Message ID | alpine.DEB.2.20.1609231705570.5640@nanos (mailing list archive) |
---|---|
State | Not Applicable, archived |
On Fri, Sep 23, 2016 at 5:08 PM, Thomas Gleixner <tglx@linutronix.de> wrote: > map_processor() checks the cpuid value returned by acpi_map_cpuid() for -1 > but acpi_map_cpuid() returns -EINVAL in case of error. > > As a consequence the error is ignored and the following access into percpu > data with that negative cpuid results in a boot crash. > > This happens always when NR_CPUS/nr_cpu_ids is smaller than the number of > processors listed in the ACPI tables. > > Use a proper error check for id < 0 so the function returns instead of > trying to map CPU#(-EINVAL). > > Reported-by: Ingo Molnar <mingo@kernel.org> > Fixes: dc6db24d2476 ("x86/acpi: Set persistent cpuid <-> nodeid mapping when booting") > Signed-off-by: Thomas Gleixner <tglx@linutronix.de> It looks like the commit in the Fixes tag is in the tip tree now, so the fix should better go in via tip as well IMO. Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> > --- > drivers/acpi/processor_core.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > --- a/drivers/acpi/processor_core.c > +++ b/drivers/acpi/processor_core.c > @@ -284,7 +284,7 @@ EXPORT_SYMBOL_GPL(acpi_get_cpuid); > static bool __init > map_processor(acpi_handle handle, phys_cpuid_t *phys_id, int *cpuid) > { > - int type; > + int type, id; > u32 acpi_id; > acpi_status status; > acpi_object_type acpi_type; > @@ -320,10 +320,11 @@ map_processor(acpi_handle handle, phys_c > type = (acpi_type == ACPI_TYPE_DEVICE) ? 1 : 0; > > *phys_id = __acpi_get_phys_id(handle, type, acpi_id, false); > - *cpuid = acpi_map_cpuid(*phys_id, acpi_id); > - if (*cpuid == -1) > - return false; > + id = acpi_map_cpuid(*phys_id, acpi_id); > > + if (id < 0) > + return false; > + *cpuid = id; > return true; > } > -- To unsubscribe from this list: send the line "unsubscribe linux-acpi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
--- a/drivers/acpi/processor_core.c +++ b/drivers/acpi/processor_core.c @@ -284,7 +284,7 @@ EXPORT_SYMBOL_GPL(acpi_get_cpuid); static bool __init map_processor(acpi_handle handle, phys_cpuid_t *phys_id, int *cpuid) { - int type; + int type, id; u32 acpi_id; acpi_status status; acpi_object_type acpi_type; @@ -320,10 +320,11 @@ map_processor(acpi_handle handle, phys_c type = (acpi_type == ACPI_TYPE_DEVICE) ? 1 : 0; *phys_id = __acpi_get_phys_id(handle, type, acpi_id, false); - *cpuid = acpi_map_cpuid(*phys_id, acpi_id); - if (*cpuid == -1) - return false; + id = acpi_map_cpuid(*phys_id, acpi_id); + if (id < 0) + return false; + *cpuid = id; return true; }
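Review bot: The failure path in the second hunk of map_processor() now leaves `*cpuid` unwritten, because `if (id < 0) return false;` runs before `*cpuid = id;`, whereas the old code stored the return value of acpi_map_cpuid() there before checking it. That is the safer behaviour, but it deserves a short comment above map_processor() stating that `*cpuid` is only valid when the function returns true, so a caller that ignores the return value does not go on to index per-CPU data with an unset variable. Style nit: as quoted in the reply, the unchanged blank line ends up between the acpi_map_cpuid() call and its `if (id < 0)` check; keeping the call and its check adjacent and leaving the blank line before `return true;` would read better.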
map_processor() checks the cpuid value returned by acpi_map_cpuid() for -1
but acpi_map_cpuid() returns -EINVAL in case of error.

As a consequence the error is ignored and the following access into percpu
data with that negative cpuid results in a boot crash.

This happens always when NR_CPUS/nr_cpu_ids is smaller than the number of
processors listed in the ACPI tables.

Use a proper error check for id < 0 so the function returns instead of
trying to map CPU#(-EINVAL).

Reported-by: Ingo Molnar <mingo@kernel.org>
Fixes: dc6db24d2476 ("x86/acpi: Set persistent cpuid <-> nodeid mapping when booting")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
 drivers/acpi/processor_core.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)