xen/acpi: off by one in read_acpi_id()
authorDan Carpenter <dan.carpenter@oracle.com>
Thu, 29 Mar 2018 09:01:53 +0000 (12:01 +0300)
committerBoris Ostrovsky <boris.ostrovsky@oracle.com>
Fri, 30 Mar 2018 15:30:13 +0000 (11:30 -0400)
If acpi_id is == nr_acpi_bits, then we access one element beyond the end
of the acpi_psd[] array or we set one bit beyond the end of the bit map
when we do __set_bit(acpi_id, acpi_id_present);

Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
drivers/xen/xen-acpi-processor.c

index c80195e8fbd11d0d544c924fcf649cbcd9c5b775..b29f4e40851f0cab2894450e61352285fd28b9f4 100644 (file)
@@ -364,9 +364,9 @@ read_acpi_id(acpi_handle handle, u32 lvl, void *context, void **rv)
        }
        /* There are more ACPI Processor objects than in x2APIC or MADT.
         * This can happen with incorrect ACPI SSDT declerations. */
-       if (acpi_id > nr_acpi_bits) {
-               pr_debug("We only have %u, trying to set %u\n",
-                        nr_acpi_bits, acpi_id);
+       if (acpi_id >= nr_acpi_bits) {
+               pr_debug("max acpi id %u, trying to set %u\n",
+                        nr_acpi_bits - 1, acpi_id);
                return AE_OK;
        }
        /* OK, There is a ACPI Processor object */