From patchwork Thu Mar 21 14:56:09 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bethany Jamison <bethany.jamison@canonical.com>
X-Patchwork-Id: 1914458
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=185.125.189.65; helo=lists.ubuntu.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com;
 receiver=patchwork.ozlabs.org)
Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4V0pSr2P4fz1yWs
	for <incoming@patchwork.ozlabs.org>; Fri, 22 Mar 2024 01:56:43 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com)
	by lists.ubuntu.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1rnJqH-00087O-6T; Thu, 21 Mar 2024 14:56:29 +0000
Received: from smtp-relay-internal-0.internal ([10.131.114.225]
 helo=smtp-relay-internal-0.canonical.com)
 by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.86_2) (envelope-from <bethany.jamison@canonical.com>)
 id 1rnJq1-00084m-MJ
 for kernel-team@lists.ubuntu.com; Thu, 21 Mar 2024 14:56:13 +0000
Received: from mail-io1-f72.google.com (mail-io1-f72.google.com
 [209.85.166.72])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 465CF3F16A
 for <kernel-team@lists.ubuntu.com>; Thu, 21 Mar 2024 14:56:13 +0000 (UTC)
Received: by mail-io1-f72.google.com with SMTP id
 ca18e2360f4ac-7cc7a6a04d9so124249539f.3
 for <kernel-team@lists.ubuntu.com>; Thu, 21 Mar 2024 07:56:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1711032971; x=1711637771;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=DL8yKTlq6YPG2y4VO2BJGvzi3G20X1Ayj1vAsZ/YjkQ=;
 b=hlsLTQHppE3pF4adZQiLhu1DtVdpXV6Tqjd44gqLkjxDiOxerrnUQflPSXD6eEtAUA
 RQSjF8LQ5FJD80jWaHZZhPhC4Mzl2NieppAVaVjW5iXUqfes9Oz0T9X4GorbRfpj+/wJ
 N4Z8UI8pt70cJJ5Xeo36WpLcY31wAqjqlxZg09H7gkce60jxLBd+ZngDazRhqcZ76Hlm
 4KMEdAGTZAqmfM/7jMrghXjaoCl4WQ+sWGXovfpqtsWUmmaZX+iqUPhQDiSP/8HI+Nuw
 dUmbiQLG5FddWm89ihu8/cjVywLtSZgYKX6Oc9Jnfo542ohqCLXkCo2woBLLkFMKMEAy
 2iJQ==
X-Gm-Message-State: AOJu0YyAQuoVvKuzRT22a6kRlEc6bT1zAXcxxBDvtvAa2c+I8A1neYZv
 tfbkC8a+Paiple847JgJppvpbpUzp4hpLwU04d0M35XfzrhFkn9BNiXiSRyHXwrmBitud5lUw+X
 Wzu/bLW+JDLNZ6jVPLjo4B5wSvDsDcCKPBogZATNJ8MzQ9uK2tsKLmmm5MDeJ3V3/EJgePskBNs
 Y5XVQ4X6dgFA==
X-Received: by 2002:a05:6e02:20e3:b0:368:45aa:3ac with SMTP id
 q3-20020a056e0220e300b0036845aa03acmr3212906ilv.0.1711032971789;
 Thu, 21 Mar 2024 07:56:11 -0700 (PDT)
X-Google-Smtp-Source: 
 AGHT+IGR+yRpzFVVRfLuT4skjoCZ3+FMD4TkXJAIJ5Fi01RhOX9kn7eE1xkM2niPKZby02BGP9wODw==
X-Received: by 2002:a05:6e02:20e3:b0:368:45aa:3ac with SMTP id
 q3-20020a056e0220e300b0036845aa03acmr3212888ilv.0.1711032971550;
 Thu, 21 Mar 2024 07:56:11 -0700 (PDT)
Received: from smtp.gmail.com (104-218-69-129.dynamic.lnk.ne.allofiber.net.
 [104.218.69.129]) by smtp.gmail.com with ESMTPSA id
 c18-20020a056e02059200b0036850669876sm1565428ils.21.2024.03.21.07.56.11
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 21 Mar 2024 07:56:11 -0700 (PDT)
From: Bethany Jamison <bethany.jamison@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] thermal/drivers/cpufreq_cooling: Fix slab OOB
 issue
Date: Thu, 21 Mar 2024 09:56:09 -0500
Message-Id: <20240321145609.8159-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240321145609.8159-1-bethany.jamison@canonical.com>
References: <20240321145609.8159-1-bethany.jamison@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: brian-sy yang <brian-sy.yang@mediatek.com>

