[PATCH v1 0/2] ACPI: CPPC: acpi_cppc_processor_probe() fix and cleanup

[PATCH v1 0/2] ACPI: CPPC: acpi_cppc_processor_probe() fix and cleanup

[Rafael J. Wysocki]

Hi All,

This series of two patches addresses a possible out-of-bounds array access
in acpi_cppc_processor_probe() [1/2] and clean up some of it [2/2].

Please refer to the patch changelogs for details.

Thanks!

[PATCH v1 1/2] ACPI: CPPC: Avoid out of bounds access when parsing _CPC data

[Rafael J. Wysocki]

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

If the NumEntries field in the _CPC return package is less than 2, do
not attempt to access the "Revision" element of that package, because
it may not be present then.

Fixes: 337aadff8e45 ("ACPI: Introduce CPU performance controls using CPPC")
BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/acpi/cppc_acpi.c |    5 +++++
 1 file changed, 5 insertions(+)

Index: linux-pm/drivers/acpi/cppc_acpi.c
===================================================================
--- linux-pm.orig/drivers/acpi/cppc_acpi.c
+++ linux-pm/drivers/acpi/cppc_acpi.c
@@ -679,6 +679,11 @@ int acpi_cppc_processor_probe(struct acp
 	cpc_obj = &out_obj->package.elements[0];
 	if (cpc_obj->type == ACPI_TYPE_INTEGER)	{
 		num_ent = cpc_obj->integer.value;
+		if (num_ent <= 1) {
+			pr_debug("Unexpected _CPC NumEntries value (%d) for CPU:%d\n",
+				 num_ent, pr->id);
+			goto out_free;
+		}
 	} else {
 		pr_debug("Unexpected entry type(%d) for NumEntries\n",
 				cpc_obj->type);

[PATCH v1 2/2] ACPI: CPPC: Change default error code and clean up debug messages in probe

[Rafael J. Wysocki]

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

Change the default error code returned by acpi_cppc_processor_probe()
from -EFAULT (which is completely inadequate) to -ENODATA and change
the debug messages printed by it to contain more information and be
more consistent.

While at it, format some white space to follow the coding style.

Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/acpi/cppc_acpi.c |   27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

Index: linux-pm/drivers/acpi/cppc_acpi.c
===================================================================
--- linux-pm.orig/drivers/acpi/cppc_acpi.c
+++ linux-pm/drivers/acpi/cppc_acpi.c
@@ -654,7 +654,7 @@ int acpi_cppc_processor_probe(struct acp
 	unsigned int num_ent, i, cpc_rev;
 	int pcc_subspace_id = -1;
 	acpi_status status;
-	int ret = -EFAULT;
+	int ret = -ENODATA;
 
 	if (osc_sb_cppc_not_supported)
 		return -ENODEV;
@@ -685,8 +685,8 @@ int acpi_cppc_processor_probe(struct acp
 			goto out_free;
 		}
 	} else {
-		pr_debug("Unexpected entry type(%d) for NumEntries\n",
-				cpc_obj->type);
+		pr_debug("Unexpected _CPC NumEntries entry type (%d) for CPU:%d\n",
+			 cpc_obj->type, pr->id);
 		goto out_free;
 	}
 	cpc_ptr->num_entries = num_ent;
@@ -696,8 +696,8 @@ int acpi_cppc_processor_probe(struct acp
 	if (cpc_obj->type == ACPI_TYPE_INTEGER)	{
 		cpc_rev = cpc_obj->integer.value;
 	} else {
-		pr_debug("Unexpected entry type(%d) for Revision\n",
-				cpc_obj->type);
+		pr_debug("Unexpected _CPC Revision entry type (%d) for CPU:%d\n",
+			 cpc_obj->type, pr->id);
 		goto out_free;
 	}
 	cpc_ptr->version = cpc_rev;
@@ -728,7 +728,8 @@ int acpi_cppc_processor_probe(struct acp
 					if (pcc_data_alloc(pcc_subspace_id))
 						goto out_free;
 				} else if (pcc_subspace_id != gas_t->access_width) {
-					pr_debug("Mismatched PCC ids.\n");
+					pr_debug("Mismatched PCC ids in _CPC for CPU:%d\n",
+						 pr->id);
 					goto out_free;
 				}
 			} else if (gas_t->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) {
@@ -747,20 +748,21 @@ int acpi_cppc_processor_probe(struct acp
 					 * SystemIO doesn't implement 64-bit
 					 * registers.
 					 */
-					pr_debug("Invalid access width %d for SystemIO register\n",
-						gas_t->access_width);
+					pr_debug("Invalid access width %d for SystemIO register in _CPC\n",
+						 gas_t->access_width);
 					goto out_free;
 				}
 				if (gas_t->address & OVER_16BTS_MASK) {
 					/* SystemIO registers use 16-bit integer addresses */
-					pr_debug("Invalid IO port %llu for SystemIO register\n",
-						gas_t->address);
+					pr_debug("Invalid IO port %llu for SystemIO register in _CPC\n",
+						 gas_t->address);
 					goto out_free;
 				}
 			} else {
 				if (gas_t->space_id != ACPI_ADR_SPACE_FIXED_HARDWARE || !cpc_ffh_supported()) {
 					/* Support only PCC, SystemMemory, SystemIO, and FFH type regs. */
-					pr_debug("Unsupported register type: %d\n", gas_t->space_id);
+					pr_debug("Unsupported register type (%d) in _CPC\n",
+						 gas_t->space_id);
 					goto out_free;
 				}
 			}
@@ -768,7 +770,8 @@ int acpi_cppc_processor_probe(struct acp
 			cpc_ptr->cpc_regs[i-2].type = ACPI_TYPE_BUFFER;
 			memcpy(&cpc_ptr->cpc_regs[i-2].cpc_entry.reg, gas_t, sizeof(*gas_t));
 		} else {
-			pr_debug("Err in entry:%d in CPC table of CPU:%d\n", i, pr->id);
+			pr_debug("Invalid entry type (%d) in _CPC for CPU:%d\n",
+				 i, pr->id);
 			goto out_free;
 		}
 	}

Re: [PATCH v1 0/2] ACPI: CPPC: acpi_cppc_processor_probe() fix and cleanup

[Huang Rui]

On Tue, Mar 22, 2022 at 05:00:27PM +0100, Rafael J. Wysocki wrote:
> Hi All,
> 
> This series of two patches addresses a possible out-of-bounds array access
> in acpi_cppc_processor_probe() [1/2] and clean up some of it [2/2].
> 
> Please refer to the patch changelogs for details.
> 

Series are Reviewed-by: Huang Rui <ray.huang@amd.com>