[Skiboot] [PATCH STABLE 2.1.1.1] hw/fsp/fsp-leds.c: use allocated buffer for FSP_CMD_GET_LED_LIST response

Stewart Smith stewart at linux.vnet.ibm.com
Fri Oct 9 16:42:38 AEDT 2015


This bug has been present since day 1 (of public release); what was going on
was that we were incorrectly using PSI_DMA_LOC_COD_BUF as the *address*
to write to for the FSP to read rather than using that purely as the
TCE table.

What we *should* have been doing (and this patch now does), is allocating
some (aligned) memory and using it.

With this patch, we no longer write over some poor random memory location
that could be being used by the host OS for something important, for example,
in the (internal) bug report of this, it was futex_hash_bucket in Linux
being replaced with our structure for replying to FSP_CMD_GET_LED_LIST (which
is around 4kb) and Linux doesn't like it when you replace a bunch of lock
data structures with essentially garbage.

Since this is FSP LED code specific, this only affects FSP based systems.

Reported-by: Dionysius d. Bell <belldi at us.ibm.com>
Signed-off-by: Stewart Smith <stewart at linux.vnet.ibm.com>
---
 hw/fsp/fsp-leds.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/hw/fsp/fsp-leds.c b/hw/fsp/fsp-leds.c
index 2d71c5d..f2f2a57 100644
--- a/hw/fsp/fsp-leds.c
+++ b/hw/fsp/fsp-leds.c
@@ -60,6 +60,7 @@ static bool led_support;
  *
  */
 static void *led_buffer;
+static u8 *loc_code_list_buffer = NULL;
 
 /* Maintain list of all LEDs
  *
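Review bot: the explicit `= NULL` initialiser on `static u8 *loc_code_list_buffer` is redundant (file-scope statics are zero-initialised) and is inconsistent with the adjacent `static void *led_buffer;` declaration; a one-line comment explaining that this buffer is the memory the FSP actually reads the location-code list from, as opposed to the TCE address PSI_DMA_LOC_COD_BUF that the commit message says was being misused, would be more useful than the initialiser.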
@@ -76,7 +77,6 @@ static struct lock led_lock = LOCK_UNLOCKED;
 static u32 last_spcn_cmd;
 static int replay = 0;
 
-
 static void fsp_leds_query_spcn(void);
 static void fsp_read_leds_data_complete(struct fsp_msg *msg);
 
@@ -458,8 +458,13 @@ static void fsp_ret_loc_code_list(u16 req_type, char *loc_code)
 	u32 bytes_sent = 0, total_size = 0;
 	u16 header_size = 0, flags = 0;
 
+	if (loc_code_list_buffer == NULL) {
+		prerror("No loc_code_list_buffer\n");
+		return;
+	}
+
 	/* Init the addresses */
-	data = (u8 *) PSI_DMA_LOC_COD_BUF;
+	data = loc_code_list_buffer;
 	out_data = NULL;
 
 	/* Unmapping through FSP_CMD_RET_LOC_BUFFER command */
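Review bot: the early return in the new `if (loc_code_list_buffer == NULL)` block leaves the FSP's FSP_CMD_GET_LED_LIST request with no reply at all; if the protocol expects a response, an error status should be sent back before returning rather than silently dropping the request. The log line `prerror("No loc_code_list_buffer\n");` also omits the file's PREFIX, unlike the `prerror(PREFIX "ERROR: ...")` added in fsp_led_init; use the same form for consistency.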
@@ -1085,6 +1090,10 @@ void fsp_led_init(void)
 	list_head_init(&encl_ledq);
 
 	fsp_leds_query_spcn();
+	loc_code_list_buffer = memalign(TCE_PSIZE, PSI_DMA_LOC_COD_BUF_SZ);
+	if (loc_code_list_buffer == NULL)
+		prerror(PREFIX "ERROR: Unable to allocate loc_code_list_buffer!\n");
+
 	printf(PREFIX "Init completed\n");
 
 	/* Handle FSP initiated async LED commands */
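Review bot: the buffer returned by `memalign(TCE_PSIZE, PSI_DMA_LOC_COD_BUF_SZ)` replaces PSI_DMA_LOC_COD_BUF as the data pointer, but nothing in this diff maps the buffer's real address into the TCE window at PSI_DMA_LOC_COD_BUF so the FSP can read it; confirm the mapping is performed in the unchanged part of fsp_ret_loc_code_list, otherwise the FSP will read whatever was previously mapped there. On allocation failure the init continues after logging, which is fine given the NULL guard in fsp_ret_loc_code_list, but the message should state that LED list requests will be unanswered as a result.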
-- 
2.1.4