Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp4384513ybb; Tue, 7 Apr 2020 06:32:28 -0700 (PDT) X-Google-Smtp-Source: APiQypLQPcFKceR+99+QNFhussvqpmbxAheYEZ5DKkRfSpjkZ66LKwHacsrWnLFI5wKDmefULEZ0 X-Received: by 2002:aca:39c3:: with SMTP id g186mr1733300oia.168.1586266348221; Tue, 07 Apr 2020 06:32:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586266348; cv=none; d=google.com; s=arc-20160816; b=ACa6H1t0iWcnFg1oFliECfHC1kEVayecF92LI3xL7n8VC2TmsppPKq/ScpKsIMVZpe 5uVVp+S28EXUiA4wazGOwDlEpZStQN7TGpW7d6kLnJhv8u2w3rSkldCEyk/M1Ui2e9+h vIjw3nFQ72sMQKi9uTpz/9KH+w8+z/YJcxgMV6uuPwUriYt6pFboUcE9YiboPnvlbfO6 FhUY44m+ffvSRmi8e8s0+KK6yJ3tG0aEycjfeK0Hev4o4lgj99o2hVRZeGD2WySRfoIU x8+KX5p5Xv8sVLX1Qywf1PuUSDL2XuSc+J/BQi4HL0fW4LmhyyJXo8yimEkXPMqWOEE9 kQKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=1PuP95pVbFQYLwVP/nv0qO9FfBSm3TrhJmC4ds9qXhk=; b=cChjVp8Byi9arLo59FPvEQuGVGIO+tQwTM6/VK2p37a1cE0hK/FEX2LSCTWz41CJ7s uWD5MvDJhJ8cuQz6FVZ3OVqBr7ru9L764q4fjJo08ZBlqgy4f8MX/qDkhlm5c+osXfby 6mKh/R2KJ66zaJzT/9KFBitTj9YAf6bHi9jiqKAf18w4/Er6Ii5E8OUAaM7ydh8OJvH2 e6MmSzYRqlzgTYUQhxv8AGLbsoPpRp4lJBxinAfrtl6+r+VK3h3bQ2K+ivP8XOMF52NN biGorVhr6+80xKa0Svk3caUkhlFa3NsiSpjW29PcL1Ux5YC7pe8+7TEMNae78nYdseVz fdJQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@verdurent-com.20150623.gappssmtp.com header.s=20150623 header.b=1w1df4RU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l126si1079508oih.31.2020.04.07.06.32.15; Tue, 07 Apr 2020 06:32:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@verdurent-com.20150623.gappssmtp.com header.s=20150623 header.b=1w1df4RU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728919AbgDGNbF (ORCPT + 99 others); Tue, 7 Apr 2020 09:31:05 -0400 Received: from mail-vs1-f66.google.com ([209.85.217.66]:37127 "EHLO mail-vs1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728643AbgDGNbF (ORCPT ); Tue, 7 Apr 2020 09:31:05 -0400 Received: by mail-vs1-f66.google.com with SMTP id o3so2181583vsd.4 for ; Tue, 07 Apr 2020 06:31:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verdurent-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1PuP95pVbFQYLwVP/nv0qO9FfBSm3TrhJmC4ds9qXhk=; b=1w1df4RUeeL0VXPeqcyMGJbfByV2WYJmZC7sKAeNL9F9J9/8ILhODXlqWk8iLFAhnb w/HDEYdNoDrwBasbNfqwV9lp3R40WUFTTN4Lxf/+SjA4k7SJSgtJKax8PQuyBimSyf9q 1JcejYcYCOahTojFNZqTKl8Z/S9zO6wlH8DyUqrZiUVMMiYnTUJvsN4d6uWZGrViK8Il N+hErK9txJfx0zOnl3HEShvCd4kM+/6CaCGGopJtZHL3tY8oNk94Ps+euXHg5dN/vrs3 /fTV5DRZPFUwMrJM/zqIg9g46dgGOTLTAPICvLEIoPuTMXn6SuVVo/4gk8kj6YB5enRr RWSQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1PuP95pVbFQYLwVP/nv0qO9FfBSm3TrhJmC4ds9qXhk=; b=TObaSV7wZONVRmWqA4GOC2RT8AIbKwxkPKMX2gj47W9h8iU8au24O36Vh7y6XQYBOJ heGedM7rlRdskDnuTOfgOJJXNiRLlgQSV/qsUD9WmQR/K8RAYcT8pqRwMaBui5d7JuPU