From nobody Thu Mar 13 16:58:04 2025
Delivered-To: importer2@patchew.org
Authentication-Results: mx.zohomail.com;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer2=patchew.org@nongnu.org
Return-Path: <qemu-devel-bounces+importer2=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 17127283512881007.2038556486098;
 Tue, 9 Apr 2024 22:52:31 -0700 (PDT)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces@nongnu.org>)
	id 1ruQnN-00088M-J2; Wed, 10 Apr 2024 01:46:55 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)
 id 1ruQmb-0005gu-8T; Wed, 10 Apr 2024 01:46:05 -0400
Received: from isrv.corpit.ru ([86.62.121.231])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <mjt@tls.msk.ru>)
 id 1ruQmZ-0001nY-Hx; Wed, 10 Apr 2024 01:46:04 -0400
Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2])
 by isrv.corpit.ru (Postfix) with ESMTP id 1C99B5D4EE;
 Wed, 10 Apr 2024 08:46:16 +0300 (MSK)
Received: from tls.msk.ru (mjt.wg.tls.msk.ru [192.168.177.130])
 by tsrv.corpit.ru (Postfix) with SMTP id D6293B0155;
 Wed, 10 Apr 2024 08:44:17 +0300 (MSK)
Received: (nullmailer pid 4182068 invoked by uid 1000);
 Wed, 10 Apr 2024 05:44:16 -0000
From: Michael Tokarev <mjt@tls.msk.ru>
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Jonathan Cameron <Jonathan.Cameron@huawei.com>,
 "Michael S . Tsirkin" <mst@redhat.com>, Michael Tokarev <mjt@tls.msk.ru>
Subject: [Stable-7.2.11 22/41] hmat acpi: Fix out of bounds access due to
 missing use of indirection
Date: Wed, 10 Apr 2024 08:43:43 +0300
Message-Id: <20240410054416.4181891-22-mjt@tls.msk.ru>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <qemu-stable-7.2.11-20240410084037@cover.tls.msk.ru>
References: <qemu-stable-7.2.11-20240410084037@cover.tls.msk.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer2=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Received-SPF: pass client-ip=86.62.121.231; envelope-from=mjt@tls.msk.ru;
 helo=isrv.corpit.ru
X-Spam_score_int: -68
X-Spam_score: -6.9
X-Spam_bar: ------
X-Spam_report: (-6.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+importer2=patchew.org@nongnu.org
Sender: qemu-devel-bounces+importer2=patchew.org@nongnu.org
X-ZM-MESSAGEID: 1712728352024100001
Content-Type: text/plain; charset="utf-8"

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

With a numa set up such as

-numa nodeid=3D0,cpus=3D0 \
-numa nodeid=3D1,memdev=3Dmem \
-numa nodeid=3D2,cpus=3D1

and appropriate hmat_lb entries the initiator list is correctly
computed and writen to HMAT as 0,2 but then the LB data is accessed
using the node id (here 2), landing outside the entry_list array.

Stash the reverse lookup when writing the initiator list and use
it to get the correct array index index.

Fixes: 4586a2cb83 ("hmat acpi: Build System Locality Latency and Bandwidth =
Information Structure(s)")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240307160326.31570-3-Jonathan.Cameron@huawei.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 74e2845c5f95b0c139c79233ddb65bb17f2dd679)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/acpi/hmat.c b/hw/acpi/hmat.c
index 3a6d51282a..768038e0da 100644
--- a/hw/acpi/hmat.c
+++ b/hw/acpi/hmat.c
@@ -77,6 +77,7 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_Inf=
o *hmat_lb,
                           uint32_t *initiator_list)
 {
     int i, index;
+    uint32_t initiator_to_index[MAX_NODES] =3D {};
     HMAT_LB_Data *lb_data;
     uint16_t *entry_list;
     uint32_t base;
@@ -120,6 +121,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_I=
nfo *hmat_lb,
     /* Initiator Proximity Domain List */
     for (i =3D 0; i < num_initiator; i++) {
         build_append_int_noprefix(table_data, initiator_list[i], 4);
+        /* Reverse mapping for array possitions */
+        initiator_to_index[initiator_list[i]] =3D i;
     }
=20
     /* Target Proximity Domain List */
@@ -131,7 +134,8 @@ static void build_hmat_lb(GArray *table_data, HMAT_LB_I=
nfo *hmat_lb,
     entry_list =3D g_new0(uint16_t, num_initiator * num_target);
     for (i =3D 0; i < hmat_lb->list->len; i++) {
         lb_data =3D &g_array_index(hmat_lb->list, HMAT_LB_Data, i);
-        index =3D lb_data->initiator * num_target + lb_data->target;
+        index =3D initiator_to_index[lb_data->initiator] * num_target +
+            lb_data->target;
=20
         entry_list[index] =3D (uint16_t)(lb_data->data / hmat_lb->base);
     }
--=20
2.39.2