On 6 April 2016 at 13:49, Shanker Donthineni <shankerd@xxxxxxxxxxxxxx> wrote: > The acpi_pcc_probe() is accessing memory outside of the PCCT table NIT: s/is/could end up > space causing the kernel panic(). Increment the pcct_entry pointer > after parsing 'HW-reduced Communications Subspace' to fix the > problem. This change also enables the parsing of subtable at index 0. > > Signed-off-by: Shanker Donthineni <shankerd@xxxxxxxxxxxxxx> Thanks for catching this. Looks like this slipped through in the PCC doorbell optimization patch. Acked-by: Ashwin Chaugule <ashwin.chaugule@xxxxxxxxxx> > --- > drivers/mailbox/pcc.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c > index 0ddf638..043828d 100644 > --- a/drivers/mailbox/pcc.c > +++ b/drivers/mailbox/pcc.c > @@ -361,8 +361,6 @@ static int __init acpi_pcc_probe(void) > struct acpi_generic_address *db_reg; > struct acpi_pcct_hw_reduced *pcct_ss; > pcc_mbox_channels[i].con_priv = pcct_entry; > - pcct_entry = (struct acpi_subtable_header *) > - ((unsigned long) pcct_entry + pcct_entry->length); > > /* If doorbell is in system memory cache the virt address */ > pcct_ss = (struct acpi_pcct_hw_reduced *)pcct_entry; > @@ -370,6 +368,8 @@ static int __init acpi_pcc_probe(void) > if (db_reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) > pcc_doorbell_vaddr[i] = acpi_os_ioremap(db_reg->address, > db_reg->bit_width/8); > + pcct_entry = (struct acpi_subtable_header *) > + ((unsigned long) pcct_entry + pcct_entry->length); > } > > pcc_mbox_ctrl.num_chans = count; > -- > Qualcomm Technologies, Inc. on behalf of Qualcomm Innovation Center, Inc. > Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, > a Linux Foundation Collaborative Project > -- To unsubscribe from this list: send the line "unsubscribe linux-acpi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
