[v2,1/5] ACPI: add in a bad_madt_entry() function to eventually replace the macro

Message ID 1440022048-6285-2-git-send-email-al.stone@linaro.org
State New

Commit Message

Al Stone Aug. 19, 2015, 10:07 p.m. UTC
The existing BAD_MADT_ENTRY macro only checks that the size of the data
structure for an MADT subtable matches the length entry in the subtable.
This is, unfortunately, not reliable.  Nor, as it turns out, does it have
anything to do with what the length should be in any particular table.

We introduce the bad_madt_entry() function that uses a data set to
do some basic sanity checks on any given MADT subtable.  Over time, as
the spec changes, we should just be able to add entries to the data set
to reflect the changes.

What the data set captures is the allowed MADT subtable length for each
type of subtable, for each revision of the specification.  While there
is a revision number in the MADT that we should be able to use to figure
out the proper subtable length, it was not changed when subtables did.
And, while there is a major and minor revision in the FADT that could
also help, it was not always changed as the subtables changed either.
So, the data set captures for each published version of the ACPI spec
what the FADT revisions numbers should be, the corresponding MADT
revision number, and the subtable types and lengths that were defined
at that time.

The sanity checks done are:
	-- is the length non-zero?
	-- is the subtable type defined/allowed for the revision of
	   the FADT we're using?
	-- is the subtable type defined/allowed for the revision of
	   the MADT we're using?
	-- is the length entry what it should be for this revision
	   of the MADT and FADT?

These checks are more thorough than the previous macro provided, and
are now insulated from data structure size changes by ACPICA, which
have been the source of other patches in the past.

Now that the bad_madt_entry() function is available, we add code to
also invoke it before any subtable handlers are called to use the
info in the subtable.  Subsequent patches will remove the use of the
BAD_MADT_ENTRY macro which is now redundant as a result.  Any ACPI
functions that use acpi_parse_madt_entries() will always have all of
the MADT subtables checked from now on.

Signed-off-by: Al Stone <al.stone@linaro.org>
Cc: Rafael J. Wysocki <rjw@rjwysocki.net>
Cc: Len Brown <lenb@kernel.org>
---
 drivers/acpi/tables.c | 241 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 241 insertions(+)
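A userspace re-implementation of the same table-driven check, added here as an example and not part of this patch: it walks a constructed MADT body against one row of the length table (the ACPI 5.1a row), bounds every read by the bytes left in the table, and scans the Local SAPIC UID string only inside the declared length. LOCAL_SAPIC_FIXED, the madt_err enum and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define SUBTABLE_UNDEFINED 0x00
#define SUBTABLE_VARIABLE  0xff
#define NUM_SUBTABLE_TYPES 16
#define LOCAL_SAPIC_FIXED  16	/* assumption: bytes before uid_string in a Local SAPIC */

/* Every MADT subtable begins with a one-byte type and a one-byte length. */
struct subtable_header { uint8_t type; uint8_t length; };

/* Expected lengths for one revision: the ACPI 5.1a row of the patch's table. */
struct spec_lengths { uint16_t num_types; uint16_t lengths[NUM_SUBTABLE_TYPES]; };
static const struct spec_lengths acpi_51 = { 15,
	{ 8, 12, 10, 8, 6, 12, 16, SUBTABLE_VARIABLE, 16, 16, 12, 76, 24, 24, 16 } };

enum madt_err { MADT_OK = 0, MADT_TRUNCATED, MADT_ZERO_LEN, MADT_BAD_TYPE, MADT_BAD_LEN };
/* Check the subtable at buf; remaining is the number of bytes left in the table. */
static enum madt_err check_subtable(const uint8_t *buf, size_t remaining,
				    const struct spec_lengths *spec)
{
	const struct subtable_header *h = (const struct subtable_header *)buf;
	uint16_t want = 0;
	if (remaining < sizeof(*h))
		return MADT_TRUNCATED;	/* not even a header left */
	if (h->length == 0)
		return MADT_ZERO_LEN;	/* a caller's loop would never advance */
	if (h->length > remaining)
		return MADT_TRUNCATED;	/* declared length runs past the table */
	if (h->type >= spec->num_types ||
	    (want = spec->lengths[h->type]) == SUBTABLE_UNDEFINED)
		return MADT_BAD_TYPE;	/* type not defined for this revision */
	if (want == SUBTABLE_VARIABLE) {
		/* Local SAPIC: fixed part plus NUL-terminated UID; look for the NUL only inside the declared length */
		size_t max_str, n = 0;
		if (h->length <= LOCAL_SAPIC_FIXED)
			return MADT_BAD_LEN;
		max_str = h->length - LOCAL_SAPIC_FIXED;
		while (n < max_str && buf[LOCAL_SAPIC_FIXED + n] != 0)
			n++;
		if (n == max_str)
			return MADT_BAD_LEN;	/* no terminator inside the subtable */
		return LOCAL_SAPIC_FIXED + n + 1 == h->length ? MADT_OK : MADT_BAD_LEN;
	}
	return h->length == want ? MADT_OK : MADT_BAD_LEN;
}

/* Walk every subtable in a MADT body, stopping at the first bad one; its offset
 * is stored in *bad_off when that pointer is non-NULL. */
static enum madt_err walk_madt(const uint8_t *body, size_t size,
			       const struct spec_lengths *spec, size_t *bad_off)
{
	size_t off = 0;
	while (off < size) {
		enum madt_err e = check_subtable(body + off, size - off, spec);
		if (e != MADT_OK) {
			if (bad_off) *bad_off = off;
			return e;
		}
		off += body[off + 1];	/* in bounds: length is non-zero and fits */
	}
	return MADT_OK;
}
/* Constructed sample body: Local APIC (8), IO APIC (12), Local SAPIC with UID "cpu0" (21). */
static const uint8_t sample_madt[] = {
	0x0, 8, 1, 0, 1, 0, 0, 0,
	0x1, 12, 0, 0, 0, 0, 0, 0, 0xfe, 0xc0, 0, 0,
	0x7, 21, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 'c', 'p', 'u', '0', 0,
};
```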

Comments

Sudeep Holla Sept. 7, 2015, 3:32 p.m. UTC | #1
Hi Al,

On 19/08/15 23:07, Al Stone wrote:

I finally got a chance to try this series on Juno. Well it exposed a 
firmware bug in MADT table :)

[..]

>                  acpi_tbl_entry_handler handler,
> @@ -245,6 +484,8 @@ acpi_parse_entries(char *id, unsigned long table_size,
>                 table_end) {
>                  if (entry->type == entry_id
>                      && (!max_entries || count < max_entries)) {
> +                       if (bad_madt_entry(table_header, entry))
> +                               return -EINVAL;

Not sure if we can have the above check here unconditionally.
Currently I can see there are 2 other users of acpi_parse_entries i.e.
PCC and NUMA. So maybe it can be made conditional or return success for
non-MADT tables from bad_madt_entry ?

Other than that, you can add for ARM64 specific parts:
Reviewed-and-tested-by: Sudeep Holla <sudeep.holla@arm.com>

Regards,
Sudeep
Al Stone Sept. 8, 2015, 11 p.m. UTC | #2
On 09/07/2015 09:32 AM, Sudeep Holla wrote:
> Hi Al,
> 
> On 19/08/15 23:07, Al Stone wrote:
> 
> I finally got a chance to try this series on Juno. Well it exposed a firmware
> bug in MADT table :)

What?  The code did what it was supposed to do :-)?  Very cool.  Good to know.

I talked to Graeme a bit, too, and he had some good suggestions for clean up.
I'll post a v3 tomorrow.

> [..]
> 
>>                  acpi_tbl_entry_handler handler,
>> @@ -245,6 +484,8 @@ acpi_parse_entries(char *id, unsigned long table_size,
>>                 table_end) {
>>                  if (entry->type == entry_id
>>                      && (!max_entries || count < max_entries)) {
>> +                       if (bad_madt_entry(table_header, entry))
>> +                               return -EINVAL;
> 
> Not sure if we can have the above check here unconditionally.
> Currently I can see there are 2 other users of acpi_parse_entries i.e.
> PCC and NUMA. So maybe it can be made conditional or return success for
> non-MADT tables from bad_madt_entry ?

I'll double check these uses.  I thought I had before, and based on what I
saw the check would be reasonable.  It never hurts to check again, though.

> Other than that, you can add for ARM64 specific parts:
> Reviewed-and-tested-by: Sudeep Holla <sudeep.holla@arm.com>

Thanks!

> Regards,
> Sudeep
> -- 
> To unsubscribe from this list: send the line "unsubscribe linux-acpi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
Al Stone Sept. 9, 2015, 7:57 p.m. UTC | #3
On 09/07/2015 09:32 AM, Sudeep Holla wrote:
> Hi Al,
> 
> On 19/08/15 23:07, Al Stone wrote:
> 
> I finally got a chance to try this series on Juno. Well it exposed a firmware
> bug in MADT table :)
> 
> [..]
> 
>>                  acpi_tbl_entry_handler handler,
>> @@ -245,6 +484,8 @@ acpi_parse_entries(char *id, unsigned long table_size,
>>                 table_end) {
>>                  if (entry->type == entry_id
>>                      && (!max_entries || count < max_entries)) {
>> +                       if (bad_madt_entry(table_header, entry))
>> +                               return -EINVAL;
> 
> Not sure if we can have the above check here unconditionally.
> Currently I can see there are 2 other users of acpi_parse_entries i.e.
> PCC and NUMA. So maybe it can be made conditional or return success for
> non-MADT tables from bad_madt_entry ?

So, I went back and double checked the other users and they're looking at
the return value for acpi_parse_entries properly; adding in the check above
unconditionally should not cause any behavior change.  Further, despite the
name, acpi_parse_entries is only used to examine MADT subtables.  Granted,
we should probably make the name clearer at some point (too ambiguous as to
which entries are parsed right now).  Nonetheless, current usage seems to
be in order.
Sudeep Holla Sept. 10, 2015, 4:20 p.m. UTC | #4
On 09/09/15 20:57, Al Stone wrote:
> On 09/07/2015 09:32 AM, Sudeep Holla wrote:
>> Hi Al,
>>
>> On 19/08/15 23:07, Al Stone wrote:
>>
>> I finally got a chance to try this series on Juno. Well it exposed a firmware
>> bug in MADT table :)
>>
>> [..]
>>
>>>                   acpi_tbl_entry_handler handler,
>>> @@ -245,6 +484,8 @@ acpi_parse_entries(char *id, unsigned long table_size,
>>>                  table_end) {
>>>                   if (entry->type == entry_id
>>>                       && (!max_entries || count < max_entries)) {
>>> +                       if (bad_madt_entry(table_header, entry))
>>> +                               return -EINVAL;
>>
>> Not sure if we can have the above check here unconditionally.
>> Currently I can see there are 2 other users of acpi_parse_entries i.e.
>> PCC and NUMA. So maybe it can be made conditional or return success for
>> non-MADT tables from bad_madt_entry ?
>
> So, I went back and double checked the other users and they're looking at
> the return value for acpi_parse_entries properly; adding in the check above
> unconditionally should not cause any behavior change.

I disagree. I populated the PCCT table on Juno and got this error for
PCCT (the PCCT header gets interpreted as an MADT header):
"
ACPI: undefined version for either FADT 5.1 or MADT 1
Error parsing PCC subspaces from PCCT
"
And here is the stack trace:
[<ffffffc000881e58>] bad_madt_entry+0x90/0x16c
[<ffffffc000882030>] acpi_table_parse_entries+0xfc/0x180
[<ffffffc000895af8>] pcc_init+0x70/0x148

> Further, despite the name, acpi_parse_entries is only used to examine MADT
> subtables.  Granted, we should probably make the name clearer at some point
> (too ambiguous as to which entries are parsed right now).  Nonetheless, current
> usage seems to be in order.
>

From the code inspection, I can see we have 3 users of
acpi_parse_entries not just MADT but also PCC and NUMA/SRAT

Something like this solves this issue:
-              if (bad_madt_entry(table_header, entry))
+              if (!strncmp(id, ACPI_SIG_MADT, 4) &&
+                      bad_madt_entry(table_header, entry)


Or am I still missing something ?

Regards,
Sudeep
Al Stone Sept. 10, 2015, 8:43 p.m. UTC | #5
On 09/10/2015 10:20 AM, Sudeep Holla wrote:
> 
> 
> On 09/09/15 20:57, Al Stone wrote:
>> On 09/07/2015 09:32 AM, Sudeep Holla wrote:
>>> Hi Al,
>>>
>>> On 19/08/15 23:07, Al Stone wrote:
>>>
>>> I finally got a chance to try this series on Juno. Well it exposed a firmware
>>> bug in MADT table :)
>>>
>>> [..]
>>>
>>>>                   acpi_tbl_entry_handler handler,
>>>> @@ -245,6 +484,8 @@ acpi_parse_entries(char *id, unsigned long table_size,
>>>>                  table_end) {
>>>>                   if (entry->type == entry_id
>>>>                       && (!max_entries || count < max_entries)) {
>>>> +                       if (bad_madt_entry(table_header, entry))
>>>> +                               return -EINVAL;
>>>
>>> Not sure if we can have the above check here unconditionally.
>>> Currently I can see there are 2 other users of acpi_parse_entries i.e.
>>> PCC and NUMA. So maybe it can be made conditional or return success for
>>> non-MADT tables from bad_madt_entry ?
>>
>> So, I went back and double checked the other users and they're looking at
>> the return value for acpi_parse_entries properly; adding in the check above
>> unconditionally should not cause any behavior change.
> 
> I disagree. I populated the PCCT table on Juno and got this error for
> PCCT (the PCCT header gets interpreted as an MADT header):
> "
> ACPI: undefined version for either FADT 5.1 or MADT 1
> Error parsing PCC subspaces from PCCT
> "
> And here is the stack trace:
> [<ffffffc000881e58>] bad_madt_entry+0x90/0x16c
> [<ffffffc000882030>] acpi_table_parse_entries+0xfc/0x180
> [<ffffffc000895af8>] pcc_init+0x70/0x148
> 
>> Further, despite the name, acpi_parse_entries is only used to examine MADT
>> subtables.  Granted, we should probably make the name clearer at some point
>> (too ambiguous as to which entries are parsed right now).  Nonetheless, current
>> usage seems to be in order.
>>
> 
> From the code inspection, I can see we have 3 users of acpi_parse_entries not
> just MADT but also PCC and NUMA/SRAT
> 
> Something like this solves this issue:
> -              if (bad_madt_entry(table_header, entry))
> +              if (!strncmp(id, ACPI_SIG_MADT, 4) &&
> +                      bad_madt_entry(table_header, entry)
> 
> 
> Or am I still missing something ?
> 
> Regards,
> Sudeep

Nope, I missed it.  Your fix above will solve the problem; I misunderstood
how acpi_parse_entries() was being used -- somehow I had it in my head that
only MADT was in use, and just not seeing that it's being used for several
other subtable traversals also.  Sorry about that, Sudeep.  My mistake.

I'll add this fix for a v4, but I'll wait for a few days to see if I get any
additional comments -- I haven't heard from any x86, ia64 or ACPI maintainers
yet.  OTOH, it's nice to know we've already found and fixed two sets of arm64
ACPI tables that are in error by using these patches, even with the flaws :).
Sudeep Holla Sept. 11, 2015, 8:49 a.m. UTC | #6
On 10/09/15 21:43, Al Stone wrote:
> On 09/10/2015 10:20 AM, Sudeep Holla wrote:
>>

[...]

>>
>> From the code inspection, I can see we have 3 users of acpi_parse_entries not
>> just MADT but also PCC and NUMA/SRAT
>>
>> Something like this solves this issue:
>> -              if (bad_madt_entry(table_header, entry))
>> +              if (!strncmp(id, ACPI_SIG_MADT, 4) &&
>> +                      bad_madt_entry(table_header, entry)
>>
>>
>> Or am I still missing something ?
>
> Nope, I missed it.  Your fix above will solve the problem; I misunderstood
> how acpi_parse_entries() was being used -- somehow I had it in my head that
> only MADT was in use, and just not seeing that it's being used for several
> other subtable traversals also.  Sorry about that, Sudeep.  My mistake.
>

No worries.

> I'll add this fix for a v4, but I'll wait for a few days to see if I get any
> additional comments -- I haven't heard from any x86, ia64 or ACPI maintainers

Makes sense.

> yet.  OTOH, it's nice to know we've already found and fixed two sets of arm64
> ACPI tables that are in error by using these patches, even with the flaws :).
>

Very much true indeed :)

Regards,
Sudeep
Patch

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index 17a6fa0..d1c0efc 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -210,6 +210,245 @@  void acpi_table_print_madt_entry(struct acpi_subtable_header *header)
 	}
 }
 
+/*
+ * The Long, Sad, True Story of the MADT
+ *    or
+ * What does bad_madt_entry() actually do?
+ *
+ * Once upon a time in ACPI 1.0, there was the MADT.  It was a nice table,
+ * and it had two subtables all of its own.  But, it was also a pretty
+ * busy table, too, so over time the MADT gathered up other nice little
+ * subtables.  By the time ACPI 6.0 came around, the MADT had 16 of the
+ * little guys.
+ *
+ * Now, the MADT kept a little counter around for the subtables.  In fact,
+ * it kept two counters: one was the revision level, which was supposed to
+ * change when new subtables came to be, or as the ones already around grew
+ * up. The second counter was a type number, because the MADT needed a unique
+ * type for each subtable so he could tell them apart.  But, sometimes the
+ * MADT got so busy, he forgot to increment the revision level when he needed
+ * to.  Fortunately, the type counter kept increasing since that's the only
+ * way the MADT could find each little subtable.  It just wouldn't do to have
+ * every subtable called Number 6.
+ *
+ * In the next valley over, a castle full of wizards was watching the MADT
+ * and made a pact to keep their own counter.  Every time the MADT found a
+ * new subtable, or a subtable grew up, the wizards promised they would
+ * increment their counter.  Well, wizards being the forgetful sort, they
+ * didn't alway do that.  And, since there quite a lot of them, they
+ * couldn't always remember who was supposed to keep track of the MADT,
+ * especially if dinner was coming up soon.  Their counter was called the
+ * spec version.
+ *
+ * Every now and then, the MADT would gather up all its little subtables
+ * and take them in to the cobbler to get new boots.  This was a very, very
+ * meticulous cobbler, so every time they came, he wrote down all the boot
+ * sizes for all of the little subtables.  The cobbler would ask each subtable
+ * for its length, check that against his careful notes, and then go get the
+ * right boots.  Sometimes, a little subtable would change a bit, and their
+ * length did not match what the cobbler had written down.  If the wizards
+ * or the MADT had incremented their counters, the cobbler would breath a
+ * sigh of relief and write down the new length as the right one.  But, if
+ * none of the counters had changed, this would make the cobbler very, very
+ * mad.  He couldn't tell if he had the right size boots or not for the
+ * little subtable.  He would have to *guess* and this really bugged him.
+ *
+ * Well, when the cobbler got mad like this, he would go into hiding.  He
+ * would not make or sell any boots.  He would not go out at all.  Pretty
+ * soon, the coffee shop would have to close because the cobbler wasn't
+ * coming by twice a day any more.  Then the grocery store would have to
+ * close because he wouldn't eat much.  After a while, everyone would panic
+ * and have to move from the village and go live with all their relatives
+ * (usually the ones they didn't like very much).
+ *
+ * Eventually, the cobbler would work his way out of his bad mood, and
+ * open up his boot business again.  Then, everyone else could move back
+ * to the village and restart their lives, too.
+ *
+ * Fortunately, we have been able to collect up all the cobbler's careful
+ * notes (and we wrote them down below).  We'll have to keep checking these
+ * notes over time, too, just as the cobbler does.  But, in the meantime,
+ * we can avoid the panic and the reboot since we can make sure that each
+ * subtable is doing okay.  And that's what bad_madt_entry() does.
+ *
+ *
+ * FADT Major Version ->       1    3    4     4     5     5     6
+ * FADT Minor Version ->       x    x    x     x     x     1     0
+ * MADT revision ->            1    1    2     3     3     3     3
+ * Spec Version ->            1.0  2.0  3.0b  4.0a  5.0b  5.1a  6.0
+ * Subtable Name	Type  Expected Length ->
+ * Processor Local APIC  0x0    8    8    8     8     8     8     8
+ * IO APIC               0x1   12   12   12    12    12    12    12
+ * Int Src Override      0x2        10   10    10    10    10    10
+ * NMI Src               0x3         8    8     8     8     8     8
+ * Local APIC NMI Struct 0x4         6    6     6     6     6     6
+ * Local APIC Addr Ovrrd 0x5        16   12    12    12    12    12
+ * IO SAPIC              0x6        20   16    16    16    16    16
+ * Local SAPIC           0x7         8  >16   >16   >16   >16   >16
+ * Platform Int Src      0x8        16   16    16    16    16    16
+ * Proc Local x2APIC     0x9                   16    16    16    16
+ * Local x2APIC NMI      0xa                   12    12    12    12
+ * GICC CPU I/F          0xb                         40    76    80
+ * GICD                  0xc                         24    24    24
+ * GICv2m MSI            0xd                               24    24
+ * GICR                  0xe                               16    16
+ * GIC ITS               0xf                                     16
+ *
+ * In the table, each length entry is what should be in the length
+ * field of the subtable, and -- in general -- it should match the
+ * size of the struct for the subtable.  Any value that is not set
+ * (i.e., is zero) indicates that the subtable is not defined for
+ * that version of the ACPI spec.
+ *
+ */
+#define SUBTABLE_UNDEFINED	0x00
+#define SUBTABLE_VARIABLE	0xff
+#define NUM_SUBTABLE_TYPES	16
+
+struct acpi_madt_subtable_lengths {
+	unsigned short major_version;	/* from revision in FADT header */
+	unsigned short minor_version;	/* FADT field starting with 5.1 */
+	unsigned short madt_version;	/* MADT revision */
+	unsigned short num_types;	/* types possible for this version */
+	unsigned short lengths[NUM_SUBTABLE_TYPES];
+					/* subtable lengths, indexed by type */
+};
+
+static struct acpi_madt_subtable_lengths spec_info[] = {
+	{ /* for ACPI 1.0 */
+		.major_version = 1,
+		.minor_version = 0,
+		.madt_version = 1,
+		.num_types = 2,
+		.lengths = { 8, 12 }
+	},
+	{ /* for ACPI 2.0 */
+		.major_version = 3,
+		.minor_version = 0,
+		.madt_version = 1,
+		.num_types = 9,
+		.lengths = { 8, 12, 10, 8, 6, 16, 20, 8, 16 }
+	},
+	{ /* for ACPI 3.0b */
+		.major_version = 4,
+		.minor_version = 0,
+		.madt_version = 2,
+		.num_types = 9,
+		.lengths = { 8, 12, 10, 8, 6, 12, 16, SUBTABLE_VARIABLE, 16 }
+	},
+	{ /* for ACPI 4.0a */
+		.major_version = 4,
+		.minor_version = 0,
+		.madt_version = 3,
+		.num_types = 11,
+		.lengths = { 8, 12, 10, 8, 6, 12, 16, SUBTABLE_VARIABLE,
+			     16, 16, 12 }
+	},
+	{ /* for ACPI 5.0b */
+		.major_version = 5,
+		.minor_version = 0,
+		.madt_version = 3,
+		.num_types = 13,
+		.lengths = { 8, 12, 10, 8, 6, 12, 16, SUBTABLE_VARIABLE,
+			     16, 16, 12, 40, 24 }
+	},
+	{ /* for ACPI 5.1a */
+		.major_version = 5,
+		.minor_version = 1,
+		.madt_version = 3,
+		.num_types = 15,
+		.lengths = { 8, 12, 10, 8, 6, 12, 16, SUBTABLE_VARIABLE,
+			     16, 16, 12, 76, 24, 24, 16 }
+	},
+	{ /* for ACPI 6.0 */
+		.major_version = 6,
+		.minor_version = 0,
+		.madt_version = 3,
+		.num_types = 16,
+		.lengths = { 8, 12, 10, 8, 6, 12, 16, SUBTABLE_VARIABLE,
+			     16, 16, 12, 80, 24, 24, 16, 16 }
+	},
+	{ /* terminator */
+		.major_version = 0,
+		.minor_version = 0,
+		.madt_version = 0,
+		.num_types = 0,
+		.lengths = { 0 }
+	}
+};
+
+int __init bad_madt_entry(struct acpi_table_header *table,
+			  struct acpi_subtable_header *entry)
+{
+	struct acpi_madt_subtable_lengths *ms;
+	struct acpi_table_madt *madt;
+	unsigned short major;
+	unsigned short minor;
+	unsigned short len;
+
+	/* simple sanity checking on MADT subtable entries */
+	if (!entry || !table)
+		return 1;
+
+	/* FADT minor numbers were not introduced until ACPI 5.1 */
+	major = acpi_gbl_FADT.header.revision;
+	if (major >= 5 && acpi_gbl_FADT.header.length >= 268)
+		minor = acpi_gbl_FADT.minor_revision;
+	else
+		minor = 0;
+
+	madt = (struct acpi_table_madt *)table;
+	ms = spec_info;
+	while (ms->num_types != 0) {
+		if (ms->major_version == major &&
+		    ms->minor_version == minor &&
+		    ms->madt_version == madt->header.revision)
+			break;
+		ms++;
+	}
+	if (!ms->num_types) {
+		pr_err("undefined FADT version: %d.%d\n", major, minor);
+		return 1;
+	}
+
+	if (entry->type >= ms->num_types) {
+		pr_err("undefined MADT subtable type for FADT %d.%d: %d (length %d)\n",
+		       major, minor, entry->type, entry->length);
+		return 1;
+	}
+
+	/* verify that the table is allowed for this version of the spec */
+	len = ms->lengths[entry->type];
+	if (!len) {
+		pr_err("MADT subtable %d not defined for FADT %d.%d\n",
+			 entry->type, major, minor);
+		return 1;
+	}
+
+	/* verify that the length is what we expect */
+	if (len == SUBTABLE_VARIABLE) {
+		if (entry->type == ACPI_MADT_TYPE_LOCAL_SAPIC) {
+			struct acpi_madt_local_sapic *lsapic =
+				(struct acpi_madt_local_sapic *)entry;
+
+			if (sizeof(struct acpi_madt_local_sapic) +
+			    strlen(lsapic->uid_string) + 1 != entry->length) {
+				pr_err("Variable length MADT subtable %d is wrong size: %d\n",
+				       entry->type, entry->length);
+				return 1;
+			}
+		}
+	} else {
+		if (entry->length != len) {
+			pr_err("MADT subtable %d is wrong size: %d\n",
+			       len, entry->type);
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
 int __init
 acpi_parse_entries(char *id, unsigned long table_size,
 		acpi_tbl_entry_handler handler,
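Review bot: the Local SAPIC branch calls strlen(lsapic->uid_string) on firmware data, so a function whose purpose is to distrust the length field can itself read past the subtable when the string is not NUL-terminated; check that entry->length is at least sizeof(struct acpi_madt_local_sapic) + 1 first, scan with strnlen() bounded by entry->length - sizeof(struct acpi_madt_local_sapic), and treat a missing terminator as an error. The fixed-length error message passes "len, entry->type" to a format that reads as subtable number then size; it should be "entry->type, entry->length". bad_madt_entry() is non-static and has no prototype in a header while its only caller in this patch is in the same file, so mark it static (or declare it). The comment block also has typos: "alway", "since there quite a lot of them", "breath a sigh".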
@@ -245,6 +484,8 @@  acpi_parse_entries(char *id, unsigned long table_size,
 	       table_end) {
 		if (entry->type == entry_id
 		    && (!max_entries || count < max_entries)) {
+			if (bad_madt_entry(table_header, entry))
+				return -EINVAL;
 			if (handler(entry, table_end))
 				return -EINVAL;
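Review bot: the new call sits inside "if (entry->type == entry_id ...)", so only subtables of the type being requested are validated and the other types in the same table are still walked unchecked, which is narrower than the commit message's "all of the MADT subtables checked". It also runs for every caller of acpi_parse_entries() regardless of the table signature, and the thread reports a PCCT being rejected as a result; guard it with !strncmp(id, ACPI_SIG_MADT, 4) as proposed there, and consider moving the MADT check ahead of the type comparison so every MADT subtable is covered.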