From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Nicholas Piggin, Michael Ellerman, Sasha Levin
Subject: [PATCH 4.14 167/183] powerpc/powernv: IMC fix out of bounds memory access at shutdown
Date: Wed, 25 Apr 2018 12:36:27 +0200
Message-Id: <20180425103249.233448123@linuxfoundation.org>
In-Reply-To: <20180425103242.532713678@linuxfoundation.org>
References: <20180425103242.532713678@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Nicholas Piggin

[ Upstream commit e7bde88cdb4f0e432398a7d29ca2a15d2c18952a ]

The OPAL IMC driver's shutdown handler disables nest PMU counters by
walking nodes and taking the first CPU out of their cpumask, which is
used to index into the paca (get_hard_smp_processor_id()). This does
not always do the right thing, and in particular for CPU-less nodes it
returns NR_CPUS and that overruns the paca and dereferences random
memory.

Fix it by being more careful about checking returned CPU, and only
using online CPUs. It's not clear this shutdown code makes sense after
commit 885dcd709b ("powerpc/perf: Add nest IMC PMU support"), but this
should not make things worse.

Currently the bug causes us to call OPAL with a junk CPU number. A
separate patch in development to change the way pacas are allocated
escalates this bug into a crash:

  Unable to handle kernel paging request for data at address 0x2a21af1eeb000076
  Faulting instruction address: 0xc0000000000a5468
  Oops: Kernel access of bad area, sig: 11 [#1]
  ...
  NIP opal_imc_counters_shutdown+0x148/0x1d0
  LR opal_imc_counters_shutdown+0x134/0x1d0
  Call Trace:
   opal_imc_counters_shutdown+0x134/0x1d0 (unreliable)
   platform_drv_shutdown+0x44/0x60
   device_shutdown+0x1f8/0x350
   kernel_restart_prepare+0x54/0x70
   kernel_restart+0x28/0xc0
   SyS_reboot+0x1d0/0x2c0
   system_call+0x58/0x6c

Signed-off-by: Nicholas Piggin
Signed-off-by: Michael Ellerman
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 arch/powerpc/platforms/powernv/opal-imc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/powerpc/platforms/powernv/opal-imc.c +++ b/arch/powerpc/platforms/powernv/opal-imc.c
@@ -126,9 +126,11 @@ static void disable_nest_pmu_counters(vo const struct cpumask *l_cpumask; get_online_cpus(); - for_each_online_node(nid) { + for_each_node_with_cpus(nid) { l_cpumask = cpumask_of_node(nid); - cpu = cpumask_first(l_cpumask); + cpu = cpumask_first_and(l_cpumask, cpu_online_mask); + if (cpu >= nr_cpu_ids) + continue; opal_imc_counters_stop(OPAL_IMC_COUNTERS_NEST, get_hard_smp_processor_id(cpu)); }
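
Review bot: The new "if (cpu >= nr_cpu_ids) continue;" check in disable_nest_pmu_counters() is the only thing keeping an out-of-range value away from get_hard_smp_processor_id(), yet it has no comment, and it silently skips opal_imc_counters_stop() for any node whose CPUs are all offline. A one-line comment above the check would help, stating that cpumask_first_and() yields a value >= nr_cpu_ids when l_cpumask and cpu_online_mask do not intersect and that leaving such a node's nest counters untouched is intended. Comparing against nr_cpu_ids rather than the NR_CPUS value named in the commit message is the right bound, since nr_cpu_ids never exceeds NR_CPUS. With this check in place, the switch to for_each_node_with_cpus() is a second layer, not the guard itself; saying so in the comment would stop a later cleanup from dropping the bounds check as redundant.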