The size of the pm_signal_local array should be equal to the
number of SPUs being configured in the array. Currently, the
array is of size 4 (NR_PHYS_CTRS) but is indexed by a for
loop from 0 to 7 (NUM_SPUS_PER_NODE). This could potentially
cause an oops or random memory corruption since the pm_signal_local
array is on the stack. This fixes it.
Signed-off-by: Carl Love <carll@us.ibm.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
+ if (unlikely(num_ctrs > NR_PHYS_CTRS)) {
+ printk(KERN_ERR
+ "%s: Oprofile, number of specified events " \
+ "exceeds number of physical counters\n",
+ __func__);
+ return -EIO;
+ }
pm_regs.group_control = 0;
pm_regs.debug_bus_control = 0;
pm_regs.group_control = 0;
pm_regs.debug_bus_control = 0;
static int pm_rtas_activate_spu_profiling(u32 node)
{
int ret, i;
static int pm_rtas_activate_spu_profiling(u32 node)
{
int ret, i;
- struct pm_signal pm_signal_local[NR_PHYS_CTRS];
+ struct pm_signal pm_signal_local[NUM_SPUS_PER_NODE];
/*
* Set up the rtas call to configure the debug bus to
* route the SPU PCs. Setup the pm_signal for each SPU
*/
/*
* Set up the rtas call to configure the debug bus to
* route the SPU PCs. Setup the pm_signal for each SPU
*/
- for (i = 0; i < NUM_SPUS_PER_NODE; i++) {
+ for (i = 0; i < ARRAY_SIZE(pm_signal_local); i++) {
pm_signal_local[i].cpu = node;
pm_signal_local[i].signal_group = 41;
/* spu i on word (i/2) */
pm_signal_local[i].cpu = node;
pm_signal_local[i].signal_group = 41;
/* spu i on word (i/2) */
ret = rtas_ibm_cbe_perftools(SUBFUNC_ACTIVATE,
PASSTHRU_ENABLE, pm_signal_local,
ret = rtas_ibm_cbe_perftools(SUBFUNC_ACTIVATE,
PASSTHRU_ENABLE, pm_signal_local,
+ (ARRAY_SIZE(pm_signal_local)
* sizeof(struct pm_signal)));
if (unlikely(ret)) {
* sizeof(struct pm_signal)));
if (unlikely(ret)) {
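Review bot: The new `num_ctrs > NR_PHYS_CTRS` guard in the first hunk returns `-EIO` for what is an out-of-range argument; `return -EINVAL;` is the conventional code and would let callers tell a bad event count from a failed firmware or hardware operation. The trailing backslash after the first string literal in the `printk` is not needed, since adjacent literals are concatenated without it. The function containing the guard starts and ends outside the hunk, so it cannot be confirmed from here that `num_ctrs` is not used to index an `NR_PHYS_CTRS`-sized array before the check runs; the guard should sit ahead of the first such use.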