Slab OOB issue is scanned by KASAN in cpu_power_to_freq().
If power is limited below the power of OPP0 in EM table,
it will cause slab out-of-bound issue with negative array
index.

Return the lowest frequency if limited power cannot found
a suitable OPP in EM table to fix this issue.

Backtrace:
[<ffffffd02d2a37f0>] die+0x104/0x5ac
[<ffffffd02d2a5630>] bug_handler+0x64/0xd0
[<ffffffd02d288ce4>] brk_handler+0x160/0x258
[<ffffffd02d281e5c>] do_debug_exception+0x248/0x3f0
[<ffffffd02d284488>] el1_dbg+0x14/0xbc
[<ffffffd02d75d1d4>] __kasan_report+0x1dc/0x1e0
[<ffffffd02d75c2e0>] kasan_report+0x10/0x20
[<ffffffd02d75def8>] __asan_report_load8_noabort+0x18/0x28
[<ffffffd02e6fce5c>] cpufreq_power2state+0x180/0x43c
[<ffffffd02e6ead80>] power_actor_set_power+0x114/0x1d4
[<ffffffd02e6fac24>] allocate_power+0xaec/0xde0
[<ffffffd02e6f9f80>] power_allocator_throttle+0x3ec/0x5a4
[<ffffffd02e6ea888>] handle_thermal_trip+0x160/0x294
[<ffffffd02e6edd08>] thermal_zone_device_check+0xe4/0x154
[<ffffffd02d351cb4>] process_one_work+0x5e4/0xe28
[<ffffffd02d352f44>] worker_thread+0xa4c/0xfac
[<ffffffd02d360124>] kthread+0x33c/0x358
[<ffffffd02d289940>] ret_from_fork+0xc/0x18

Fixes: 371a3bc79c11b ("thermal/drivers/cpufreq_cooling: Fix wrong frequency converted from power")
Signed-off-by: brian-sy yang <brian-sy.yang@mediatek.com>
Signed-off-by: Michael Kao <michael.kao@mediatek.com>
Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
Cc: stable@vger.kernel.org #v5.7
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20201229050831.19493-1-michael.kao@mediatek.com
(backported from commit 34ab17cc6c2c1ac93d7e5d53bb972df9a968f085)
[bjamison: context conflict - fix commit changes the range of a for-loop from
[0, max_level] to (0, max_level], Focal's for-loop is set-up differently
than upstream, I changed the range from [0, max_level) to match the fix range]
CVE-2020-36776
Signed-off-by: Bethany Jamison <bethany.jamison@canonical.com>
---
 drivers/thermal/cpu_cooling.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/thermal/cpu_cooling.c b/drivers/thermal/cpu_cooling.c
index 9d24bc05df0da..ba3df71bb877f 100644
--- a/drivers/thermal/cpu_cooling.c
+++ b/drivers/thermal/cpu_cooling.c
@@ -210,7 +210,7 @@ static u32 cpu_power_to_freq(struct cpufreq_cooling_device *cpufreq_cdev,
 	int i;
 	struct freq_table *freq_table = cpufreq_cdev->freq_table;
 
-	for (i = 0; i < cpufreq_cdev->max_level; i++)
+	for (i = 1; i <= cpufreq_cdev->max_level; i++)
 		if (power >= freq_table[i].power)
 			break;