From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "David E. Box" <david.e.box@linux.intel.com>,
Evgeny Novikov <novikov@ispras.ru>,
Andy Shevchenko <andy.shevchenko@gmail.com>,
Hans de Goede <hdegoede@redhat.com>,
Sasha Levin <sashal@kernel.org>,
platform-driver-x86@vger.kernel.org
Subject: [PATCH AUTOSEL 5.13 42/88] platform/x86: intel_pmc_core: Prevent possibile overflow
Date: Thu, 9 Sep 2021 20:17:34 -0400 [thread overview]
Message-ID: <20210910001820.174272-42-sashal@kernel.org> (raw)
In-Reply-To: <20210910001820.174272-1-sashal@kernel.org>
From: "David E. Box" <david.e.box@linux.intel.com>
[ Upstream commit 45b6f75eab6aabf9d88933830f41f532d39f38d2 ]
Substate priority levels are encoded in 4 bits in the LPM_PRI register.
This value was used as an index to an array whose element size was less
than 16, leading to the possibility of overflow should we read a larger
than expected priority. In addition to the overflow, bad values could lead
to incorrect state reporting. So rework the priority code to prevent the
overflow and perform some validation of the register. Use the priority
register values if they give an ordering of unique numbers between 0 and
the maximum number of states. Otherwise, use a default ordering instead.
Reported-by: Evgeny Novikov <novikov@ispras.ru>
Signed-off-by: David E. Box <david.e.box@linux.intel.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20210814014728.520856-1-david.e.box@linux.intel.com
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel_pmc_core.c | 65 +++++++++++++++++++++------
drivers/platform/x86/intel_pmc_core.h | 2 +
2 files changed, 53 insertions(+), 14 deletions(-)
diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c
index b0e486a6bdfb..ae410a358ffe 100644
--- a/drivers/platform/x86/intel_pmc_core.c
+++ b/drivers/platform/x86/intel_pmc_core.c
@@ -1449,9 +1449,42 @@ static int pmc_core_pkgc_show(struct seq_file *s, void *unused)
}
DEFINE_SHOW_ATTRIBUTE(pmc_core_pkgc);
-static void pmc_core_get_low_power_modes(struct pmc_dev *pmcdev)
+static bool pmc_core_pri_verify(u32 lpm_pri, u8 *mode_order)
{
- u8 lpm_priority[LPM_MAX_NUM_MODES];
+ int i, j;
+
+ if (!lpm_pri)
+ return false;
+ /*
+ * Each byte contains the priority level for 2 modes (7:4 and 3:0).
+ * In a 32 bit register this allows for describing 8 modes. Store the
+ * levels and look for values out of range.
+ */
+ for (i = 0; i < 8; i++) {
+ int level = lpm_pri & GENMASK(3, 0);
+
+ if (level >= LPM_MAX_NUM_MODES)
+ return false;
+
+ mode_order[i] = level;
+ lpm_pri >>= 4;
+ }
+
+ /* Check that we have unique values */
+ for (i = 0; i < LPM_MAX_NUM_MODES - 1; i++)
+ for (j = i + 1; j < LPM_MAX_NUM_MODES; j++)
+ if (mode_order[i] == mode_order[j])
+ return false;
+
+ return true;
+}
+
+static void pmc_core_get_low_power_modes(struct platform_device *pdev)
+{
+ struct pmc_dev *pmcdev = platform_get_drvdata(pdev);
+ u8 pri_order[LPM_MAX_NUM_MODES] = LPM_DEFAULT_PRI;
+ u8 mode_order[LPM_MAX_NUM_MODES];
+ u32 lpm_pri;
u32 lpm_en;
int mode, i, p;
@@ -1462,24 +1495,28 @@ static void pmc_core_get_low_power_modes(struct pmc_dev *pmcdev)
lpm_en = pmc_core_reg_read(pmcdev, pmcdev->map->lpm_en_offset);
pmcdev->num_lpm_modes = hweight32(lpm_en);
- /* Each byte contains information for 2 modes (7:4 and 3:0) */
- for (mode = 0; mode < LPM_MAX_NUM_MODES; mode += 2) {
- u8 priority = pmc_core_reg_read_byte(pmcdev,
- pmcdev->map->lpm_priority_offset + (mode / 2));
- int pri0 = GENMASK(3, 0) & priority;
- int pri1 = (GENMASK(7, 4) & priority) >> 4;
+ /* Read 32 bit LPM_PRI register */
+ lpm_pri = pmc_core_reg_read(pmcdev, pmcdev->map->lpm_priority_offset);
- lpm_priority[pri0] = mode;
- lpm_priority[pri1] = mode + 1;
- }
/*
- * Loop though all modes from lowest to highest priority,
+ * If lpm_pri value passes verification, then override the default
+ * modes here. Otherwise stick with the default.
