PATCH 1/2 is a minor change: it just removes 2 unused members from
'struct lvts_ctrl_data'.
PATCH 2/2 is a major bug fix: it fixes a situation where a wrong
array index is used as 'struct lvts_ctrl_data' type item.
Signed-off-by: Julien Panis <[email protected]>
---
Julien Panis (2):
thermal/drivers/mediatek/lvts_thermal: Remove unused members from struct lvts_ctrl_data
thermal/drivers/mediatek/lvts_thermal: Fix wrong lvts_ctrl index
drivers/thermal/mediatek/lvts_thermal.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
---
base-commit: 9221b2819b8a4196eecf5476d66201be60fbcf29
change-id: 20240503-mtk-thermal-lvts-ctrl-idx-fix-ca7e7ea47a0f
Best regards,
--
Julien Panis <[email protected]>
In struct lvts_ctrl_data, num_lvts_sensor and cal_offset[] are not used.
Signed-off-by: Julien Panis <[email protected]>
---
drivers/thermal/mediatek/lvts_thermal.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c
index 86b2f44355ac..18a796386cd0 100644
--- a/drivers/thermal/mediatek/lvts_thermal.c
+++ b/drivers/thermal/mediatek/lvts_thermal.c
@@ -105,8 +105,6 @@ struct lvts_sensor_data {
struct lvts_ctrl_data {
struct lvts_sensor_data lvts_sensor[LVTS_SENSOR_MAX];
- int cal_offset[LVTS_SENSOR_MAX];
- int num_lvts_sensor;
u8 valid_sensor_mask;
int offset;
int mode;
--
2.37.3
In 'lvts_should_update_thresh()' and 'lvts_ctrl_start()' functions,
the parameter passed to 'lvts_for_each_valid_sensor()' macro is always
'lvts_ctrl->lvts_data->lvts_ctrl'. In other words, the array index 0
is systematically passed as 'struct lvts_ctrl_data' type item, even
when another item should be consumed instead.
Hence, the 'valid_sensor_mask' value which is selected can be wrong
because unrelated to the 'struct lvts_ctrl_data' type item that should
be used. Hence, some thermal zone can be registered for a sensor 'i'
that does not actually exist. Because of the invalid address used
as 'lvts_sensor[i].msr', this situation ends up with a crash in
'lvts_get_temp()' function, where this 'msr' pointer is passed to
'readl_poll_timeout()' function. The following message is output:
"Unable to handle kernel NULL pointer dereference at virtual
address <msr>", with <msr> = 0.
This patch fixes the issue.
Fixes: 11e6f4c31447 ("thermal/drivers/mediatek/lvts_thermal: Allow early empty sensor slots")
Signed-off-by: Julien Panis <[email protected]>
---
drivers/thermal/mediatek/lvts_thermal.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c
index 18a796386cd0..d7df6f09938b 100644
--- a/drivers/thermal/mediatek/lvts_thermal.c
+++ b/drivers/thermal/mediatek/lvts_thermal.c
@@ -116,9 +116,9 @@ struct lvts_ctrl_data {
((s2) ? BIT(2) : 0) | \
((s3) ? BIT(3) : 0))
-#define lvts_for_each_valid_sensor(i, lvts_ctrl_data) \
+#define lvts_for_each_valid_sensor(i, lvts_ctrl) \
for ((i) = 0; (i) < LVTS_SENSOR_MAX; (i)++) \
- if (!((lvts_ctrl_data)->valid_sensor_mask & BIT(i))) \
+ if (!((lvts_ctrl)->valid_sensor_mask & BIT(i))) \
continue; \
else
@@ -145,6 +145,7 @@ struct lvts_ctrl {
const struct lvts_data *lvts_data;
u32 calibration[LVTS_SENSOR_MAX];
u32 hw_tshut_raw_temp;
+ u8 valid_sensor_mask;
int mode;
void __iomem *base;
int low_thresh;
@@ -356,7 +357,7 @@ static bool lvts_should_update_thresh(struct lvts_ctrl *lvts_ctrl, int high)
if (high > lvts_ctrl->high_thresh)
return true;
- lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl)
+ lvts_for_each_valid_sensor(i, lvts_ctrl)
if (lvts_ctrl->sensors[i].high_thresh == lvts_ctrl->high_thresh
&& lvts_ctrl->sensors[i].low_thresh == lvts_ctrl->low_thresh)
return false;
@@ -617,6 +618,8 @@ static int lvts_sensor_init(struct device *dev, struct lvts_ctrl *lvts_ctrl,
lvts_sensor[i].high_thresh = INT_MIN;
};
+ lvts_ctrl->valid_sensor_mask = lvts_ctrl_data->valid_sensor_mask;
+
return 0;
}
@@ -1112,7 +1115,7 @@ static int lvts_ctrl_start(struct device *dev, struct lvts_ctrl *lvts_ctrl)
u32 *sensor_bitmap = lvts_ctrl->mode == LVTS_MSR_IMMEDIATE_MODE ?
