Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1456425ybb; Thu, 2 Apr 2020 00:49:34 -0700 (PDT) X-Google-Smtp-Source: APiQypIlIE7ZxpFmjUC27rD0v/qlPAU/bEcP+fn7rlrFRjpPL3boING70RaaS9kDG9rPHmN82ZU3 X-Received: by 2002:aca:5444:: with SMTP id i65mr1239185oib.101.1585813773879; Thu, 02 Apr 2020 00:49:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585813773; cv=none; d=google.com; s=arc-20160816; b=vA9FHHhJFOSM7tNSrddNGO+DA/eGAFk5fV72ySQS+LTCuh2KcQ3hinWwtM0cDAz9L/ 77FXDpQ5DMSnqOHxeEJxlFapvNoDrJWYkipRkItBfYBG9wpG0yI6yAqIObOl19iURGrh ImdZhby29t5QGwQnWAaOIpnl05YyRYor3Lhto+dm0ef9M0WV+SOeNw8bhx5f6tf75Yms ZXlQMd/bv83saA87X/C+g0ct9KmB4VxYfcIen/FJ5VAaEuPwC45nDnpTOgUaSzF1P9Zp OEEV4EXi3xhhXBghIo8DtncqwfymRs1we5saDP3lPOT+kxmQ8+6189rDwPPOytU/lm8Z O4JA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from:ironport-sdr:ironport-sdr; bh=toijg3Wq9F+RUgo4zbPDlLNDWGXPSSVbsCK2NKI0R58=; b=bqtteXofuK0yl2Zn2DknMEiPgH1lhLI4HUaZTfk1xjJk9BT8AOHGLTJUg4idg17ilO xXYe1M5tTQ9GTb/uPPHkLKiSVV6zmxib1o2sPbXhszLM15RDuVbNGKCvAqhCig9SNhFk 5L1gXqqitUvgj/jgyyAY/1yHluBTiSrCpPFcZkh3Yzw1Msxp+dTjX6LpUkpMA9KiBPym YvWA8nBhjda0i0mEjmW/d7fJO9W2T6zkZl2mC3Apz1uDl9G6zMF+EGtRQnhFR1gbB0RS 27HAzvtZtbxb4YUFYLK+RUizPaGNqdD7TnZaCucNwYZ4GKBPHV64onLbCWT/drOLTN3n +QDw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l13si1928712oib.268.2020.04.02.00.49.21; Thu, 02 Apr 2020 00:49:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387482AbgDBHtB convert rfc822-to-8bit (ORCPT + 99 others); Thu, 2 Apr 2020 03:49:01 -0400 Received: from mga12.intel.com ([192.55.52.136]:4785 "EHLO mga12.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725965AbgDBHtA (ORCPT ); Thu, 2 Apr 2020 03:49:00 -0400 IronPort-SDR: bRfx4nvFkBkTWlRyuZpNn31ylIAG/Cb9kg5DjNLxKFesEv8/J2JS3pIbICOh8Ptmi+FVeiIUBx l2XOvPR5zbPQ== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga007.fm.intel.com ([10.253.24.52]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Apr 2020 00:49:00 -0700 IronPort-SDR: 4v+838BTvv5dSQJgqNNoDW1HyJDXWviBpViFsaEAdbPvFCcyfksE/qNkxfGGJhuEHsPThYg4yT g8ByHB4Aatuw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.72,335,1580803200"; d="scan'208";a="240752819" Received: from fmsmsx108.amr.corp.intel.com ([10.18.124.206]) by fmsmga007.fm.intel.com with ESMTP; 02 Apr 2020 00:49:00 -0700 Received: from fmsmsx601.amr.corp.intel.com (10.18.126.81) by FMSMSX108.amr.corp.intel.com (10.18.124.206) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 2 Apr 2020 00:49:00 -0700 Received: from fmsmsx601.amr.corp.intel.com (10.18.126.81) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Thu, 2 Apr 2020 00:48:59 -0700 Received: from shsmsx152.ccr.corp.intel.com (10.239.6.52) by fmsmsx601.amr.corp.intel.com (10.18.126.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5 via Frontend Transport; Thu, 2 Apr 2020 00:48:59 -0700 Received: from shsmsx108.ccr.corp.intel.com ([169.254.8.7]) by SHSMSX152.ccr.corp.intel.com ([169.254.6.209]) with mapi id 14.03.0439.000; Thu, 2 Apr 2020 15:47:51 +0800 From: "Zhang, Rui" To: Takashi Iwai , "linux-acpi@vger.kernel.org" CC: "Rafael J. Wysocki" , Len Brown , "linux-kernel@vger.kernel.org" Subject: RE: OOB access on ACPI processor thermal device via sysfs write Thread-Topic: OOB access on ACPI processor thermal device via sysfs write Thread-Index: AQHWCMInBN92pltZsEqESgUJHFcCaKhlcwvw Date: Thu, 2 Apr 2020 07:47:50 +0000 Message-ID: <744357E9AAD1214791ACBA4B0B90926377CEB399@SHSMSX108.ccr.corp.intel.com> References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org CC Viresh. Yes, I've received it. To me, there is not a hard rule that the cooling device max_state must be static. We should be able to detect the max_state change and reset the stats table when necessary. I just finished a prototype patch to do so, and will paste it later. Thanks, rui -----Original Message----- From: Takashi Iwai Sent: Thursday, April 02, 2020 3:42 PM To: linux-acpi@vger.kernel.org Cc: Zhang, Rui ; Rafael J. Wysocki ; Len Brown ; linux-kernel@vger.kernel.org Subject: OOB access on ACPI processor thermal device via sysfs write Importance: High [ My post yesterday didn't seem go out properly, so I'm resending with a different MTA setup; sorry if you already received it ] Hi, after my recent patch [*], I started looking at the root cause more closely, and found that it's a side-effect of the device initialization order between acpi_processor_driver and cpufreq. [*] https://lore.kernel.org/linux-pm/20200330140859.12535-1-tiwai@suse.de/ In short: - acpi_processor_driver_init() is called fairly early boot stage, and it registers a thermal device for each CPU. - A thermal device allocates a statistics table with the fixed size determined by get_max_state() ops call at its probe time. (The table entry is updated at each time a write to thermal state file happens.) For ACPI, processor_get_max_state() is called and it invokes acpi_processor_max_state() that calculates the max states depending on cpufreq, cpufreq_get_max_state(). cpufreq_get_max_state() returns 0 at this stage because no cpufreq driver is available. So the table size is set to 1. - Later on, after cpufreq get initialized, the following sysfs write causes an OOB access and corrupts memory (eventually Oops): # echo 3 > /sys/class/thermal/cooling_device0/cur_state The reason is that now processor_get_max_state() returns 3 as cpufreq became available. So the thermal driver believes as if it were a valid value, and updates the table accordingly although it overflows. My patch above detects and avoids such an overflow, but it's no real fix for the cause. The proper fix needs either the shuffling of the device creation order or some automatic resize of statistics table. Do you guys have any suggestion how to solve it? FWIW, I could reproduce the problem locally on my laptop with 5.6 kernel, and I believe this can be seen generically on most of machines. thanks, Takashi