Re: [RFC PATCH v7 11/12] ACPI:RAS2: Add driver for ACPI RAS2 feature table (RAS2)

[Daniel Ferguson <danielf@xxxxxxxxxxxxxxxxxxxxxx>]

> +static int __init ras2_acpi_init(void)
> +{
> +	u8 count;
> +	acpi_status status;
> +	acpi_size ras2_size;
> +	int pcc_subspace_idx;
> +	struct platform_device *pdev;
> +	struct acpi_table_ras2 *pRas2Table;
> +	struct acpi_ras2_pcc_desc *pcc_desc_list;
> +	struct platform_device **pdev_list = NULL;
> +	struct acpi_table_header *pAcpiTable = NULL;
> +
> +	status = acpi_get_table("RAS2", 0, &pAcpiTable);
> +	if (ACPI_FAILURE(status) || !pAcpiTable) {
> +		pr_err("ACPI RAS2 driver failed to initialize, get table failed\n");
> +		return RAS2_FAILURE;
> +	}
> +
> +	ras2_size = pAcpiTable->length;
> +	if (ras2_size < sizeof(struct acpi_table_ras2)) {
> +		pr_err("ACPI RAS2 table present but broken (too short #1)\n");
> +		goto free_ras2_table;
> +	}
> +
> +	pRas2Table = (struct acpi_table_ras2 *)pAcpiTable;
> +
> +	if (pRas2Table->num_pcc_descs <= 0) {
> +		pr_err("ACPI RAS2 table does not contain PCC descriptors\n");
> +		goto free_ras2_table;
> +	}
> +
> +	pdev_list = kzalloc((pRas2Table->num_pcc_descs * sizeof(struct platform_device *)),
> +			     GFP_KERNEL);
> +	if (!pdev_list)
> +		goto free_ras2_table;
> +
> +	pcc_desc_list = (struct acpi_ras2_pcc_desc *)
> +				((void *)pRas2Table + sizeof(struct acpi_table_ras2));
> +	count = 0;
> +	while (count < pRas2Table->num_pcc_descs) {
> +		if (pcc_desc_list->feature_type == RAS2_FEATURE_TYPE_MEMORY) {
> +			pcc_subspace_idx = pcc_desc_list->channel_id;
> +			/* Add the platform device and bind ras2 memory driver */
> +			pdev = ras2_add_platform_device("ras2", &pcc_subspace_idx,
> +							sizeof(pcc_subspace_idx));
> +			if (!pdev)
> +				goto free_ras2_pdev;
> +			pdev_list[count] = pdev;
> +		}
> +		count++;
> +		pcc_desc_list = pcc_desc_list + sizeof(struct acpi_ras2_pcc_desc);

This line needs to be:
pcc_desc_list = pcc_desc_list + 1
because pcc_desc_list is a type larger than a byte.
This bug will crash the module when num_pcc_descs
is greater than 1

> +	}
> +
> +	acpi_put_table(pAcpiTable);
> +	return RAS2_SUCCESS;
> +
> +free_ras2_pdev:
> +	count = 0;
> +	while (count < pRas2Table->num_pcc_descs) {
> +		if (pcc_desc_list->feature_type ==
> +				RAS2_FEATURE_TYPE_MEMORY)
> +			platform_device_put(pdev_list[count++]);
> +	}
> +	kfree(pdev_list);
> +
> +free_ras2_table:
> +	acpi_put_table(pAcpiTable);
> +	return RAS2_FAILURE;
> +}