mailbox: pcc: Don't access an unmapped memory address space
authorShanker Donthineni <shankerd@codeaurora.org>
Wed, 6 Apr 2016 17:49:24 +0000 (12:49 -0500)
committerRafael J. Wysocki <rafael.j.wysocki@intel.com>
Wed, 6 Apr 2016 23:25:28 +0000 (01:25 +0200)
The acpi_pcc_probe() may end up accessing memory outside of the PCCT
table space causing the kernel panic(). Increment the pcct_entry
pointer after parsing 'HW-reduced Communications Subspace' to fix
the problem. This change also enables the parsing of subtable at
index 0.

Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
Acked-by: Ashwin Chaugule <ashwin.chaugule@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
drivers/mailbox/pcc.c

index ac11a9b395d301326fe09a911f404b7b6c0a718f..9d3955e6ab44f2fb99e23094e73570c11d567024 100644 (file)
@@ -367,8 +367,6 @@ static int __init acpi_pcc_probe(void)
                struct acpi_generic_address *db_reg;
                struct acpi_pcct_hw_reduced *pcct_ss;
                pcc_mbox_channels[i].con_priv = pcct_entry;
-               pcct_entry = (struct acpi_subtable_header *)
-                       ((unsigned long) pcct_entry + pcct_entry->length);
 
                /* If doorbell is in system memory cache the virt address */
                pcct_ss = (struct acpi_pcct_hw_reduced *)pcct_entry;
@@ -376,6 +374,8 @@ static int __init acpi_pcc_probe(void)
                if (db_reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
                        pcc_doorbell_vaddr[i] = acpi_os_ioremap(db_reg->address,
                                                        db_reg->bit_width/8);
+               pcct_entry = (struct acpi_subtable_header *)
+                       ((unsigned long) pcct_entry + pcct_entry->length);
        }
 
        pcc_mbox_ctrl.num_chans = count;