OaRWA3VBoE/BmeOfp5hFwww8gNLJIcdSGeQaPlzd4kH2/Hm7AIJGU6ElbaAAXRAgASUc TcIB+6Sojowk19+E8Yu5Jj80Bfm4HoDAOJEkg7i/zMy45ShFA1Y5NicbYrd4QiJjfdld Agxlox0dHYqzoV5uh+V3OZAYEPvEsU0q59tuxKtfuSQLgTlt4n7gSaY322re+HXv6OCl 3iVA== X-Gm-Message-State: AGi0PuZuH+hOyvPUZEuubPASL1CwIeEnQz0PpavgSGfNPqkiRjh3tH+u ScHCaLbZZDGzLpg2in8Kmn+Wrx+rRFvQnKy75Q2ZLg== X-Received: by 2002:a67:69d5:: with SMTP id e204mr1615782vsc.159.1586266262706; Tue, 07 Apr 2020 06:31:02 -0700 (PDT) MIME-Version: 1.0 References: <20200330140859.12535-1-tiwai@suse.de> In-Reply-To: <20200330140859.12535-1-tiwai@suse.de> From: Amit Kucheria Date: Tue, 7 Apr 2020 19:00:51 +0530 Message-ID: Subject: Re: [PATCH] thermal: Add a sanity check for invalid state at stats update To: Takashi Iwai Cc: Zhang Rui , Daniel Lezcano , Linux PM list , LKML Content-Type: multipart/mixed; boundary="0000000000001bff0005a2b36595" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --0000000000001bff0005a2b36595 Content-Type: text/plain; charset="UTF-8" On Mon, Mar 30, 2020 at 7:39 PM Takashi Iwai wrote: > > The thermal sysfs handler keeps the statistics table with the fixed > size that was determined from the initial max_states() call, and the > table entry is updated at each sysfs cur_state write call. And, when > the driver's set_cur_state() ops accepts the value given from > user-space, the thermal sysfs core blindly applies it to the > statistics table entry, which may overflow and cause an Oops. > Although it's rather a bug in the driver's ops implementations, we > shouldn't crash but rather give a proper warning instead. > > This patch adds a sanity check for avoiding such an OOB access and > warns with a stack trace to show the suspicious device in question. Hi Takashi, Instead of this warning, I think we should reject such input when writing to cur_state. See attached patch. If you think this OK, I'll submit it. Regards, Amit > Signed-off-by: Takashi Iwai > --- > > We've hit some crash by stress tests, and this patch at least works > around the crash itself. While the actual bug fix of the buggy driver > is still being investigated, I submit the hardening in the core side > at first. > > drivers/thermal/thermal_sysfs.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c > index aa99edb4dff7..a23c4e701d63 100644 > --- a/drivers/thermal/thermal_sysfs.c > +++ b/drivers/thermal/thermal_sysfs.c > @@ -772,6 +772,11 @@ void thermal_cooling_device_stats_update(struct thermal_cooling_device *cdev, > > spin_lock(&stats->lock); > > + if (dev_WARN_ONCE(&cdev->device, new_state >= stats->max_states, > + "new state %ld exceeds max_state %ld", > + new_state, stats->max_states)) > + goto unlock; > + > if (stats->state == new_state) > goto unlock; > > -- > 2.16.4 > --0000000000001bff0005a2b36595 Content-Type: