public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ashish Kalra <ashish.kalra@amd.com>,
	"Rafael J . Wysocki" <rafael.j.wysocki@intel.com>,
	Sasha Levin <sashal@kernel.org>,
	rafael@kernel.org, robert.moore@intel.com,
	xueshuai@linux.alibaba.com, tony.luck@intel.com,
	dave.hansen@linux.intel.com, linux-acpi@vger.kernel.org,
	devel@acpica.org
Subject: [PATCH AUTOSEL 6.0 21/34] ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init()
Date: Tue,  1 Nov 2022 07:27:13 -0400
Message-ID: <20221101112726.799368-21-sashal@kernel.org>
In-Reply-To: <20221101112726.799368-1-sashal@kernel.org>

From: Ashish Kalra <ashish.kalra@amd.com>

[ Upstream commit 43d2748394c3feb86c0c771466f5847e274fc043 ]

Change num_ghes from int to unsigned int, preventing an overflow
and causing subsequent vmalloc() to fail.

The overflow happens in ghes_estatus_pool_init() when calculating
len during execution of the statement below as both multiplication
operands here are signed int:

len += (num_ghes * GHES_ESOURCE_PREALLOC_MAX_SIZE);

The following call trace is observed because of this bug:

[    9.317108] swapper/0: vmalloc error: size 18446744071562596352, exceeds total pages, mode:0xcc0(GFP_KERNEL), nodemask=(null),cpuset=/,mems_allowed=0-1
[    9.317131] Call Trace:
[    9.317134]  <TASK>
[    9.317137]  dump_stack_lvl+0x49/0x5f
[    9.317145]  dump_stack+0x10/0x12
[    9.317146]  warn_alloc.cold+0x7b/0xdf
[    9.317150]  ? __device_attach+0x16a/0x1b0
[    9.317155]  __vmalloc_node_range+0x702/0x740
[    9.317160]  ? device_add+0x17f/0x920
[    9.317164]  ? dev_set_name+0x53/0x70
[    9.317166]  ? platform_device_add+0xf9/0x240
[    9.317168]  __vmalloc_node+0x49/0x50
[    9.317170]  ? ghes_estatus_pool_init+0x43/0xa0
[    9.317176]  vmalloc+0x21/0x30
[    9.317177]  ghes_estatus_pool_init+0x43/0xa0
[    9.317179]  acpi_hest_init+0x129/0x19c
[    9.317185]  acpi_init+0x434/0x4a4
[    9.317188]  ? acpi_sleep_proc_init+0x2a/0x2a
[    9.317190]  do_one_initcall+0x48/0x200
[    9.317195]  kernel_init_freeable+0x221/0x284
[    9.317200]  ? rest_init+0xe0/0xe0
[    9.317204]  kernel_init+0x1a/0x130
[    9.317205]  ret_from_fork+0x22/0x30
[    9.317208]  </TASK>

Signed-off-by: Ashish Kalra <ashish.kalra@amd.com>
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/apei/ghes.c | 2 +-
 include/acpi/ghes.h      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index 80ad530583c9..9952f3a792ba 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -163,7 +163,7 @@ static void ghes_unmap(void __iomem *vaddr, enum fixed_addresses fixmap_idx)
 	clear_fixmap(fixmap_idx);
 }
 
-int ghes_estatus_pool_init(int num_ghes)
+int ghes_estatus_pool_init(unsigned int num_ghes)
 {
 	unsigned long addr, len;
 	int rc;
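
Review bot: In the ghes_estatus_pool_init() definition, making num_ghes an unsigned int does not widen the multiplication: the product in `len += (num_ghes * GHES_ESOURCE_PREALLOC_MAX_SIZE);` (quoted in the changelog) is still computed at 32-bit width before it is added to the `unsigned long addr, len;` declared just below the signature. That removes the sign extension behind the 18446744071562596352-byte request in the trace, but a large enough count can still wrap modulo 2^32 and silently produce a pool that is too small. Consider widening one operand, e.g. `(unsigned long)num_ghes * GHES_ESOURCE_PREALLOC_MAX_SIZE`, or using check_mul_overflow() and returning an error.
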
diff --git a/include/acpi/ghes.h b/include/acpi/ghes.h
index 34fb3431a8f3..292a5c40bd0c 100644
--- a/include/acpi/ghes.h
+++ b/include/acpi/ghes.h
@@ -71,7 +71,7 @@ int ghes_register_vendor_record_notifier(struct notifier_block *nb);
 void ghes_unregister_vendor_record_notifier(struct notifier_block *nb);
 #endif
 
-int ghes_estatus_pool_init(int num_ghes);
+int ghes_estatus_pool_init(unsigned int num_ghes);
 
 /* From drivers/edac/ghes_edac.c */
 
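Review bot: The prototype change in include/acpi/ghes.h is not matched by any call-site change: the diffstat covers only ghes.c and ghes.h, while the trace shows acpi_hest_init() as the caller. If that caller keeps its count in a signed int, the conversion now happens implicitly at the call, and a negative count would arrive as a very large unsigned value. Worth confirming the type of the caller's counter, or changing it to unsigned int in the same patch.
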
-- 
2.35.1
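
The sign extension described in the changelog, and what the type change does and does not cover, as an added example (not code from the patch or the kernel). `PREALLOC_MAX_SIZE` is an assumed value standing in for `GHES_ESOURCE_PREALLOC_MAX_SIZE`, the counts are constructed, and `__builtin_mul_overflow` is the GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value: the page names GHES_ESOURCE_PREALLOC_MAX_SIZE but not its size. */
#define PREALLOC_MAX_SIZE 65536

/* Before the fix: int * int, then added to an unsigned long.
 * Signed overflow is undefined in ISO C, so the wrapped 32-bit
 * result is emulated explicitly instead of being relied on. */
static uint64_t len_signed(int num_ghes)
{
    uint32_t wrapped = (uint32_t)num_ghes * (uint32_t)PREALLOC_MAX_SIZE;
    /* Reinterpret the 32-bit pattern as a signed int result. */
    int64_t product = (wrapped & 0x80000000u)
                          ? (int64_t)wrapped - 4294967296LL
                          : (int64_t)wrapped;
    return (uint64_t)product; /* sign extension into the 64-bit length */
}

/* After the fix: unsigned int * int is evaluated as unsigned int,
 * so the product is zero-extended but still wraps modulo 2^32. */
static uint64_t len_unsigned(unsigned int num_ghes)
{
    uint64_t len = 0;
    len += num_ghes * PREALLOC_MAX_SIZE;
    return len;
}

/* Checked variant: refuse a count whose product does not fit in 32 bits. */
static bool len_checked(unsigned int num_ghes, uint64_t *len)
{
    unsigned int product;
    if (__builtin_mul_overflow(num_ghes, PREALLOC_MAX_SIZE, &product))
        return false;
    *len = product;
    return true;
}

int main(void)
{
    uint64_t len = 0;
    printf("signed,   32768 sources: %llu\n", (unsigned long long)len_signed(32768));
    printf("unsigned, 32768 sources: %llu\n", (unsigned long long)len_unsigned(32768));
    printf("unsigned, 65536 sources: %llu\n", (unsigned long long)len_unsigned(65536));
    printf("checked,  65536 sources: %s\n", len_checked(65536, &len) ? "ok" : "rejected");
    return 0;
}
```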

