From: Bjorn Helgaas <helgaas@kernel.org>
To: Jeremy Linton <jeremy.linton@arm.com>
Cc: Chengwen Feng <fengchengwen@huawei.com>,
Bjorn Helgaas <bhelgaas@google.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
Shuah Khan <skhan@linuxfoundation.org>,
Huacai Chen <chenhuacai@kernel.org>,
WANG Xuerui <kernel@xen0n.name>, Paul Walmsley <pjw@kernel.org>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Alexandre Ghiti <alex@ghiti.fr>,
Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
Juergen Gross <jgross@suse.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Len Brown <lenb@kernel.org>, Sunil V L <sunilvl@ventanamicro.com>,
Mark Rutland <mark.rutland@arm.com>,
Jonathan Cameron <jonathan.cameron@huawei.com>,
Kees Cook <kees@kernel.org>, Yanteng Si <si.yanteng@linux.dev>,
Sean Christopherson <seanjc@google.com>,
Kai Huang <kai.huang@intel.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Thomas Huth <thuth@redhat.com>,
Thorsten Blum <thorsten.blum@linux.dev>,
Kevin Loughlin <kevinloughlin@google.com>,
Zheyun Shen <szy0127@sjtu.edu.cn>,
Peter Zijlstra <peterz@infradead.org>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Xin Li <xin@zytor.com>, "Ahmed S . Darwish" <darwi@linutronix.de>,
Sohil Mehta <sohil.mehta@intel.com>,
Ilkka Koskinen <ilkka@os.amperecomputing.com>,
Robin Murphy <robin.murphy@arm.com>,
James Clark <james.clark@linaro.org>,
Besar Wicaksono <bwicaksono@nvidia.com>,
Ma Ke <make24@iscas.ac.cn>,
Ajit Khaparde <ajit.khaparde@broadcom.com>,
Wei Huang <wei.huang2@amd.com>,
Andy Gospodarek <andrew.gospodarek@broadcom.com>,
Somnath Kotur <somnath.kotur@broadcom.com>,
wangzhou1@hisilicon.com, wanghuiqiang@huawei.com,
liuyonglong@huawei.com, linux-pci@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, loongarch@lists.linux.dev,
linux-riscv@lists.infradead.org, xen-devel@lists.xenproject.org,
linux-acpi@vger.kernel.org, linux-perf-users@vger.kernel.org,
stable@vger.kernel.org,
Wathsala Vithanage <wathsala.vithanage@arm.com>
Subject: Re: [PATCH v5 2/2] PCI/TPH: Fix get cpu steer-tag fail on ARM64 platform
Date: Tue, 10 Mar 2026 17:09:20 -0500 [thread overview]
Message-ID: <20260310220920.GA826995@bhelgaas> (raw)
In-Reply-To: <657142d1-1632-4a3e-8800-ee1dd5763d78@arm.com>
On Tue, Mar 10, 2026 at 10:58:49AM -0500, Jeremy Linton wrote:
> On 3/9/26 10:20 PM, Chengwen Feng wrote:
> > pcie_tph_get_cpu_st() is broken on ARM64:
> > 1. pcie_tph_get_cpu_st() passes cpu_uid to the PCI ACPI DSM method.
> > cpu_uid should be the ACPI Processor UID [1].
> > 2. In BNXT, pcie_tph_get_cpu_st() is passed a cpu_uid obtained via
> > cpumask_first(irq->cpu_mask) - the logical CPU ID of a CPU core,
> > generated and managed by kernel (e.g., [0,255] for a system with 256
> > logical CPU cores).
> > 3. On ARM64 platforms, ACPI assigns Processor UID to cores listed in the
> > MADT table, and this UID may not match the kernel's logical CPU ID.
> > When this occurs, the mismatch results in the wrong CPU steer-tag.
> > 4. On AMD x86 the logical CPU ID is identical to the ACPI Processor UID
> > so the mismatch is not seen.
> > int pcie_tph_get_cpu_st(struct pci_dev *pdev, enum tph_mem_type mem_type,
> > - unsigned int cpu_uid, u16 *tag)
> > + unsigned int cpu, u16 *tag)
> > {
> > #ifdef CONFIG_ACPI
> > + u32 cpu_uid = acpi_get_cpu_acpi_id(cpu);
From AI review (gemini/gemini-3.1-pro-preview):
Does this code need to validate that `cpu` is within bounds before
using it? Before this change, the `cpu_uid` parameter was passed
opaquely to the ACPI firmware via `tph_invoke_dsm()`, which would
gracefully handle invalid values.