sensor_imm_bitmap : sensor_filt_bitmap;
- lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl) {
+ lvts_for_each_valid_sensor(i, lvts_ctrl) {
int dt_id = lvts_sensors[i].dt_id;
--
2.37.3
On Fri, 3 May 2024, Julien Panis wrote:
> In 'lvts_should_update_thresh()' and 'lvts_ctrl_start()' functions,
> the parameter passed to 'lvts_for_each_valid_sensor()' macro is always
> 'lvts_ctrl->lvts_data->lvts_ctrl'. In other words, the array index 0
> is systematically passed as 'struct lvts_ctrl_data' type item, even
> when another item should be consumed instead.
>
> Hence, the 'valid_sensor_mask' value which is selected can be wrong
> because unrelated to the 'struct lvts_ctrl_data' type item that should
> be used. Hence, some thermal zone can be registered for a sensor 'i'
> that does not actually exist. Because of the invalid address used
> as 'lvts_sensor[i].msr', this situation ends up with a crash in
> 'lvts_get_temp()' function, where this 'msr' pointer is passed to
> 'readl_poll_timeout()' function. The following message is output:
> "Unable to handle kernel NULL pointer dereference at virtual
> address <msr>", with <msr> = 0.
>
> This patch fixes the issue.
>
> Fixes: 11e6f4c31447 ("thermal/drivers/mediatek/lvts_thermal: Allow early empty sensor slots")
> Signed-off-by: Julien Panis <[email protected]>
Reviewed-by: Nicolas Pitre <[email protected]>
> ---
> drivers/thermal/mediatek/lvts_thermal.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c
> index 18a796386cd0..d7df6f09938b 100644
> --- a/drivers/thermal/mediatek/lvts_thermal.c
> +++ b/drivers/thermal/mediatek/lvts_thermal.c
> @@ -116,9 +116,9 @@ struct lvts_ctrl_data {
> ((s2) ? BIT(2) : 0) | \
> ((s3) ? BIT(3) : 0))
>
> -#define lvts_for_each_valid_sensor(i, lvts_ctrl_data) \
> +#define lvts_for_each_valid_sensor(i, lvts_ctrl) \
> for ((i) = 0; (i) < LVTS_SENSOR_MAX; (i)++) \
> - if (!((lvts_ctrl_data)->valid_sensor_mask & BIT(i))) \
> + if (!((lvts_ctrl)->valid_sensor_mask & BIT(i))) \
> continue; \
> else
>
> @@ -145,6 +145,7 @@ struct lvts_ctrl {
> const struct lvts_data *lvts_data;
> u32 calibration[LVTS_SENSOR_MAX];
> u32 hw_tshut_raw_temp;
> + u8 valid_sensor_mask;
> int mode;
> void __iomem *base;
> int low_thresh;
> @@ -356,7 +357,7 @@ static bool lvts_should_update_thresh(struct lvts_ctrl *lvts_ctrl, int high)
> if (high > lvts_ctrl->high_thresh)
> return true;
>
> - lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl)
> + lvts_for_each_valid_sensor(i, lvts_ctrl)
> if (lvts_ctrl->sensors[i].high_thresh == lvts_ctrl->high_thresh
> && lvts_ctrl->sensors[i].low_thresh == lvts_ctrl->low_thresh)
> return false;
> @@ -617,6 +618,8 @@ static int lvts_sensor_init(struct device *dev, struct lvts_ctrl *lvts_ctrl,
> lvts_sensor[i].high_thresh = INT_MIN;
> };
>
> + lvts_ctrl->valid_sensor_mask = lvts_ctrl_data->valid_sensor_mask;
> +
> return 0;
> }
>
> @@ -1112,7 +1115,7 @@ static int lvts_ctrl_start(struct device *dev, struct lvts_ctrl *lvts_ctrl)
> u32 *sensor_bitmap = lvts_ctrl->mode == LVTS_MSR_IMMEDIATE_MODE ?