+ */
+ if (pmc_core_pri_verify(lpm_pri, mode_order))
+ /* Get list of modes in priority order */
+ for (mode = 0; mode < LPM_MAX_NUM_MODES; mode++)
+ pri_order[mode_order[mode]] = mode;
+ else
+ dev_warn(&pdev->dev, "Assuming a default substate order for this platform\n");
+
+ /*
+ * Loop through all modes from lowest to highest priority,
* and capture all enabled modes in order
*/
i = 0;
for (p = LPM_MAX_NUM_MODES - 1; p >= 0; p--) {
- int mode = lpm_priority[p];
+ int mode = pri_order[p];
if (!(BIT(mode) & lpm_en))
continue;
@@ -1675,7 +1712,7 @@ static int pmc_core_probe(struct platform_device *pdev)
mutex_init(&pmcdev->lock);
pmcdev->pmc_xram_read_bit = pmc_core_check_read_lock_bit(pmcdev);
- pmc_core_get_low_power_modes(pmcdev);
+ pmc_core_get_low_power_modes(pdev);
pmc_core_do_dmi_quirks(pmcdev);
if (pmcdev->map == &tgl_reg_map)
diff --git a/drivers/platform/x86/intel_pmc_core.h b/drivers/platform/x86/intel_pmc_core.h
index e8dae9c6c45f..b9bf3d3d6f7a 100644
--- a/drivers/platform/x86/intel_pmc_core.h
+++ b/drivers/platform/x86/intel_pmc_core.h
@@ -188,6 +188,8 @@ enum ppfear_regs {
#define ICL_PMC_SLP_S0_RES_COUNTER_STEP 0x64
#define LPM_MAX_NUM_MODES 8
+#define LPM_DEFAULT_PRI { 7, 6, 2, 5, 4, 1, 3, 0 }
+
#define GET_X2_COUNTER(v) ((v) >> 1)
#define LPM_STS_LATCH_MODE BIT(31)
--
2.30.2
next prev parent reply other threads:[~2021-09-10 0:43 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-10 0:16 [PATCH AUTOSEL 5.13 01/88] pinctrl: renesas: rcar: Avoid changing PUDn when disabling bias Sasha Levin
2021-09-10 0:16 ` [PATCH AUTOSEL 5.13 02/88] swiotlb: add overflow checks to swiotlb_bounce Sasha Levin
2021-09-10 0:16 ` [PATCH AUTOSEL 5.13 03/88] HID: i2c-hid: goodix: Tie the reset line to true state of the regulator Sasha Levin
2021-09-10 0:16 ` [PATCH AUTOSEL 5.13 04/88] clk: rockchip: rk3036: fix up the sclk_sfc parent error Sasha Levin
2021-09-10 0:16 ` [PATCH AUTOSEL 5.13 05/88] scsi: be2iscsi: Fix use-after-free during IP updates Sasha Levin
2021-09-10 0:16 ` [PATCH AUTOSEL 5.13 06/88] scsi: lpfc: Fix NVMe support reporting in log message Sasha Levin
2021-09-10 0:16 ` [PATCH AUTOSEL 5.13 07/88] scsi: lpfc: Remove use of kmalloc() in trace event logging Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 08/88] scsi: lpfc: Fix target reset handler from falsely returning FAILURE Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 09/88] scsi: lpfc: Fix NULL ptr dereference with NPIV ports for RDF handling Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 10/88] scsi: lpfc: Fix KASAN slab-out-of-bounds in lpfc_unreg_rpi() routine Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 11/88] scsi: lpfc: Clear outstanding active mailbox during PCI function reset Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 12/88] scsi: lpfc: Skip issuing ADISC when node is in NPR state Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 13/88] f2fs: Revert "f2fs: Fix indefinite loop in f2fs_gc() v1" Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 14/88] scsi: smartpqi: Fix ISR accessing uninitialized data Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 15/88] f2fs: don't sleep while grabing nat_tree_lock Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 16/88] iommu/amd: Fix printing of IOMMU events when rate limiting kicks in Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 17/88] scsi: lpfc: Fix cq_id truncation in rq create Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 18/88] pinctrl: renesas: Fix pin control matching on R-Car H3e-2G Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 19/88] clk: mediatek: Fix asymmetrical PLL enable and disable control Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 20/88] HID: usbhid: free raw_report buffers in usbhid_stop Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 21/88] scsi: lpfc: Fix possible ABBA deadlock in nvmet_xri_aborted() Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 22/88] iommu/amd: Sync once for scatter-gather operations Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 23/88] f2fs: fix to force keeping write barrier for strict fsync mode Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 24/88] f2fs: fix min_seq_blocks can not make sense in some scenes Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 25/88] scsi: ufs: Verify UIC locking requirements at runtime Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 26/88] scsi: ufs: Request sense data asynchronously Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 27/88] cpuidle: pseries: Do not cap the CEDE0 latency in fixup_cede0_latency() Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 28/88] powerpc: make the install target not depend on any build artifact Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 29/88] f2fs: fix to stop filesystem update once CP failed Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 30/88] MIPS: loongson2ef: don't build serial.o unconditionally Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 31/88] xprtrdma: Disconnect after an ib_post_send() immediate error Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 32/88] KVM: PPC: Book3S HV: XICS: Fix mapping of passthrough interrupts Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 33/88] jbd2: fix portability problems caused by unaligned accesses Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 34/88] jbd2: fix clang warning in recovery.c Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 35/88] iommu: Fix race condition during default domain allocation Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 36/88] iommu/arm-smmu: Fix race condition during iommu_group creation Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 37/88] scsi: qla2xxx: Fix port type info Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 38/88] scsi: qla2xxx: Fix unsafe removal from linked list Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 39/88] scsi: qla2xxx: Fix NPIV create erroneous error Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 40/88] ovl: copy up sync/noatime fileattr flags Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 41/88] ovl: skip checking lower file's i_writecount on truncate Sasha Levin
