On an EINJV2 capable system, users may still use the old injection
interface but einj_get_parameter_address() takes the EINJV2 path to map
the parameter structure. This results in the address the user supplied
being stored to the wrong location and the BIOS injecting based on an
uninitialized field (0x0 in the reported case).

Check the version of the request when mapping the EINJ parameter
structure in BIOS reserved memory.

Fixes: 691a0f0a557b ("ACPI: APEI: EINJ: Discover EINJv2 parameters")
Reported-by: Lai, Yi1 <yi1.lai@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
---
drivers/acpi/apei/einj-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c
index bf8dc92a373a..99f1b841fba9 100644
--- a/drivers/acpi/apei/einj-core.c
+++ b/drivers/acpi/apei/einj-core.c
@@ -315,7 +315,7 @@ static void __iomem *einj_get_parameter_address(void)
memcpy_fromio(&v5param, p, v5param_size);
acpi5 = 1;
check_vendor_extension(pa_v5, &v5param);
- if (available_error_type & ACPI65_EINJV2_SUPP) {
+ if (is_v2 && available_error_type & ACPI65_EINJV2_SUPP) {
len = v5param.einjv2_struct.length;
offset = offsetof(struct einjv2_extension_struct, component_arr);
max_nr_components = (len - offset) /
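Review bot: In the changed condition `if (is_v2 && available_error_type & ACPI65_EINJV2_SUPP)`, the bitwise test is grouped correctly only because `&` binds tighter than `&&`; writing it as `is_v2 && (available_error_type & ACPI65_EINJV2_SUPP)` makes the intent explicit and keeps it safe under later edits. Separately, `is_v2` is not an argument (the function takes `void`), so the choice of mapping path now depends on state set outside this hunk. The commit message says the check is on "the version of the request", so it would help to note in a comment or in the changelog where `is_v2` is set relative to this call, and that it cannot be stale from a previous request when the old injection interface is used.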
--
2.50.1
On 2025/8/15 0:17, Tony Luck wrote: > On an EINJV2 capable system, users may still use the old injection > interface but einj_get_parameter_address() takes the EINJV2 path to map > the parameter structure. This results in the address the user supplied > being stored to the wrong location and the BIOS injecting based on an > uninitialized field (0x0 in the reported case). > > Check the version of the request when mapping the EINJ parameter > structure in BIOS reserved memory. > > Fixes: 691a0f0a557b ("ACPI: APEI: EINJ: Discover EINJv2 parameters") > Reported-by: Lai, Yi1 <yi1.lai@intel.com> > Signed-off-by: Tony Luck <tony.luck@intel.com> > --- > drivers/acpi/apei/einj-core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c > index bf8dc92a373a..99f1b841fba9 100644 > --- a/drivers/acpi/apei/einj-core.c > +++ b/drivers/acpi/apei/einj-core.c > @@ -315,7 +315,7 @@ static void __iomem *einj_get_parameter_address(void) > memcpy_fromio(&v5param, p, v5param_size); > acpi5 = 1; > check_vendor_extension(pa_v5, &v5param); > - if (available_error_type & ACPI65_EINJV2_SUPP) { > + if (is_v2 && available_error_type & ACPI65_EINJV2_SUPP) { > len = v5param.einjv2_struct.length; > offset = offsetof(struct einjv2_extension_struct, component_arr); > max_nr_components = (len - offset) / Reviewed-by: Hanjun Guo <gouhanjun@huawei.com> Thanks Hanjun
On Mon, Aug 18, 2025 at 5:58 PM Hanjun Guo <guohanjun@huawei.com> wrote: > > On 2025/8/15 0:17, Tony Luck wrote: > > On an EINJV2 capable system, users may still use the old injection > > interface but einj_get_parameter_address() takes the EINJV2 path to map > > the parameter structure. This results in the address the user supplied > > being stored to the wrong location and the BIOS injecting based on an > > uninitialized field (0x0 in the reported case). > > > > Check the version of the request when mapping the EINJ parameter > > structure in BIOS reserved memory. > > > > Fixes: 691a0f0a557b ("ACPI: APEI: EINJ: Discover EINJv2 parameters") > > Reported-by: Lai, Yi1 <yi1.lai@intel.com> > > Signed-off-by: Tony Luck <tony.luck@intel.com> > > --- > > drivers/acpi/apei/einj-core.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c > > index bf8dc92a373a..99f1b841fba9 100644 > > --- a/drivers/acpi/apei/einj-core.c > > +++ b/drivers/acpi/apei/einj-core.c > > @@ -315,7 +315,7 @@ static void __iomem *einj_get_parameter_address(void) > > memcpy_fromio(&v5param, p, v5param_size); > > acpi5 = 1; > > check_vendor_extension(pa_v5, &v5param); > > - if (available_error_type & ACPI65_EINJV2_SUPP) { > > + if (is_v2 && available_error_type & ACPI65_EINJV2_SUPP) { > > len = v5param.einjv2_struct.length; > > offset = offsetof(struct einjv2_extension_struct, component_arr); > > max_nr_components = (len - offset) / > > Reviewed-by: Hanjun Guo <gouhanjun@huawei.com> Applied as 6.17-rc material, thanks!
On Thu, Aug 14, 2025 at 09:17:06AM -0700, Tony Luck wrote: > On an EINJV2 capable system, users may still use the old injection > interface but einj_get_parameter_address() takes the EINJV2 path to map > the parameter structure. This results in the address the user supplied > being stored to the wrong location and the BIOS injecting based on an > uninitialized field (0x0 in the reported case). > > Check the version of the request when mapping the EINJ parameter > structure in BIOS reserved memory. > > Fixes: 691a0f0a557b ("ACPI: APEI: EINJ: Discover EINJv2 parameters") > Reported-by: Lai, Yi1 <yi1.lai@intel.com> > Signed-off-by: Tony Luck <tony.luck@intel.com> Looks good to me. Reviewed-by: Zaid Alali <zaidal@os.amperecomputing.com> > --- > drivers/acpi/apei/einj-core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/acpi/apei/einj-core.c b/drivers/acpi/apei/einj-core.c > index bf8dc92a373a..99f1b841fba9 100644 > --- a/drivers/acpi/apei/einj-core.c > +++ b/drivers/acpi/apei/einj-core.c > @@ -315,7 +315,7 @@ static void __iomem *einj_get_parameter_address(void) > memcpy_fromio(&v5param, p, v5param_size); > acpi5 = 1; > check_vendor_extension(pa_v5, &v5param); > - if (available_error_type & ACPI65_EINJV2_SUPP) { > + if (is_v2 && available_error_type & ACPI65_EINJV2_SUPP) { > len = v5param.einjv2_struct.length; > offset = offsetof(struct einjv2_extension_struct, component_arr); > max_nr_components = (len - offset) / > -- > 2.50.1 >