io_apic: Don't route to APIC ID > 255

I/O APIC Redirection Table Entries use 8 bits to encode the Destination
ID.  Attempting to route an IRQ to a higher APIC ID would result in it
being silently routed to the value reduced modulo 256, causing a panic
if the IRQ fired since the receiving CPU would not expect that IRQ.

Instead, print a warning and mark the interrupt as invalid, resulting
in it being forcibly masked.

Reviewed by:	kib
Tested on:	EC2 r8i.96xlarge
MFC after:	3 weeks
Sponsored by:	Amazon
Differential Revision:	https://reviews.freebsd.org/D55857

1 files changed, 13 insertions, 3 deletions

diff --git a/sys/x86/x86/io_apic.c b/sys/x86/x86/io_apic.c
index 03d85acabb1a..5d28b7e8c611 100644
--- a/sys/x86/x86/io_apic.c
+++ b/sys/x86/x86/io_apic.c
@@ -364,10 +364,20 @@ ioapic_program_intpin(struct ioapic_intsrc *intpin)
 	/*
 	 * Set the destination.  Note that with Intel interrupt remapping,
 	 * the previously reserved bits 55:48 now have a purpose so ensure
-	 * these are zero.
+	 * these are zero.  If the CPU number (in fact, APIC ID) is too
+	 * large, mark the interrupt as invalid, and target CPU #0.
 	 */
-	low = IOART_DESTPHY;
-	high = intpin->io_cpu << APIC_ID_SHIFT;
+	if (intpin->io_cpu <= IOAPIC_MAX_ID) {
+		low = IOART_DESTPHY;
+		high = intpin->io_cpu << APIC_ID_SHIFT;
+		intpin->io_valid = 1;
+	} else {
+		printf("%s: unsupported destination APIC ID %u for pin %u\n",
+		    __func__, intpin->io_cpu, intpin->io_intpin);
+		low = IOART_DESTPHY;
+		high = 0 << APIC_ID_SHIFT;
+		intpin->io_valid = 0;
+	}
 
 	/* Program the rest of the low word. */
 	if (intpin->io_edgetrigger)