qemu/hmat-acpi-Fix-out-of-bounds-access-due-to-missing-us.patch
Jiabo Feng ae37a72f4c QEMU update to version 6.2.0-98:
- pci-host: designware: Limit value range of iATU viewport register
- hmat acpi: Fix out of bounds access due to missing use of indirection
- migration: Skip only empty block devices
- aspeed/hace: Initialize g_autofree pointer
- hw/net/vmxnet3: Fix guest-triggerable assert()
- qxl: don't assert() if device isn't yet initialized
- Avoid unaligned fetch in ladr_match()
- linux-user: Fix waitid return of siginfo_t and rusage
- hw/net/lan9118: Replace magic '2048' value by MIL_TXFIFO_SIZE definition
- stdvga: fix screen blanking
- virtio-net: drop too short packets early
- ebpf: replace deprecated bpf_program__set_socket_filter
- vhsot-user: only read reply of SET_LOG_BASE from vq 0
- cpu: add Tengyun S5000C cpu support
- hw/virtio: Fix obtain the buffer id from the last descriptor
- hw/core: ensure kernel_end never gets used undefined

Signed-off-by: Jiabo Feng <fengjiabo1@huawei.com>
(cherry picked from commit 1f9e476e96edb07e34e0133a312f478ddab4b6ff)
2024-08-22 14:53:59 +08:00

From a47cccd44f4f97238fc2877bf38fdb5ae72b65a6 Mon Sep 17 00:00:00 2001
From: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
Date: Wed, 14 Aug 2024 19:14:40 -0700
Subject: [PATCH] hmat acpi: Fix out of bounds access due to missing use of
indirection
With a numa set up such as
-numa nodeid=0,cpus=0 \
-numa nodeid=1,memdev=mem \
-numa nodeid=2,cpus=1
and appropriate hmat_lb entries the initiator list is correctly
computed and written to HMAT as 0,2 but then the LB data is accessed
using the node id (here 2), landing outside the entry_list array.
Stash the reverse lookup when writing the initiator list and use
it to get the correct array index.
Fixes: 4586a2cb83 ("hmat acpi: Build System Locality Latency and Bandwidth Information Structure(s)")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240307160326.31570-3-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 74e2845c5f95b0c139c79233ddb65bb17f2dd679)
Signed-off-by: zhujun2 <zhujun2_yewu@cmss.chinamobile.com>
---
hw/acpi/hmat.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
index 6913ebf730..8af753c67b 100644
--- a/hw/acpi/hmat.c
+++ b/hw/acpi/hmat.c
@@ -77,6 +77,7 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
uint32_t *initiator_list)
{
int i, index;
+ uint32_t initiator_to_index[MAX_NODES] = {};
HMAT_LB_Data *lb_data;
uint16_t *entry_list;
uint32_t base;
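Review bot: The zero initializer on `uint32_t initiator_to_index[MAX_NODES] = {};` makes a node id that was never mapped indistinguishable from a real mapping to position 0, so an `lb_data->initiator` that is absent from `initiator_list` would silently resolve to row 0 instead of being caught. Consider filling the array with a sentinel such as UINT32_MAX and checking for it at lookup time, so a mismatch between the LB data and the initiator list fails loudly rather than overwriting another initiator's entries.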
@@ -120,6 +121,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
/* Initiator Proximity Domain List */
for (i = 0; i < num_initiator; i++) {
build_append_int_noprefix(table_data, initiator_list[i], 4);
+ /* Reverse mapping for array possitions */
+ initiator_to_index[initiator_list[i]] = i;
}
/* Target Proximity Domain List */
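Review bot: The store `initiator_to_index[initiator_list[i]] = i;` indexes a MAX_NODES-sized stack array with a value read from `initiator_list`, and nothing in this hunk bounds that value. An `assert(initiator_list[i] < MAX_NODES);` ahead of the store would document the invariant and keep the fix for one out-of-bounds access from depending on an unchecked index of its own. The new comment also has a typo: "possitions" should be "positions".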
@@ -131,7 +134,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Info *hmat_lb,
entry_list = g_malloc0(num_initiator * num_target * sizeof(uint16_t));
for (i = 0; i < hmat_lb->list->len; i++) {
lb_data = &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
- index = lb_data->initiator * num_target + lb_data->target;
+ index = initiator_to_index[lb_data->initiator] * num_target +
+ lb_data->target;
entry_list[index] = (uint16_t)(lb_data->data / hmat_lb->base);
}
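Review bot: The rewritten index computation translates only the initiator; `lb_data->target` is still used directly as the column offset and `lb_data->initiator` is used to index `initiator_to_index` without a range check. Since `entry_list` is allocated as `num_initiator * num_target` entries, it would be worth asserting `lb_data->initiator < MAX_NODES` and `index < num_initiator * num_target` before `entry_list[index] = ...`, or adding a comment stating why target ids are guaranteed to be dense and below `num_target` when initiator ids are not.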
--
2.41.0.windows.1