2021-09-10 0:17 ` Sasha Levin [this message]
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 43/88] scsi: target: pscsi: Fix possible null-pointer dereference in pscsi_complete_cmd() Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 44/88] iommu/vt-d: Add present bit check in pasid entry setup helpers Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 45/88] fs: dlm: fix return -EINTR on recovery stopped Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 46/88] platform/x86: ideapad-laptop: Fix Legion 5 Fn lock LED Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 47/88] HID: thrustmaster: Fix memory leaks in probe Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 48/88] HID: thrustmaster: Fix memory leak in remove Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 49/88] HID: thrustmaster: Fix memory leak in thrustmaster_interrupts() Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 50/88] HID: sony: Fix more ShanWan clone gamepads to not rumble when plugged in Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 51/88] MIPS: mscc: ocelot: disable all switch ports by default Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 52/88] MIPS: mscc: ocelot: mark the phy-mode for internal PHY ports Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 53/88] scsi: qla2xxx: Fix hang during NVMe session tear down Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 54/88] scsi: qla2xxx: Fix NVMe | FCP personality change Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 55/88] scsi: qla2xxx: Fix hang on NVMe command timeouts Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 56/88] scsi: qla2xxx: Fix NVMe session down detection Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 57/88] scsi: core: Fix missing FORCE for scsi_devinfo_tbl.c build rule Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 58/88] vfio/type1: Fix vfio_find_dma_valid return Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 59/88] scsi: ufs: Fix ufshcd_request_sense_async() for Samsung KLUFG8RHDA-B2D1 Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 60/88] powerpc/32: indirect function call use bctrl rather than blrl in ret_from_kernel_thread Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 61/88] powerpc/booke: Avoid link stack corruption in several places Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 62/88] powerpc: Avoid link stack corruption in misc asm functions Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 63/88] KVM: PPC: Book3S HV: Initialise vcpu MSR with MSR_ME Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 64/88] KVM: PPC: Book3S HV P9: Fixes for TM softpatch interrupt NIP Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 65/88] KVM: PPC: Book3S HV Nested: Fix TM softpatch HFAC interrupt emulation Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 66/88] RDMA/core/sa_query: Retry SA queries Sasha Levin
2021-09-10 0:17 ` [PATCH AUTOSEL 5.13 67/88] selftests: openat2: Fix testing failure for O_LARGEFILE flag Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 68/88] selftests/x86: Fix error: variably modified 'altstack_data' at file scope Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 69/88] platform/x86: dell-smbios-wmi: Avoid false-positive memcpy() warning Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 70/88] powerpc/pseries/iommu: Allow DDW windows starting at 0x00 Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 71/88] clk: zynqmp: Fix a memory leak Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 72/88] MIPS: ingenic: Unconditionally enable clock of CPU #0 Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 73/88] ext4: if zeroout fails fall back to splitting the extent node Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 74/88] ext4: Make sure quota files are not grabbed accidentally Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 75/88] ext4: make the updating inode data procedure atomic Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 76/88] xen: remove stray preempt_disable() from PV AP startup code Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 77/88] x86/build/vdso: fix missing FORCE for *.so build rule Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 78/88] checkkconfigsymbols.py: Fix the '--ignore' option Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 79/88] ocfs2: quota_local: fix possible uninitialized-variable access in ocfs2_local_read_info() Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 80/88] ocfs2: ocfs2_downconvert_lock failure results in deadlock Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 81/88] fs: drop_caches: fix skipping over shadow cache inodes Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 82/88] kasan: test: avoid writing invalid memory Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 83/88] kasan: test: avoid corrupting memory via memset Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 84/88] kasan: test: disable kmalloc_memmove_invalid_size for HW_TAGS Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 85/88] kasan: test: only do kmalloc_uaf_memset for generic mode Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 86/88] kasan: test: clean up ksize_uaf Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 87/88] kasan: test: avoid corrupting memory in copy_user_test Sasha Levin
2021-09-10 0:18 ` [PATCH AUTOSEL 5.13 88/88] kasan: test: avoid corrupting memory in kasan_rcu_uaf Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210910001820.174272-42-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=andy.shevchenko@gmail.com \
--cc=david.e.box@linux.intel.com \
--cc=hdegoede@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=novikov@ispras.ru \
--cc=platform-driver-x86@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox