Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1451903ybb; Thu, 2 Apr 2020 00:42:09 -0700 (PDT) X-Google-Smtp-Source: APiQypK0nYUmyMn5qImHCu2XyeNwU5Ora/2n7A7RtcNHyJHLk+sX70s9uyRBAwpuHVHTxOvP5bEc X-Received: by 2002:aca:4c12:: with SMTP id z18mr1270824oia.43.1585813329088; Thu, 02 Apr 2020 00:42:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585813329; cv=none; d=google.com; s=arc-20160816; b=ltH9qazsq+UD/geqm0bnmlshpH6YiX/UDYQSiznbYIVL/pdkAZmWxw55A5x8SN4ChE CXUIxFWXz8S+NuUIrn8GVS2y/ftLuTu4mv1W7OOWoLaylKS27nKUN62kNjffPxWTG6Zy eiaDBdfH/XSs9IiT/6tT2DB2i+aWhdB5EwVBYMWo9LVZSjsoxbyyEd3UZEd7fMsqxX4k kVzWVaJByNVzS9JHXj5HQpw68mS6abAoAE6va/nH6Es4TyoO23NFuqabkUEmNRrltrqc O5nIOA3jrRyguoinZ+J3D7du0H+WI9+XMTQJu8cwvv3jva2vA7QzxkWGh5OrrrdTI85o krCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:subject:cc:to :from:message-id:date; bh=F60K9yS0+GwR73QUTV6HcVEanCqYO7ga/th06bOyRR8=; b=b3m5e/wsOPyXQtuoOIIOGHY5iMFTDKlxZRhFYXiHuxAArR3BuYksWbvSX8kzeGKAFD W/2Hf8PgfU//PJFLNRZcVNMt7i5XMHaWU2wsKrj+9jR790aLnZfqZ1U02+otr+RUxODM k+/+4Ixfap/RP4RrRjahwNRH0cVkja1q5Ug9++HMLJt1GM3ApiFVI/fzsTHxfuLsKte8 phkdghCY4ZI3jNSg79zu6mEcVxaitpSYIu/VXdaEgKOLARzGHYTwFpAc4ubeQt256iBV zV6C+gHYXq7gph14gXwQlJOM5Iay9o4dgYW5vNw7Lpy/TLNLsQ1XRZpFKl7U77Hs7q+3 EgDA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l15si2159344otb.8.2020.04.02.00.41.57; Thu, 02 Apr 2020 00:42:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387482AbgDBHlg (ORCPT + 99 others); Thu, 2 Apr 2020 03:41:36 -0400 Received: from mx2.suse.de ([195.135.220.15]:49716 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727012AbgDBHlg (ORCPT ); Thu, 2 Apr 2020 03:41:36 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 872BDAD66; Thu, 2 Apr 2020 07:41:34 +0000 (UTC) Date: Thu, 02 Apr 2020 09:41:34 +0200 Message-ID: From: Takashi Iwai To: linux-acpi@vger.kernel.org Cc: Zhang Rui , "Rafael J. Wysocki" , Len Brown , linux-kernel@vger.kernel.org Subject: OOB access on ACPI processor thermal device via sysfs write User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ My post yesterday didn't seem go out properly, so I'm resending with a different MTA setup; sorry if you already received it ] Hi, after my recent patch [*], I started looking at the root cause more closely, and found that it's a side-effect of the device initialization order between acpi_processor_driver and cpufreq. [*] https://lore.kernel.org/linux-pm/20200330140859.12535-1-tiwai@suse.de/ In short: - acpi_processor_driver_init() is called fairly early boot stage, and it registers a thermal device for each CPU. - A thermal device allocates a statistics table with the fixed size determined by get_max_state() ops call at its probe time. (The table entry is updated at each time a write to thermal state file happens.) For ACPI, processor_get_max_state() is called and it invokes acpi_processor_max_state() that calculates the max states depending on cpufreq, cpufreq_get_max_state(). cpufreq_get_max_state() returns 0 at this stage because no cpufreq driver is available. So the table size is set to 1. - Later on, after cpufreq get initialized, the following sysfs write causes an OOB access and corrupts memory (eventually Oops): # echo 3 > /sys/class/thermal/cooling_device0/cur_state The reason is that now processor_get_max_state() returns 3 as cpufreq became available. So the thermal driver believes as if it were a valid value, and updates the table accordingly although it overflows. My patch above detects and avoids such an overflow, but it's no real fix for the cause. The proper fix needs either the shuffling of the device creation order or some automatic resize of statistics table. Do you guys have any suggestion how to solve it? FWIW, I could reproduce the problem locally on my laptop with 5.6 kernel, and I believe this can be seen generically on most of machines. thanks, Takashi