Follow up. Panic still present on 6.8-current.
Original diff to prevent writing to an out of bounds bufferfield:
Index: dev/acpi/dsdt.c
===================================================================
RCS file: /cvs/src/sys/dev/acpi/dsdt.c,v
retrieving revision 1.256
diff -u -p -u -r1.256 dsdt.c
--- dev/acpi/dsdt.c 27 Sep 2020 16:46:15 -0000 1.256
+++ dev/acpi/dsdt.c 4 Nov 2020 02:03:07 -0000
@@ -2745,6 +2745,13 @@ aml_rwfield(struct aml_value *fld, int b
} else {
/* bufferfield:write */
val = aml_convert(val, AML_OBJTYPE_INTEGER, -1);
+ if (fld->v_field.bitpos + fld->v_field.bitlen >
+ ref1->length * 8) {
+ dnprintf(10, "out of bounds bufferfield write\n");
+ aml_delref(&val, "wrbuffld");
+ aml_unlockfield(NULL, fld);
+ return;
+ }
aml_bufcpy(ref1->v_buffer, fld->v_field.bitpos, &val->v_integer,
0, fld->v_field.bitlen);
aml_delref(&val, "wrbuffld");
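Review bot: The added guard covers only the bufferfield write branch; the matching `bufferfield:read` arm above this hunk (outside it) presumably performs the symmetric aml_bufcpy with the same AML-supplied bitpos/bitlen and needs the identical `bitpos + bitlen > length * 8` check, otherwise a read past `ref1->v_buffer` remains. If `bitpos`/`bitlen` in struct aml_value are signed, a negative value from malformed AML also passes this comparison, so `fld->v_field.bitpos < 0 || fld->v_field.bitlen < 0` belongs in the condition — confirm the field types. The ddb trace in this mail reaches memcpy directly from aml_store, not from aml_rwfield, which is consistent with the author's note that the panic persists: this guard does not sit on that path. A one-line comment on the new condition would record the intent, e.g. `/* malformed AML may declare a field wider than its backing buffer; refuse rather than overrun ref1->v_buffer */`. aml_rwfield's body begins and ends outside the hunk.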
On 7/13/20, James Hastings <[email protected]> wrote:
> revision 1.383
> date: 2020/05/08 11:18:01; author: kettenis; state: Exp; lines: +131 -1;
> commitid: Oz7hBmgl4UuNm4Yz;
> Move parsing of _CRS into acpi(4) and pass the parsed address and interrupt
> information in struct acpi_attach_args.
>
Before this commit, acpi(4) did not parse devices that were to be skipped.
Now they are parsed and this machine with a bug in the _CRS for "PNP0C01"
caught the page fault.
Push down acpi_parse_crs() to after the check for skipped _HIDs.
Index: dev/acpi/acpi.c
===================================================================
RCS file: /cvs/src/sys/dev/acpi/acpi.c,v
retrieving revision 1.391
diff -u -p -u -r1.391 acpi.c
--- dev/acpi/acpi.c 27 Aug 2020 01:08:55 -0000 1.391
+++ dev/acpi/acpi.c 4 Nov 2020 02:03:07 -0000
@@ -3316,7 +3316,6 @@ acpi_foundhid(struct aml_node *node, voi
aaa.aaa_node = node->parent;
aaa.aaa_dev = dev;
aaa.aaa_cdev = cdev;
- acpi_parse_crs(sc, &aaa);
#ifndef SMALL_KERNEL
if (!strcmp(cdev, ACPI_DEV_MOUSE)) {
@@ -3332,6 +3331,8 @@ acpi_foundhid(struct aml_node *node, voi
if (acpi_matchhids(&aaa, acpi_skip_hids, "none") ||
acpi_matchhids(&aaa, acpi_isa_hids, "none"))
return (0);
+
+ acpi_parse_crs(sc, &aaa);
if (!node->parent->attached) {
node->parent->attached = 1;
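Review bot: The `#ifndef SMALL_KERNEL` ACPI_DEV_MOUSE branch that the first hunk leaves in place now runs before `acpi_parse_crs(sc, &aaa);`, so if that branch reads any address or interrupt field of `aaa` it sees whatever `aaa` held before parsing — confirm that `aaa` is zeroed earlier in acpi_foundhid (outside both hunks) and that the mouse branch does not depend on parsed _CRS data. The ddb trace in this mail faults inside aml_evalnode called from acpi_foundhid, and the report says the panic persists, so deferring the call only helps if the faulting evaluation is the one acpi_parse_crs performs; a short comment on the new call would document why it sits after the skip check, e.g. `/* parse _CRS only for devices we will attach; skipped _HIDs may carry malformed resources */`. acpi_foundhid starts and ends outside these hunks.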
OpenBSD 6.8-current (GENERIC) #147: Sat Oct 31 18:07:36 MDT 2020
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2934833152 (2798MB)
avail mem = 2830757888 (2699MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf0000 (25 entries)
bios0: vendor Phoenix Technologies, LTD version "5.59" date 05/20/2010
bios0: Compaq-Presario BT473AA-ABA CQ5604F
acpi0 at bios0: ACPI 3.0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SLIC SSDT HPET MCFG APIC
acpi0: wakeup devices HUB0(S5) XVR0(S5) XVR1(S5) XVR2(S5) PS2M(S4) PS2K(S4)
USB0(S3) USB2(S3) AZAD(S5) MMAC(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 25000000 Hz
acpimcfg0 at acpi0
acpimcfg0: addr 0xf0000000, bus 0-63
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) II 170u Processor, 2009.40 MHz, 10-06-03
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,3DNOW2,3DNOW,LAHF,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,ITSC
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu0: AMD erratum 721 detected and fixed
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64, IBE
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
acpibtn0 at acpi0: PWRB
acpipci0 at acpi0 PCI0
acpicmos0 at acpi0
uvm_fault(0xffffffff82151058, 0xffff80000009f208, 0, 2) -> e
kernel: page fault trap, code=0
Stopped at memcpy+0x1f: repe movsb (%rsi),%es:(%rdi)
ddb> memcpy(ffff80000008e408,0,20,ffffffff82501510,1,ffff80000008e408) at
memcpy+0x1f
aml_store(ffff800000091708,ffff80000008e408,20000,0,6f7eb0da3725e28b,ffff800000091708)
at aml_store+0x2be
aml_parse(ffff800000091708,54,ffff800000091708,ffff800000091708,7a17f53ae1e9800e,ffff800000091708)
at aml_parse+0xfda
aml_eval(0,ffff800000076b88,74,0,0,0) at aml_eval+0x317
aml_evalnode(ffff800000076b2c,ffff800000076b08,0,0,ffffffff825017b8,ffff800000076b2c)
at aml_evalnode+0xb4
acpi_foundhid(ffff800000076988,ffff800000028400,3298694f4fc6e42c,ffffffff81018600,ffff800000028400,ffff800000076788)
at acpi_foundhid+0x151
aml_find_node(ffff800000076788,ffffffff81dd3937,ffffffff81018600,ffff800000028400,fc29eb669843164a,ffffffff81018600)
at aml_find_node+0x84
aml_find_node(ffff80000002ba88,ffffffff81dd3937,ffffffff81018600,ffff800000028400,fc29eb669843164a,ffffffff81018600)
at aml_find_node+0xd1
aml_find_node(ffffffff8219d1e0,ffffffff81dd3937,ffffffff81018600,ffff800000028400,fc29eb6698f0434c,ffffffff82501a80)
at aml_find_node+0xd1
acpi_attach_common(ffff800000028400,f74f0,39e49f639ab6f6bc,ffff80000002b200,ffffffff82501c48,ffffffff820aca50)
at acpi_attach_common+0x737
config_attach(ffff80000002b200,ffffffff820e2098,ffffffff82501c48,ffffffff8122cc00,64e0e1743d06b4dd,ffffffff82501c70)
at config_attach+0x1f4
bios_attach(ffff80000002b180,ffff80000002b200,ffffffff82501db8,ffff80000002b180,556571f657c63080,ffff80000002b180)
at bios_attach+0x6c9
config_attach(ffff80000002b180,ffffffff820dc8e0,ffffffff82501db8,ffffffff81cfd9b0,64e0e1743debdb72,ffffffff82501db8)
at config_attach+0x1f4
mainbus_attach(0,ffff80000002b180,0,0,553ec7217b725b60,0) at mainbus_attach+0x86
config_attach(0,ffffffff820dc8a8,0,0,64e0e1743d1fe4b7,0) at config_attach+0x1f4
cpu_configure(67f190fd10d4bf67,0,0,ffff80000002c000,ffffffff813be903,ffffffff82501f00)
at cpu_configure+0x33
main(0,0,0,0,0,1) at main+0x37f
end trace frame: 0x0, count: -17
ddb> rdi 0xffff80000009f208
rsi 0xffffffff82501528 end+0x101528
rbp 0xffffffff82501500 end+0x101500
rbx 0xffff800000092308
rdx 0x4
rcx 0x4
rax 0xffffffff82501510 end+0x101510
r8 0x10000 __ALIGN_SIZE+0xf000
r9 0x4
r10 0x19a78fe6dab26d5f
r11 0xffff80000009f208
r12 0
r13 0x20
r14 0xffff80000008e408
r15 0xffffffff82501510 end+0x101510
rip 0xffffffff815a63df memcpy+0x1f
cs 0x8
rflags 0x10202 __ALIGN_SIZE+0xf202
rsp 0xffffffff82501438 end+0x101438
ss 0x10
OpenBSD 6.8-current (GENERIC.MP) #14: Tue Nov 3 22:35:00 EST 2020
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2934833152 (2798MB)
avail mem = 2830647296 (2699MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf0000 (25 entries)
bios0: vendor Phoenix Technologies, LTD version "5.59" date 05/20/2010
bios0: Compaq-Presario BT473AA-ABA CQ5604F
acpi0 at bios0: ACPI 3.0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SLIC SSDT HPET MCFG APIC
acpi0: wakeup devices HUB0(S5) XVR0(S5) XVR1(S5) XVR2(S5) PS2M(S4) PS2K(S4)
USB0(S3) USB2(S3) AZAD(S5) MMAC(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 25000000 Hz
acpimcfg0 at acpi0
acpimcfg0: addr 0xf0000000, bus 0-63
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) II 170u Processor, 2009.44 MHz, 10-06-03
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,3DNOW2,3DNOW,LAHF,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,ITSC
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully associative
cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully associative
cpu0: AMD erratum 721 detected and fixed
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64, IBE
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
acpibtn0 at acpi0: PWRB
acpipci0 at acpi0 PCI0
acpicmos0 at acpi0
"PNP0C0B" at acpi0 not configured
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpitz0 at acpi0: critical temperature is 75 degC
cpu0: 2009 MHz: speeds: 2000 1500 800 MHz
pci0 at mainbus0 bus 0
"NVIDIA MCP61 Memory" rev 0xa1 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 "NVIDIA MCP61 ISA" rev 0xa2
nviic0 at pci0 dev 1 function 1 "NVIDIA MCP61 SMBus" rev 0xa2
iic0 at nviic0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-6400CL6
spdmem1 at iic0 addr 0x51: 2GB DDR2 SDRAM non-parity PC2-6400CL6
iic1 at nviic0
"NVIDIA MCP61 Memory" rev 0xa2 at pci0 dev 1 function 2 not configured
ohci0 at pci0 dev 2 function 0 "NVIDIA MCP61 USB" rev 0xa3: apic 4 int 10,
version 1.0, legacy support
ehci0 at pci0 dev 2 function 1 "NVIDIA MCP61 USB" rev 0xa3: apic 4 int 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "NVIDIA EHCI root hub" rev 2.00/1.00
addr 1
ppb0 at pci0 dev 4 function 0 "NVIDIA MCP61" rev 0xa1
pci1 at ppb0 bus 1
azalia0 at pci0 dev 5 function 0 "NVIDIA MCP61 HD Audio" rev 0xa2: apic 4 int 10
azalia0: codecs: Realtek ALC888
audio0 at azalia0
nfe0 at pci0 dev 7 function 0 "NVIDIA MCP61 LAN" rev 0xa2: apic 4 int 5, address
rlphy0 at nfe0 phy 1: RTL8201L 10/100 PHY, rev. 1
pciide0 at pci0 dev 8 function 0 "NVIDIA MCP61 SATA" rev 0xa2: DMA
pciide0: using apic 4 int 10 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: <ST3500418AS>
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide0 channel 1 drive 0: <ST3320620AS>
wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 6
pciide1 at pci0 dev 8 function 1 "NVIDIA MCP61 SATA" rev 0xa2: DMA
pciide1: using apic 4 int 11 for native-PCI interrupt
ppb1 at pci0 dev 9 function 0 "NVIDIA MCP61 PCIE" rev 0xa2
pci2 at ppb1 bus 2
ppb2 at pci0 dev 11 function 0 "NVIDIA MCP61 PCIE" rev 0xa2
pci3 at ppb2 bus 3
ppb3 at pci0 dev 12 function 0 "NVIDIA MCP61 PCIE" rev 0xa2
pci4 at ppb3 bus 4
ral0 at pci4 dev 0 function 0 "Ralink RT5390" rev 0x00: apic 4 int 7, address
ral0: MAC/BBP RT5390 (rev 0x0502), RF RT5390 (MIMO 1T1R)
vga1 at pci0 dev 13 function 0 "NVIDIA GeForce 6100 nForce 430" rev 0xa2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pchb0 at pci0 dev 24 function 0 "AMD 10h HyperTransport" rev 0x00
pchb1 at pci0 dev 24 function 1 "AMD 10h Address Map" rev 0x00
pchb2 at pci0 dev 24 function 2 "AMD 10h DRAM Cfg" rev 0x00
km0 at pci0 dev 24 function 3 "AMD 10h Misc Cfg" rev 0x00
pchb3 at pci0 dev 24 function 4 "AMD 10h Link Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "NVIDIA OHCI root hub" rev 1.00/1.00
addr 1
vmm0 at mainbus0: SVM/RVI
acpitz0: _AL0[0] _PR0 failed
umass0 at uhub0 port 2 configuration 1 interface 0 "SanDisk Cruzer Glide" rev
2.00/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets, initiator 0
sd0 at scsibus1 targ 1 lun 0: <SanDisk, Cruzer Glide, 1.00> removable
sd0: 29340MB, 512 bytes/sector, 60088320 sectors
umass1 at uhub0 port 8 configuration 1 interface 0 "Generic Mass Storage
Device" rev 2.00/1.00 addr 3
umass1: using SCSI over Bulk-Only
scsibus2 at umass1: 2 targets, initiator 0
sd1 at scsibus2 targ 1 lun 0: <Multi, Flash Reader, 1.00> removable
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on wd0a (88dc47c0cf69c93b.a) swap on wd0b dump on wd0b