On 3/9/21 7:11 PM, Greg Kurz wrote:
> All these commands end up peeking into the PACA using the user originated
> cpu id as an index. Check the cpu id is valid in order to prevent xmon to
> crash. Instead of printing an error, this follows the same behavior as the
> "lp s #" command : ignore the buggy cpu id parameter and fall back to the
> #-less version of the command.
>
> Signed-off-by: Greg Kurz <gr...@kaod.org>
Reviewed-by: Cédric Le Goater <c...@kaod.org>
> ---
> arch/powerpc/xmon/xmon.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
> index 80fbf8968f77..d3d6e044228e 100644
> --- a/arch/powerpc/xmon/xmon.c
> +++ b/arch/powerpc/xmon/xmon.c
> @@ -1248,7 +1248,7 @@ static int cpu_cmd(void)
> unsigned long cpu, first_cpu, last_cpu;
> int timeout;
>
> - if (!scanhex(&cpu)) {
> + if (!scanhex(&cpu) || cpu >= num_possible_cpus()) {
> /* print cpus waiting or in xmon */
> printf("cpus stopped:");
> last_cpu = first_cpu = NR_CPUS;
> @@ -2678,7 +2678,7 @@ static void dump_pacas(void)
>
> termch = c; /* Put c back, it wasn't 'a' */
>
> - if (scanhex(&num))
> + if (scanhex(&num) && num < num_possible_cpus())
> dump_one_paca(num);
> else
> dump_one_paca(xmon_owner);
> @@ -2751,7 +2751,7 @@ static void dump_xives(void)
>
> termch = c; /* Put c back, it wasn't 'a' */
>
> - if (scanhex(&num))
> + if (scanhex(&num) && num < num_possible_cpus())
> dump_one_xive(num);
> else
> dump_one_xive(xmon_owner);
>
>
