Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2450262imm; Mon, 28 May 2018 08:17:56 -0700 (PDT) X-Google-Smtp-Source: AB8JxZrAsxpQy/QLRXbKP5UrvX0XcffxE1PYv0URg1plR1Cxpg+uzibb6mIyXNLjKV8Sm3xDXtMO X-Received: by 2002:a63:740d:: with SMTP id p13-v6mr10783895pgc.327.1527520676710; Mon, 28 May 2018 08:17:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527520676; cv=none; d=google.com; s=arc-20160816; b=BhNL8TYPWjQb1WHlw9+P59ZxKlW4uRiyfRcnLOwFpWHxD18csUp4A9nqwiKcJg+XbT ZBhOBIAU3n8hyES81KRdwbjLnS6te7+zPyxSPI00+zY/qQQTLA95aDVVBPej6MxZU1Fr L8zoPn0ql0noTqMbJWgVl/ZSES8sseIAWmAJWgcuz6vWtu57nHJr5xqlvNrOuKZluV+d Xytw3QHjPZ8G6DKiShTs1bscB2MvspPnulzoVjlk/ohmBr6gW6q31/YtupGtRDXtFXRY viyMjzAA8XYe+kYL8o0kIIICPdi8Di6gzPxl71LKqJpM7aZNVspQr+VSnBl2rrfsz6ml dL6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=9d3jQ3lSzDS/d2bZngND68dGL+2PB6noImwnkDR9kKg=; b=SMwcL931xHWApfG75pzLyWXKaT3GBbZiHIRjcugvDxH4l7/q64H4bWGLKxe3PaqEeC /couXyBNV01L2rvRfJ4LltHwhlgO2DdeLJJrnVOQKUnund6VoNrGW53s05ndAFQKUQ67 Ll+/cvhjXk7BH/GMsfqu33OogHnuhHwKSWnbg/ncviexJhgbxwIPX/tcKojx8PhrrA1w EC6WUXVRuCvm1N1cueRIzBEUQLmDl4aZYwJ4R6+rEJ25qU+leilTeARhQ3/ObHJiCLg5 lZhFqV7SVer5h6krV9AgvKlnB8zgxr+0VdbZBcUUPeFcho2nYcAAoWlS7XE5lZ9wQ2mA 3JTw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=M4vaTHzA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l11-v6si15283361pgs.218.2018.05.28.08.17.41; Mon, 28 May 2018 08:17:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=M4vaTHzA; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1425140AbeE1PRB (ORCPT + 99 others); Mon, 28 May 2018 11:17:01 -0400 Received: from mail.kernel.org ([198.145.29.99]:42034 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1033537AbeE1KWj (ORCPT ); Mon, 28 May 2018 06:22:39 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 78D1220843; Mon, 28 May 2018 10:22:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1527502959; bh=Uzn9j5nz2FuEQaIUHQaYlGMSA4DFZZ/fy8fRk25qeDw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=M4vaTHzAY3A3HHQXCxPQBoeY8MtLomTfLZCTJa8NKKdT/vMME9one06unr6AX8sZ5 WlcDmuV/Ux/oKSo9v57no23fyRzp/3QcM5iWFWbdtybDKwm5mhHM7pDpXmZxryXUC+ de0bUNvRvRpWoMXcIVDOcnHWXosUrC8mPXbF6kY8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Frank Asseg , Jiri Kosina , Sasha Levin Subject: [PATCH 4.4 192/268] tools/thermal: tmon: fix for segfault Date: Mon, 28 May 2018 12:02:46 +0200 Message-Id: <20180528100224.066119451@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180528100202.045206534@linuxfoundation.org> References: <20180528100202.045206534@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Frank Asseg [ Upstream commit 6c59f64b7ecf2bccbe73931d7d573d66ed13b537 ] Fixes a segfault occurring when e.g. is pressed multiple times in the ncurses tmon application. The segfault is caused by incrementing cur_thermal_record in the main function without checking if it's value reached NR_THERMAL_RECORD immediately. Since the boundary check only occurred in update_thermal_data a race condition existed, which lead to an attempted read beyond the last element of the trec array. The fix was implemented by moving the cur_thermal_record incrementation to the update_thermal_data function using a temporary variable on which the boundary condition is checked before updating cur_thread_record, so that the variable is never incremented beyond the trec array's boundary. It seems the segfault does not occur on every machine: On a HP EliteBook G4 the segfault happens, while it does not happen on a Thinkpad T540p. Signed-off-by: Frank Asseg Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- tools/thermal/tmon/sysfs.c | 12 +++++++----- tools/thermal/tmon/tmon.c | 1 - 2 files changed, 7 insertions(+), 6 deletions(-) --- a/tools/thermal/tmon/sysfs.c +++ b/tools/thermal/tmon/sysfs.c @@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst int update_thermal_data() { int i; + int next_thermal_record = cur_thermal_record + 1; char tz_name[256]; static unsigned long samples; @@ -495,9 +496,9 @@ int update_thermal_data() } /* circular buffer for keeping historic data */ - if (cur_thermal_record >= NR_THERMAL_RECORDS) - cur_thermal_record = 0; - gettimeofday(&trec[cur_thermal_record].tv, NULL); + if (next_thermal_record >= NR_THERMAL_RECORDS) + next_thermal_record = 0; + gettimeofday(&trec[next_thermal_record].tv, NULL); if (tmon_log) { fprintf(tmon_log, "%lu ", ++samples); fprintf(tmon_log, "%3.1f ", p_param.t_target); @@ -507,11 +508,12 @@ int update_thermal_data() snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE, ptdata.tzi[i].instance); sysfs_get_ulong(tz_name, "temp", - &trec[cur_thermal_record].temp[i]); + &trec[next_thermal_record].temp[i]); if (tmon_log) fprintf(tmon_log, "%lu ", - trec[cur_thermal_record].temp[i]/1000); + trec[next_thermal_record].temp[i] / 1000); } + cur_thermal_record = next_thermal_record; for (i = 0; i < ptdata.nr_cooling_dev; i++) { char cdev_name[256]; unsigned long val; --- a/tools/thermal/tmon/tmon.c +++ b/tools/thermal/tmon/tmon.c @@ -336,7 +336,6 @@ int main(int argc, char **argv) show_data_w(); show_cooling_device(); } - cur_thermal_record++; time_elapsed += ticktime; controller_handler(trec[0].temp[target_tz_index] / 1000, &yk);