text/x-patch; charset="US-ASCII"; name="0001-thermal-Reject-invalid-cur_state-input-from-userspac.patch" Content-Disposition: attachment; filename="0001-thermal-Reject-invalid-cur_state-input-from-userspac.patch" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_k8pxym180 RnJvbSA1NDI2NjI2MGQ0ODNhYjQ0NzY1MTBkZDQ0NjFhMWNhZmM2MTFlMTdkIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpNZXNzYWdlLUlkOiA8NTQyNjYyNjBkNDgzYWI0NDc2NTEwZGQ0NDYxYTFj YWZjNjExZTE3ZC4xNTg2MjY2MjI0LmdpdC5hbWl0Lmt1Y2hlcmlhQGxpbmFyby5vcmc+CkZyb206 IEFtaXQgS3VjaGVyaWEgPGFtaXQua3VjaGVyaWFAbGluYXJvLm9yZz4KRGF0ZTogVHVlLCA3IEFw ciAyMDIwIDE4OjQ4OjE0ICswNTMwClN1YmplY3Q6IFtQQVRDSF0gdGhlcm1hbDogUmVqZWN0IGlu dmFsaWQgY3VyX3N0YXRlIGlucHV0IGZyb20gdXNlcnNwYWNlCgpXZSBkb24ndCBjaGVjayBpZiB0 aGUgY3VyX3N0YXRlIHZhbHVlIGlucHV0IGluIHN5c2ZzIGlzIGdyZWF0ZXIgdGhhbiB0aGUKbWF4 aW11bSBjb29saW5nIHN0YXRlIHRoYXQgdGhlIGNvb2xpbmcgZGV2aWNlIHN1cHBvcnRzLiBUaGlz IGNhbiBjYXVzZQphY2Nlc3MgdG8gdW5hbGxvY2F0ZWQgbWVtb3J5IGluIGNhc2UgVEhFUk1BTF9T VEFUSVNUSUNTIGluIGVuYWJsZWQgYW5kCmNvdWxkIGFsc28gY3Jhc2ggY29vbGluZyBkZXZpY2Vz IHRoYXQgZG9uJ3QgY2hlY2sgZm9yIGFuIGludmFsaWQgc3RhdGUgaW4KdGhlaXIgc2V0X2N1cl9z dGF0ZSgpIGNhbGxiYWNrLgoKUmV0dXJuIGFuIGVycm9yIGlmIHRoZSBzdGF0ZSBiZWluZyByZXF1 ZXN0ZWQgaW4gZ3JlYXRlciB0aGFuIHRoZSBtYXhpbXVtCmNvb2xpbmcgc3RhdGUgdGhlIGRldmlj ZSBzdXBwb3J0cy4KClJlcG9ydGVkLWJ5OiBUYWthc2hpIEl3YWkgPHRpd2FpQHN1c2UuZGU+ClNp Z25lZC1vZmYtYnk6IEFtaXQgS3VjaGVyaWEgPGFtaXQua3VjaGVyaWFAbGluYXJvLm9yZz4KLS0t CiBkcml2ZXJzL3RoZXJtYWwvdGhlcm1hbF9zeXNmcy5jIHwgOSArKysrKysrKy0KIDEgZmlsZSBj aGFuZ2VkLCA4IGluc2VydGlvbnMoKyksIDEgZGVsZXRpb24oLSkKCmRpZmYgLS1naXQgYS9kcml2 ZXJzL3RoZXJtYWwvdGhlcm1hbF9zeXNmcy5jIGIvZHJpdmVycy90aGVybWFsL3RoZXJtYWxfc3lz ZnMuYwppbmRleCA3ZTFkMTFiZGQyNTguLjgwMzNlNWE5Mzg2YSAxMDA2NDQKLS0tIGEvZHJpdmVy cy90aGVybWFsL3RoZXJtYWxfc3lzZnMuYworKysgYi9kcml2ZXJzL3RoZXJtYWwvdGhlcm1hbF9z eXNmcy5jCkBAIC03MDMsNyArNzAzLDcgQEAgY3VyX3N0YXRlX3N0b3JlKHN0cnVjdCBkZXZpY2Ug KmRldiwgc3RydWN0IGRldmljZV9hdHRyaWJ1dGUgKmF0dHIsCiAJCWNvbnN0IGNoYXIgKmJ1Ziwg c2l6ZV90IGNvdW50KQogewogCXN0cnVjdCB0aGVybWFsX2Nvb2xpbmdfZGV2aWNlICpjZGV2ID0g dG9fY29vbGluZ19kZXZpY2UoZGV2KTsKLQl1bnNpZ25lZCBsb25nIHN0YXRlOworCXVuc2lnbmVk IGxvbmcgc3RhdGUsIG1heF9zdGF0ZTsKIAlpbnQgcmVzdWx0OwogCiAJaWYgKHNzY2FuZihidWYs ICIlbGRcbiIsICZzdGF0ZSkgIT0gMSkKQEAgLTcxMiw2ICs3MTIsMTMgQEAgY3VyX3N0YXRlX3N0 b3JlKHN0cnVjdCBkZXZpY2UgKmRldiwgc3RydWN0IGRldmljZV9hdHRyaWJ1dGUgKmF0dHIsCiAJ aWYgKChsb25nKXN0YXRlIDwgMCkKIAkJcmV0dXJuIC1FSU5WQUw7CiAKKwlyZXN1bHQgPSBjZGV2 LT5vcHMtPmdldF9tYXhfc3RhdGUoY2RldiwgJm1heF9zdGF0ZSk7CisJaWYgKHJlc3VsdCkKKwkJ cmV0dXJuIHJlc3VsdDsKKworCWlmIChzdGF0ZSA+PSBtYXhfc3RhdGUpCisJCXJldHVybiAtRUlO VkFMOworCiAJbXV0ZXhfbG9jaygmY2Rldi0+bG9jayk7CiAKIAlyZXN1bHQgPSBjZGV2LT5vcHMt PnNldF9jdXJfc3RhdGUoY2Rldiwgc3RhdGUpOwotLSAKMi4yMC4xCgo= --0000000000001bff0005a2b36595--