The acpi_pcc_probe() could end up accessing memory outside of the PCCT table space which might cause the kernel panic(). Increment the pcct_entry pointer after parsing 'HW-reduced Communications Subspace' to fix the problem. This change also enables the parsing of subtable at index 0.

Signed-off-by: Shanker Donthineni shankerd@codeaurora.org Acked-by: Ashwin Chaugule ashwin.chaugule@linaro.org --- Changes since v1: Edit commit message.

drivers/mailbox/pcc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c index 0ddf638..043828d 100644 --- a/drivers/mailbox/pcc.c +++ b/drivers/mailbox/pcc.c @@ -361,8 +361,6 @@ static int __init acpi_pcc_probe(void) struct acpi_generic_address *db_reg; struct acpi_pcct_hw_reduced *pcct_ss; pcc_mbox_channels[i].con_priv = pcct_entry; - pcct_entry = (struct acpi_subtable_header *) - ((unsigned long) pcct_entry + pcct_entry->length);

/* If doorbell is in system memory cache the virt address */ pcct_ss = (struct acpi_pcct_hw_reduced *)pcct_entry; @@ -370,6 +368,8 @@ static int __init acpi_pcc_probe(void) if (db_reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) pcc_doorbell_vaddr[i] = acpi_os_ioremap(db_reg->address, db_reg->bit_width/8); + pcct_entry = (struct acpi_subtable_header *) + ((unsigned long) pcct_entry + pcct_entry->length); }

pcc_mbox_ctrl.num_chans = count;