* [PATCH 0/2] powercap: dtpm: Fix out-of-bounds read in the set_pd_power_limit() callbacks
@ 2026-06-12 6:25 Elazar Leibovich
2026-06-12 6:25 ` [PATCH 1/2] powercap: dtpm_cpu: Fix out-of-bounds read in set_pd_power_limit() Elazar Leibovich
2026-06-12 6:25 ` [PATCH 2/2] powercap: dtpm_devfreq: " Elazar Leibovich
0 siblings, 2 replies; 3+ messages in thread
From: Elazar Leibovich @ 2026-06-12 6:25 UTC (permalink / raw)
To: linux-pm
Cc: Rafael J . Wysocki, Daniel Lezcano, Lukasz Luba, linux-kernel,
Elazar Leibovich
The set_pd_power_limit() callbacks in dtpm_cpu and dtpm_devfreq scan
the EM perf state table for the first state whose power exceeds the
requested limit, then use table[i - 1]. If the very first perf state
already exceeds the limit, the loop breaks at i == 0 and table[-1] is
read out of bounds.

The powercap core clamps the requested limit to dtpm->power_min, but
that clamp can be computed from stale data: in dtpm_cpu the number of
online CPUs may have grown since power_min was last updated, and in
dtpm_devfreq the EM table may have been updated at runtime via
em_dev_update_perf_domain(). In both cases the clamped limit can still
be below the first state's power, making the underflow reachable.

Start the scan at index 1 so the lowest perf state is used as the
fallback when even it exceeds the requested limit.

No functional dependency, but minor context offsets assume the dtpm
NULL-guard series posted earlier [1].

[1] https://lore.kernel.org/linux-pm/20260611204658.47987-1-elazarl@gmail.com/
Sivan Zohar-Kotzer (2):
powercap: dtpm_cpu: Fix out-of-bounds read in set_pd_power_limit()
powercap: dtpm_devfreq: Fix out-of-bounds read in set_pd_power_limit()
drivers/powercap/dtpm_cpu.c | 2 +-
drivers/powercap/dtpm_devfreq.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
2.50.1 (Apple Git-155)
* [PATCH 1/2] powercap: dtpm_cpu: Fix out-of-bounds read in set_pd_power_limit()
From: Elazar Leibovich @ 2026-06-12 6:25 UTC (permalink / raw)
To: linux-pm
Cc: Rafael J . Wysocki, Daniel Lezcano, Lukasz Luba, linux-kernel,
Sivan Zohar-Kotzer, Elazar Leibovich
From: Sivan Zohar-Kotzer <sivany32@gmail.com>
The loop in set_pd_power_limit() looks for the first perf state whose
power exceeds the requested limit, then uses table[i - 1]. If the very
first perf state already exceeds the limit, the loop breaks at i == 0
and table[-1] is read out of bounds.

The powercap core clamps the requested limit to dtpm->power_min, but
power_min was computed by update_pd_power_uw() with the number of
online CPUs at that time. If CPUs have come online since the last
update, the clamped limit can still be below table[0].power * nr_cpus,
making the underflow reachable.

Start the scan at index 1 so the lowest perf state is used as the
fallback when even it exceeds the requested limit.
Fixes: 0e8f68d7f048 ("powercap/drivers/dtpm: Add CPU energy model based support")
Signed-off-by: Sivan Zohar-Kotzer <sivany32@gmail.com>
Co-developed-by: Elazar Leibovich <elazarl@gmail.com>
Signed-off-by: Elazar Leibovich <elazarl@gmail.com>
---
drivers/powercap/dtpm_cpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/powercap/dtpm_cpu.c b/drivers/powercap/dtpm_cpu.c
index 0a460f97bf15..5e06909ae4fc 100644
--- a/drivers/powercap/dtpm_cpu.c
+++ b/drivers/powercap/dtpm_cpu.c
@@ -54,7 +54,7 @@ static u64 set_pd_power_limit(struct dtpm *dtpm, u64 power_limit)
rcu_read_lock();
table = em_perf_state_from_pd(pd);
- for (i = 0; i < pd->nr_perf_states; i++) {
+ for (i = 1; i < pd->nr_perf_states; i++) {
power = table[i].power * nr_cpus;
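Review bot: the new loop header `for (i = 1; i < pd->nr_perf_states; i++)` needs a comment explaining why index 0 is skipped, because on its own it reads as an off-by-one and the reason (the table[i - 1] use after the loop, per the commit message) sits outside this hunk. A line such as `/* table[0] is the fallback: start at 1 so i - 1 cannot underflow */` above the loop would keep a later cleanup from restoring `i = 0`. It is also worth confirming that pd->nr_perf_states can never be 0 here, since in that case the loop body is skipped with i == 1 and table[i - 1] still reads table[0].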
--
2.50.1 (Apple Git-155)
* [PATCH 2/2] powercap: dtpm_devfreq: Fix out-of-bounds read in set_pd_power_limit()
From: Elazar Leibovich @ 2026-06-12 6:25 UTC (permalink / raw)
To: linux-pm
Cc: Rafael J . Wysocki, Daniel Lezcano, Lukasz Luba, linux-kernel,
Sivan Zohar-Kotzer, Elazar Leibovich
From: Sivan Zohar-Kotzer <sivany32@gmail.com>
The loop in set_pd_power_limit() looks for the first perf state whose
power exceeds the requested limit, then uses table[i - 1]. If the very
first perf state already exceeds the limit, the loop breaks at i == 0
and table[-1] is read out of bounds.

The powercap core clamps the requested limit to dtpm->power_min, but
power_min is only captured by update_pd_power_uw() at setup time. If
the energy model table is updated at runtime via
em_dev_update_perf_domain() and the power of the lowest perf state
grows past the stale power_min, the clamped limit can still be below
table[0].power, making the underflow reachable.

Start the scan at index 1 so the lowest perf state is used as the
fallback when even it exceeds the requested limit.
Fixes: e44655617317 ("powercap/drivers/dtpm: Add dtpm devfreq with energy model support")
Signed-off-by: Sivan Zohar-Kotzer <sivany32@gmail.com>
Co-developed-by: Elazar Leibovich <elazarl@gmail.com>
Signed-off-by: Elazar Leibovich <elazarl@gmail.com>
---
drivers/powercap/dtpm_devfreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/powercap/dtpm_devfreq.c b/drivers/powercap/dtpm_devfreq.c
index cf16e2756481..1afaae234c01 100644
--- a/drivers/powercap/dtpm_devfreq.c
+++ b/drivers/powercap/dtpm_devfreq.c
@@ -68,7 +68,7 @@ static u64 set_pd_power_limit(struct dtpm *dtpm, u64 power_limit)
rcu_read_lock();
table = em_perf_state_from_pd(pd);
- for (i = 0; i < pd->nr_perf_states; i++) {
+ for (i = 1; i < pd->nr_perf_states; i++) {
if (table[i].power > power_limit)
break;
}
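Review bot: with the scan starting at `for (i = 1; ...)`, table[0].power is never compared against power_limit in the `if (table[i].power > power_limit)` test, so when the lowest state is already above the limit the function silently selects table[0] and the applied power is higher than what was requested. The commit message traces this to power_min going stale after em_dev_update_perf_domain(); the change guards the index but leaves power_min stale, so consider refreshing power_min when the EM table is updated, or at least add a comment at the loop saying the limit is best-effort in that case.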
--
2.50.1 (Apple Git-155)