On Fri, Apr 04, 2025 at 09:56:05AM -0500, Ira Weiny wrote:
> Zaid Alali wrote:
> > Enable the driver to inject EINJv2 type errors. The component
> > array values are parsed from user_input and expected to contain
> > hex values for component id and syndrome separated by space,
> > and multiple components are separated by new line as follows:
> >
> > component_id1 component_syndrome1
> > component_id2 component_syndrome2
> > :
> > component_id(n) component_syndrome(n)
> >
> > for example:
> >
> > $comp_arr="0x1 0x2
> > >0x1 0x4
> > >0x2 0x4"
> > $cd /sys/kernel/debug/apei/einj/
> > $echo "$comp_arr" > einjv2_component_array
> >
> > Signed-off-by: Zaid Alali <zaidal@xxxxxxxxxxxxxxxxxxxxxx>
> > ---
>
> [snip]
>
> > @@ -483,10 +513,10 @@ static int __einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
> > return rc;
> > apei_exec_ctx_set_input(&ctx, type);
> > if (acpi5) {
> > - struct set_error_type_with_address *v5param, v5_struct;
> > + struct set_error_type_with_address *v5param;
> >
> > - v5param = &v5_struct;
> > - memcpy_fromio(v5param, einj_param, sizeof(*v5param));
> > + v5param = kmalloc(v5param_size, GFP_KERNEL);
> > + memcpy_fromio(v5param, einj_param, v5param_size);
> > v5param->type = type;
> > if (type & ACPI5_VENDOR_BIT) {
> > switch (vendor_flags) {
> > @@ -506,8 +536,50 @@ static int __einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
> > v5param->flags = flags;
> > v5param->memory_address = param1;
> > v5param->memory_address_range = param2;
> > - v5param->apicid = param3;
> > - v5param->pcie_sbdf = param4;
> > +
> > + if (is_V2) {
> > + int count = 0, bytes_read, pos = 0, nr_parsed = 0, str_len;
> > + unsigned int comp, synd;
> > + struct syndrome_array *component_arr;
> > +
> > + component_arr = v5param->einjv2_struct.component_arr;
> > + str_len = strlen(user_input);
> > +
> > + while ((nr_parsed = sscanf(user_input + pos, "%x %x\n%n", &comp,
> > + &synd, &bytes_read))) {
> > + pos += bytes_read;
> > +
> > + if (nr_parsed != 2)
> > + goto err_out;
> > + if (count >= nr_components)
> > + goto err_out;
>
> It is hard to tell but I think these err_out's skip the kfree?
>
> Regardless it is better to use the cleanup functions[1] on that kmalloc and let
> the destructors clean up for you.
>
> Ira
>
> [1] include/linux/cleanup.h
Good catch! I will fix this in the next revision.
Zaid
>
> > +
> > + switch (type) {
> > + case EINJV2_PROCESSOR_ERROR:
> > + component_arr[count].comp_id.acpi_id = comp;
> > + component_arr[count].comp_synd.proc_synd = synd;
> > + break;
> > + case EINJV2_MEMORY_ERROR:
> > + component_arr[count].comp_id.device_id = comp;
> > + component_arr[count].comp_synd.mem_synd = synd;
> > + break;
> > + case EINJV2_PCIE_ERROR:
> > + component_arr[count].comp_id.pcie_sbdf = comp;
> > + component_arr[count].comp_synd.pcie_synd = synd;
> > + break;
> > + }
> > + count++;
> > + if (pos >= str_len)
> > + break;
> > + }
> > + v5param->einjv2_struct.component_arr_count = count;
> > +
> > + /* clear buffer after user input for next injection */
> > + memset(user_input, 0, COMP_ARR_SIZE);
> > + } else {
> > + v5param->apicid = param3;
> > + v5param->pcie_sbdf = param4;
> > + }
> > } else {
> > switch (type) {
> > case ACPI_EINJ_PROCESSOR_CORRECTABLE:
> > @@ -531,7 +603,8 @@ static int __einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
> > break;
> > }
> > }
> > - memcpy_toio(einj_param, v5param, sizeof(*v5param));
> > + memcpy_toio(einj_param, v5param, v5param_size);
> > + kfree(v5param);
> > } else {
> > rc = apei_exec_run(&ctx, ACPI_EINJ_SET_ERROR_TYPE);
> > if (rc)
> > @@ -583,6 +656,9 @@ static int __einj_error_inject(u32 type, u32 flags, u64 param1, u64 param2,
> > rc = apei_exec_run_optional(&ctx, ACPI_EINJ_END_OPERATION);
> >
> > return rc;
> > +err_out:
> > + memset(user_input, 0, COMP_ARR_SIZE);
> > + return -EINVAL;
> > }
> >
>
> [snip]
