ea-4ec6-9925-05e39319e813@arm.com \
    --to=jeremy.linton@arm.com \
    --cc=ardb@kernel.org \
    --cc=catalin.marinas@arm.com \
    --cc=lenb@kernel.org \
    --cc=linux-acpi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mheyne@amazon.de \
    --cc=rafael@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=sudeep.holla@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox