In 'lvts_should_update_thresh()' and 'lvts_ctrl_start()' functions,
the parameter passed to 'lvts_for_each_valid_sensor()' macro is always
'lvts_ctrl->lvts_data->lvts_ctrl'. In other words, the array index 0
is systematically passed as 'struct lvts_ctrl_data' type item, even
when another item should be consumed instead.
Hence, the 'valid_sensor_mask' value which is selected can be wrong
because unrelated to the 'struct lvts_ctrl_data' type item that should
be used. Hence, some thermal zone can be registered for a sensor 'i'
that does not actually exist. Because of the invalid address used
as 'lvts_sensor[i].msr', this situation ends up with a crash in
'lvts_get_temp()' function, where this 'msr' pointer is passed to
'readl_poll_timeout()' function. The following message is output:
"Unable to handle kernel NULL pointer dereference at virtual
address <msr>", with <msr> = 0.
This patch fixes the issue.
Fixes: 11e6f4c31447 ("thermal/drivers/mediatek/lvts_thermal: Allow early empty sensor slots")
Signed-off-by: Julien Panis <jpanis@baylibre.com>
---
drivers/thermal/mediatek/lvts_thermal.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c
index 18a796386cd0..d7df6f09938b 100644
--- a/drivers/thermal/mediatek/lvts_thermal.c
+++ b/drivers/thermal/mediatek/lvts_thermal.c
@@ -116,9 +116,9 @@ struct lvts_ctrl_data {
((s2) ? BIT(2) : 0) | \
((s3) ? BIT(3) : 0))
-#define lvts_for_each_valid_sensor(i, lvts_ctrl_data) \
+#define lvts_for_each_valid_sensor(i, lvts_ctrl) \
for ((i) = 0; (i) < LVTS_SENSOR_MAX; (i)++) \
- if (!((lvts_ctrl_data)->valid_sensor_mask & BIT(i))) \
+ if (!((lvts_ctrl)->valid_sensor_mask & BIT(i))) \
continue; \
else
@@ -145,6 +145,7 @@ struct lvts_ctrl {
const struct lvts_data *lvts_data;
u32 calibration[LVTS_SENSOR_MAX];
u32 hw_tshut_raw_temp;
+ u8 valid_sensor_mask;
int mode;
void __iomem *base;
int low_thresh;
@@ -356,7 +357,7 @@ static bool lvts_should_update_thresh(struct lvts_ctrl *lvts_ctrl, int high)
if (high > lvts_ctrl->high_thresh)
return true;
- lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl)
+ lvts_for_each_valid_sensor(i, lvts_ctrl)
if (lvts_ctrl->sensors[i].high_thresh == lvts_ctrl->high_thresh
&& lvts_ctrl->sensors[i].low_thresh == lvts_ctrl->low_thresh)
return false;
@@ -617,6 +618,8 @@ static int lvts_sensor_init(struct device *dev, struct lvts_ctrl *lvts_ctrl,
lvts_sensor[i].high_thresh = INT_MIN;
};
+ lvts_ctrl->valid_sensor_mask = lvts_ctrl_data->valid_sensor_mask;
+
return 0;
}
@@ -1112,7 +1115,7 @@ static int lvts_ctrl_start(struct device *dev, struct lvts_ctrl *lvts_ctrl)
u32 *sensor_bitmap = lvts_ctrl->mode == LVTS_MSR_IMMEDIATE_MODE ?
sensor_imm_bitmap : sensor_filt_bitmap;
- lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl) {
+ lvts_for_each_valid_sensor(i, lvts_ctrl) {
int dt_id = lvts_sensors[i].dt_id;
--
2.37.3
Il 03/05/24 17:35, Julien Panis ha scritto: > In 'lvts_should_update_thresh()' and 'lvts_ctrl_start()' functions, > the parameter passed to 'lvts_for_each_valid_sensor()' macro is always > 'lvts_ctrl->lvts_data->lvts_ctrl'. In other words, the array index 0 > is systematically passed as 'struct lvts_ctrl_data' type item, even > when another item should be consumed instead. > > Hence, the 'valid_sensor_mask' value which is selected can be wrong > because unrelated to the 'struct lvts_ctrl_data' type item that should > be used. Hence, some thermal zone can be registered for a sensor 'i' > that does not actually exist. Because of the invalid address used > as 'lvts_sensor[i].msr', this situation ends up with a crash in > 'lvts_get_temp()' function, where this 'msr' pointer is passed to > 'readl_poll_timeout()' function. The following message is output: > "Unable to handle kernel NULL pointer dereference at virtual > address <msr>", with <msr> = 0. > > This patch fixes the issue. > > Fixes: 11e6f4c31447 ("thermal/drivers/mediatek/lvts_thermal: Allow early empty sensor slots") > Signed-off-by: Julien Panis <jpanis@baylibre.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
On Fri, 3 May 2024, Julien Panis wrote: > In 'lvts_should_update_thresh()' and 'lvts_ctrl_start()' functions, > the parameter passed to 'lvts_for_each_valid_sensor()' macro is always > 'lvts_ctrl->lvts_data->lvts_ctrl'. In other words, the array index 0 > is systematically passed as 'struct lvts_ctrl_data' type item, even > when another item should be consumed instead. > > Hence, the 'valid_sensor_mask' value which is selected can be wrong > because unrelated to the 'struct lvts_ctrl_data' type item that should > be used. Hence, some thermal zone can be registered for a sensor 'i' > that does not actually exist. Because of the invalid address used > as 'lvts_sensor[i].msr', this situation ends up with a crash in > 'lvts_get_temp()' function, where this 'msr' pointer is passed to > 'readl_poll_timeout()' function. The following message is output: > "Unable to handle kernel NULL pointer dereference at virtual > address <msr>", with <msr> = 0. > > This patch fixes the issue. > > Fixes: 11e6f4c31447 ("thermal/drivers/mediatek/lvts_thermal: Allow early empty sensor slots") > Signed-off-by: Julien Panis <jpanis@baylibre.com> Reviewed-by: Nicolas Pitre <npitre@baylibre.com> > --- > drivers/thermal/mediatek/lvts_thermal.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c > index 18a796386cd0..d7df6f09938b 100644 > --- a/drivers/thermal/mediatek/lvts_thermal.c > +++ b/drivers/thermal/mediatek/lvts_thermal.c > @@ -116,9 +116,9 @@ struct lvts_ctrl_data { > ((s2) ? BIT(2) : 0) | \ > ((s3) ? BIT(3) : 0)) > > -#define lvts_for_each_valid_sensor(i, lvts_ctrl_data) \ > +#define lvts_for_each_valid_sensor(i, lvts_ctrl) \ > for ((i) = 0; (i) < LVTS_SENSOR_MAX; (i)++) \ > - if (!((lvts_ctrl_data)->valid_sensor_mask & BIT(i))) \ > + if (!((lvts_ctrl)->valid_sensor_mask & BIT(i))) \ > continue; \ > else > > @@ -145,6 +145,7 @@ struct lvts_ctrl { > const struct lvts_data *lvts_data; > u32 calibration[LVTS_SENSOR_MAX]; > u32 hw_tshut_raw_temp; > + u8 valid_sensor_mask; > int mode; > void __iomem *base; > int low_thresh; > @@ -356,7 +357,7 @@ static bool lvts_should_update_thresh(struct lvts_ctrl *lvts_ctrl, int high) > if (high > lvts_ctrl->high_thresh) > return true; > > - lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl) > + lvts_for_each_valid_sensor(i, lvts_ctrl) > if (lvts_ctrl->sensors[i].high_thresh == lvts_ctrl->high_thresh > && lvts_ctrl->sensors[i].low_thresh == lvts_ctrl->low_thresh) > return false; > @@ -617,6 +618,8 @@ static int lvts_sensor_init(struct device *dev, struct lvts_ctrl *lvts_ctrl, > lvts_sensor[i].high_thresh = INT_MIN; > }; > > + lvts_ctrl->valid_sensor_mask = lvts_ctrl_data->valid_sensor_mask; > + > return 0; > } > > @@ -1112,7 +1115,7 @@ static int lvts_ctrl_start(struct device *dev, struct lvts_ctrl *lvts_ctrl) > u32 *sensor_bitmap = lvts_ctrl->mode == LVTS_MSR_IMMEDIATE_MODE ? > sensor_imm_bitmap : sensor_filt_bitmap; > > - lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl) { > + lvts_for_each_valid_sensor(i, lvts_ctrl) { > > int dt_id = lvts_sensors[i].dt_id; > > > -- > 2.37.3 > >
© 2016 - 2024 Red Hat, Inc.