Now, `cpu` is treated as a logical CPU index and passed to
`acpi_get_cpu_acpi_id(cpu)`. On architectures like arm64 and riscv,
`acpi_get_cpu_acpi_id()` uses `cpu` directly as an array index
(`&cpu_madt_gicc[cpu]` and `&cpu_madt_rintc[cpu]`). On x86, it uses
`per_cpu(x86_cpu_to_acpiid, cpu)`.
If a caller passes an out-of-bounds `cpu` index (for example, if an
IRQ affinity mask is empty and `cpumask_first()` returns
`nr_cpu_ids`, or if userspace passes an arbitrary ID via
`mlx5_st_alloc_index()`), this will result in an out-of-bounds
memory read.
Consider adding a bounds check:
if (cpu >= nr_cpu_ids)
return -EINVAL;
I agree that this is an issue, and I think implementations of
acpi_get_cpu_acpi_id() should validate their inputs.
I don't know if there's a value that can never be a valid ACPI CPU UID
and could be used as an error value from acpi_get_cpu_acpi_id(). I do
see a few mentions of a ~0 value meaning "all processors" (ACPI r6.6,
sec 5.2.12.13).
next prev parent reply other threads:[~2026-03-10 22:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-10 3:20 [PATCH v5 0/2] Fix get cpu steer-tag fail on ARM64 platform Chengwen Feng
2026-03-10 3:20 ` [PATCH v5 1/2] ACPI: Rename get_acpi_id_for_cpu() to acpi_get_cpu_acpi_id() on non-x86 Chengwen Feng
2026-03-10 17:53 ` Bjorn Helgaas
2026-03-10 22:39 ` Andrew Cooper
2026-03-11 2:57 ` fengchengwen
2026-03-10 3:20 ` [PATCH v5 2/2] PCI/TPH: Fix get cpu steer-tag fail on ARM64 platform Chengwen Feng
2026-03-10 15:58 ` Jeremy Linton
2026-03-10 22:09 ` Bjorn Helgaas [this message]
2026-03-11 3:00 ` fengchengwen
2026-03-11 17:02 ` Bjorn Helgaas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260310220920.GA826995@bhelgaas \
--to=helgaas@kernel.org \
--cc=ajit.khaparde@broadcom.com \
--cc=alex@ghiti.fr \
--cc=andrew.gospodarek@broadcom.com \
--cc=aou@eecs.berkeley.edu \
--cc=bhelgaas@google.com \
--cc=boris.ostrovsky@oracle.com \
--cc=bp@alien8.de \
--cc=bwicaksono@nvidia.com \
--cc=catalin.marinas@arm.com \
--cc=chenhuacai@kernel.org \
--cc=corbet@lwn.net \
--cc=darwi@linutronix.de \
--cc=dave.hansen@linux.intel.com \
--cc=fengchengwen@huawei.com \
--cc=hpa@zytor.com \
--cc=ilkka@os.amperecomputing.com \
--cc=james.clark@linaro.org \
--cc=jeremy.linton@arm.com \
--cc=jgross@suse.com \
--cc=jonathan.cameron@huawei.com \
--cc=kai.huang@intel.com \
--cc=kees@kernel.org \
--cc=kernel@xen0n.name \
--cc=kevinloughlin@google.com \
--cc=lenb@kernel.org \
--cc=linux-acpi@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-perf-users@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=liuyonglong@huawei.com \
--cc=loongarch@lists.linux.dev \
--cc=make24@iscas.ac.cn \
--cc=mark.rutland@arm.com \
--cc=mingo@redhat.com \
--cc=palmer@dabbelt.com \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=rafael@kernel.org \
--cc=robin.murphy@arm.com \
--cc=seanjc@google.com \
--cc=si.yanteng@linux.dev \
--cc=skhan@linuxfoundation.org \
--cc=sohil.mehta@intel.com \
--cc=somnath.kotur@broadcom.com \
--cc=stable@vger.kernel.org \
--cc=sunilvl@ventanamicro.com \
--cc=szy0127@sjtu.edu.cn \
--cc=tglx@kernel.org \
--cc=thomas.lendacky@amd.com \
--cc=thorsten.blum@linux.dev \
--cc=thuth@redhat.com \
--cc=wanghuiqiang@huawei.com \
--cc=wangzhou1@hisilicon.com \
--cc=wathsala.vithanage@arm.com \
--cc=wei.huang2@amd.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xenproject.org \
--cc=xin@zytor.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox