From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from ozlabs.org (bilbo.ozlabs.org [103.22.144.67])
 (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by lists.ozlabs.org (Postfix) with ESMTPS id 3zkggl3kJQzDrTR
 for ; Sun, 18 Feb 2018 19:55:15 +1100 (AEDT)
In-Reply-To: <20180213074511.6210-1-npiggin@gmail.com>
To: Nicholas Piggin, linuxppc-dev@lists.ozlabs.org
From: Michael Ellerman
Cc: Anju T Sudhakar, Hemant Kumar, Nicholas Piggin, Madhavan Srinivasan
Subject: Re: powerpc/powernv: IMC fix out of bounds memory access at shutdown
Message-Id: <3zkggl2ldVz9ryg@ozlabs.org>
Date: Sun, 18 Feb 2018 19:55:15 +1100 (AEDT)
List-Id: Linux on PowerPC Developers Mail List

On Tue, 2018-02-13 at 07:45:11 UTC, Nicholas Piggin wrote:
> The OPAL IMC driver's shutdown handler disables nest PMU counters by
> walking nodes and taking the first CPU out of their cpumask, which is
> used to index into the paca (get_hard_smp_processor_id()). This does
> not always do the right thing, and in particular for CPU-less nodes it
> returns NR_CPUS and that overruns the paca and dereferences random
> memory.
>
> Fix it by being more careful about checking returned CPU, and only
> using online CPUs. It's not clear this shutdown code makes sense
> after commit 885dcd709b ("powerpc/perf: Add nest IMC PMU support"),
> but this should not make things worse
>
> Changing the way pacas are allocated to an array of pointers exposed
> this bug: ...
>
> Cc: Anju T Sudhakar
> Cc: Hemant Kumar
> Cc: Madhavan Srinivasan
> Signed-off-by: Nicholas Piggin

Applied to powerpc fixes, thanks.

https://git.kernel.org/powerpc/c/e7bde88cdb4f0e432398a7d29ca2a1

cheers
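
The bug class described in the quoted commit message, as an added user-space model that is not part of this mail and is not the kernel patch: a "first CPU in mask" helper returns the NR_CPUS sentinel for an empty mask, and the lookup rejects it and considers only online CPUs before indexing an array of per-CPU pointers. `mask_first`, `node_first_hw_cpu`, `paca_ptrs` and all values are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>

#define NR_CPUS 8                       /* constructed value for the model */

struct paca { int hw_cpu_id; };         /* stand-in for a per-CPU paca entry */

static struct paca paca_storage[NR_CPUS];
static struct paca *paca_ptrs[NR_CPUS]; /* array of pointers, one per CPU */

/* Model of a "first set bit" helper: an empty mask yields NR_CPUS,
 * which is a sentinel and not a valid CPU number. */
static unsigned int mask_first(uint32_t mask)
{
    for (unsigned int cpu = 0; cpu < NR_CPUS; cpu++)
        if (mask & (1u << cpu))
            return cpu;
    return NR_CPUS;
}

static void init_pacas(void)
{
    for (int i = 0; i < NR_CPUS; i++) {
        paca_storage[i].hw_cpu_id = 100 + i;   /* constructed hardware ids */
        paca_ptrs[i] = &paca_storage[i];
    }
}

/* Checked lookup: restrict the node's mask to online CPUs and reject the
 * sentinel before it is used as an index. Returns -1 when the node has no
 * usable CPU, so the caller can skip that node. */
static int node_first_hw_cpu(uint32_t node_mask, uint32_t online_mask)
{
    unsigned int cpu = mask_first(node_mask & online_mask);

    if (cpu >= NR_CPUS)
        return -1;   /* without this check: paca_ptrs[NR_CPUS], out of bounds */
    return paca_ptrs[cpu]->hw_cpu_id;
}

int main(void)
{
    init_pacas();
    printf("node with CPUs 2,3 online: %d\n", node_first_hw_cpu(0x0c, 0xff));
    printf("CPU-less node:             %d\n", node_first_hw_cpu(0x00, 0xff));
    printf("node 4,5 with CPU 4 off:   %d\n", node_first_hw_cpu(0x30, 0xef));
    return 0;
}
```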