Patch "platform/x86: intel_pmc_core: fix out-of-bounds accesses on stack" has been added to the 4.10-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    platform/x86: intel_pmc_core: fix out-of-bounds accesses on stack

to the 4.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     platform-x86-intel_pmc_core-fix-out-of-bounds-accesses-on-stack.patch
and it can be found in the queue-4.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 4f24ecff0153047a4a8b53c31d8001ee79e1cab7 Mon Sep 17 00:00:00 2001
From: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date: Thu, 26 Jan 2017 17:27:23 +0300
Subject: platform/x86: intel_pmc_core: fix out-of-bounds accesses on stack

From: Andrey Ryabinin <aryabinin@virtuozzo.com>

commit 4f24ecff0153047a4a8b53c31d8001ee79e1cab7 upstream.

pmc_core_mtpmc_link_status() an pmc_core_check_read_lock_bit() use
test_bit() on local 32-bit variable. This causes out-of-bounds
access since test_bit() expects object at least of 'unsigned long' size:

   BUG: KASAN: stack-out-of-bounds in pmc_core_probe+0x3aa/0x3b0
    Call Trace:
     __asan_report_load_n_noabort+0x5c/0x80
     pmc_core_probe+0x3aa/0x3b0
     local_pci_probe+0xf9/0x1e0
     pci_device_probe+0x27b/0x350
     driver_probe_device+0x419/0x830
     __driver_attach+0x15f/0x1d0
     bus_for_each_dev+0x129/0x1d0
     driver_attach+0x42/0x70
     bus_add_driver+0x385/0x690
     driver_register+0x1a9/0x3d0
     __pci_register_driver+0x1a2/0x290
     intel_pmc_core_driver_init+0x19/0x1b
     do_one_initcall+0x12e/0x280
     kernel_init_freeable+0x57c/0x623
     kernel_init+0x13/0x140
     ret_from_fork+0x2e/0x40

Fix this by open coding bit test. While at it, also refactor this code
a little bit.

Fixes: 173943b3dae5 ("platform/x86: intel_pmc_core: ModPhy core lanes pg status")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
[andy: reverted not related changes, used BIT() macro]
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/platform/x86/intel_pmc_core.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/platform/x86/intel_pmc_core.c
+++ b/drivers/platform/x86/intel_pmc_core.c
@@ -188,8 +188,7 @@ static int pmc_core_check_read_lock_bit(
 	u32 value;
 
 	value = pmc_core_reg_read(pmcdev, SPT_PMC_PM_CFG_OFFSET);
-	return test_bit(SPT_PMC_READ_DISABLE_BIT,
-			(unsigned long *)&value);
+	return value & BIT(SPT_PMC_READ_DISABLE_BIT);
 }
 
 #if IS_ENABLED(CONFIG_DEBUG_FS)
@@ -238,8 +237,7 @@ static int pmc_core_mtpmc_link_status(vo
 	u32 value;
 
 	value = pmc_core_reg_read(pmcdev, SPT_PMC_PM_STS_OFFSET);
-	return test_bit(SPT_PMC_MSG_FULL_STS_BIT,
-			(unsigned long *)&value);
+	return value & BIT(SPT_PMC_MSG_FULL_STS_BIT);
 }
 
 static int pmc_core_send_msg(u32 *addr_xram)


Patches currently in stable-queue which might be from aryabinin@virtuozzo.com are

queue-4.10/platform-x86-intel_pmc_core-fix-out-of-bounds-accesses-on-stack.patch