> sensor_imm_bitmap : sensor_filt_bitmap;
>
> - lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl) {
> + lvts_for_each_valid_sensor(i, lvts_ctrl) {
>
> int dt_id = lvts_sensors[i].dt_id;
>
>
> --
> 2.37.3
>
>
On Fri, 3 May 2024, Julien Panis wrote:
> In struct lvts_ctrl_data, num_lvts_sensor and cal_offset[] are not used.
>
> Signed-off-by: Julien Panis <[email protected]>
Reviewed-by: Nicolas Pitre <[email protected]>
> ---
> drivers/thermal/mediatek/lvts_thermal.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c
> index 86b2f44355ac..18a796386cd0 100644
> --- a/drivers/thermal/mediatek/lvts_thermal.c
> +++ b/drivers/thermal/mediatek/lvts_thermal.c
> @@ -105,8 +105,6 @@ struct lvts_sensor_data {
>
> struct lvts_ctrl_data {
> struct lvts_sensor_data lvts_sensor[LVTS_SENSOR_MAX];
> - int cal_offset[LVTS_SENSOR_MAX];
> - int num_lvts_sensor;
> u8 valid_sensor_mask;
> int offset;
> int mode;
>
> --
> 2.37.3
>
>
On 03/05/2024 17:35, Julien Panis wrote:
> PATCH 1/2 is a minor change: it just removes 2 unused members from
> 'struct lvts_ctrl_data'.
>
> PATCH 2/2 is a major bug fix: it fixes a situation where a wrong
> array index is used as 'struct lvts_ctrl_data' type item.
>
> Signed-off-by: Julien Panis <[email protected]>
> ---
Applied, thanks
--
<http://www.linaro.org/> Linaro.org │ Open source software for ARM SoCs
Follow Linaro: <http://www.facebook.com/pages/Linaro> Facebook |
<http://twitter.com/#!/linaroorg> Twitter |
<http://www.linaro.org/linaro-blog/> Blog
Il 03/05/24 17:35, Julien Panis ha scritto:
> In struct lvts_ctrl_data, num_lvts_sensor and cal_offset[] are not used.
>
> Signed-off-by: Julien Panis <[email protected]>
Reviewed-by: AngeloGioacchino Del Regno <[email protected]>
Il 03/05/24 17:35, Julien Panis ha scritto:
> In 'lvts_should_update_thresh()' and 'lvts_ctrl_start()' functions,
> the parameter passed to 'lvts_for_each_valid_sensor()' macro is always
> 'lvts_ctrl->lvts_data->lvts_ctrl'. In other words, the array index 0
> is systematically passed as 'struct lvts_ctrl_data' type item, even
> when another item should be consumed instead.
>
> Hence, the 'valid_sensor_mask' value which is selected can be wrong
> because unrelated to the 'struct lvts_ctrl_data' type item that should
> be used. Hence, some thermal zone can be registered for a sensor 'i'
> that does not actually exist. Because of the invalid address used
> as 'lvts_sensor[i].msr', this situation ends up with a crash in
> 'lvts_get_temp()' function, where this 'msr' pointer is passed to
> 'readl_poll_timeout()' function. The following message is output:
> "Unable to handle kernel NULL pointer dereference at virtual
> address <msr>", with <msr> = 0.
>
> This patch fixes the issue.
>
> Fixes: 11e6f4c31447 ("thermal/drivers/mediatek/lvts_thermal: Allow early empty sensor slots")
> Signed-off-by: Julien Panis <[email protected]>
Reviewed-by: AngeloGioacchino Del Regno <[email protected]>