Commit 09946bc8 authored by Dan Carpenter, committed by Khalid Elmously

xen/acpi: off by one in read_acpi_id()

BugLink: https://bugs.launchpad.net/bugs/1775771

[ Upstream commit c37a3c94 ]

If acpi_id is == nr_acpi_bits, then we access one element beyond the end
of the acpi_psd[] array or we set one bit beyond the end of the bit map
when we do __set_bit(acpi_id, acpi_id_present);

Fixes: 59a56802 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
parent b11f4eff
...@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl, void *context, void **rv) ...@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl, void *context, void **rv)
} }
/* There are more ACPI Processor objects than in x2APIC or MADT. /* There are more ACPI Processor objects than in x2APIC or MADT.
* This can happen with incorrect ACPI SSDT declerations. */ * This can happen with incorrect ACPI SSDT declerations. */
if (acpi_id > nr_acpi_bits) { if (acpi_id >= nr_acpi_bits) {
pr_debug("We only have %u, trying to set %u\n", pr_debug("max acpi id %u, trying to set %u\n",
nr_acpi_bits, acpi_id); nr_acpi_bits - 1, acpi_id);
return AE_OK; return AE_OK;
} }
/* OK, There is a ACPI Processor object */ /* OK, There is a ACPI Processor object */
......
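Review bot: The new pr_debug() arguments print `nr_acpi_bits - 1` with %u, so if nr_acpi_bits can be 0 on this path the log line would report a wrapped value as the "max acpi id" instead of saying that no ids are valid. The `>=` bound itself matches the commit message: acpi_id == nr_acpi_bits is one past the last valid index for both acpi_psd[] and the acpi_id_present bitmap. Consider either printing the count unchanged (for example "have %u acpi ids, trying to set %u" with nr_acpi_bits) or noting in the comment that nr_acpi_bits is non-zero by the time read_acpi_id() runs. As a minor style point, the unchanged comment above the check spells "declerations", which could be corrected to "declarations" while this block is being touched.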