1. Patchew
  2. linux
  3. View series

[PATCH] ACPI: CPPC: Suppress UBSAN warning caused by field misuse

Jeremy Linton posted 1 patch 6 days, 4 hours ago 
drivers/acpi/cppc_acpi.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
[PATCH] ACPI: CPPC: Suppress UBSAN warning caused by field misuse
Posted by Jeremy Linton 6 days, 4 hours ago 
The definition of reg->access_width changes depending on the
reg->space_id type.  Type ACPI_ADR_SPACE_PLATFORM_COMM uses
access_width to indicate the PCC region, which can result in a UBSAN
if the value is greater than 4.

For example:

 UBSAN: shift-out-of-bounds in drivers/acpi/cppc_acpi.c:1090:9
 shift exponent 32 is too large for 32-bit type 'int'
 CPU: 61 UID: 0 PID: 1220 Comm: (udev-worker) Not tainted 7.0.10-201.fc44.aarch64 #1 PREEMPT(lazy)
 Hardware name: To be filled by O.E.M.
 Call trace:
  ...(trimming)
  ubsan_epilogue+0x10/0x48
  __ubsan_handle_shift_out_of_bounds+0xdc/0x1e0
  cpc_write+0x4d0/0x670
  cppc_set_perf+0x18c/0x490
  cppc_cpufreq_cpu_init+0x1c8/0x380 [cppc_cpufreq]
  ... (trimming)

Lets fix this by validating the region type, as well as whether
access_width has a value. Then since we are returning bit_width
directly for ACPI_ADR_SPACE_PLATFORM_COMM, drop the code correcting
the size.

Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses")
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
---
 drivers/acpi/cppc_acpi.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
index f370be8715ae..34edec0f2bde 100644
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -185,8 +185,13 @@ show_cppc_data(cppc_get_perf_caps, cppc_perf_caps, nominal_freq);
 
 show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time);
 
-/* Check for valid access_width, otherwise, fallback to using bit_width */
-#define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
+/*
+ * PCC reuses the access_width field as the subspace id, so only decode access
+ * size for non-PCC registers. Otherwise, use the bit_width.
+ */
+#define GET_BIT_WIDTH(reg) (((reg)->access_width &&				\
+			     (reg)->space_id != ACPI_ADR_SPACE_PLATFORM_COMM) ? \
+			    (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
 
 /* Shift and apply the mask for CPC reads/writes */
 #define MASK_VAL_READ(reg, val) (((val) >> (reg)->bit_offset) &				\
@@ -1045,7 +1050,6 @@ static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val)
 		 * by the bit width field; the access size is used to indicate
 		 * the PCC subspace id.
 		 */
-		size = reg->bit_width;
 		vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id);
 	}
 	else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
@@ -1118,7 +1122,6 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
 		 * by the bit width field; the access size is used to indicate
 		 * the PCC subspace id.
 		 */
-		size = reg->bit_width;
 		vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id);
 	}
 	else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
-- 
2.54.0
Re: [PATCH] ACPI: CPPC: Suppress UBSAN warning caused by field misuse
Posted by Easwar Hariharan 2 days, 11 hours ago 
On 6/1/2026 16:58, Jeremy Linton wrote:
> The definition of reg->access_width changes depending on the
> reg->space_id type.  Type ACPI_ADR_SPACE_PLATFORM_COMM uses
> access_width to indicate the PCC region, which can result in a UBSAN
> if the value is greater than 4.
> 
> For example:
> 
>  UBSAN: shift-out-of-bounds in drivers/acpi/cppc_acpi.c:1090:9
>  shift exponent 32 is too large for 32-bit type 'int'
>  CPU: 61 UID: 0 PID: 1220 Comm: (udev-worker) Not tainted 7.0.10-201.fc44.aarch64 #1 PREEMPT(lazy)
>  Hardware name: To be filled by O.E.M.
>  Call trace:
>   ...(trimming)
>   ubsan_epilogue+0x10/0x48
>   __ubsan_handle_shift_out_of_bounds+0xdc/0x1e0
>   cpc_write+0x4d0/0x670
>   cppc_set_perf+0x18c/0x490
>   cppc_cpufreq_cpu_init+0x1c8/0x380 [cppc_cpufreq]
>   ... (trimming)
> 
> Lets fix this by validating the region type, as well as whether
> access_width has a value. Then since we are returning bit_width
> directly for ACPI_ADR_SPACE_PLATFORM_COMM, drop the code correcting
> the size.
> 
> Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses")
> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
> ---
>  drivers/acpi/cppc_acpi.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
Reviewed-by: Easwar Hariharan <easwar.hariharan@linux.microsoft.com>
Re: [PATCH] ACPI: CPPC: Suppress UBSAN warning caused by field misuse
Posted by Jarred White 5 days, 9 hours ago 
On 6/1/2026 4:58 PM, Jeremy Linton wrote:
> The definition of reg->access_width changes depending on the
> reg->space_id type.  Type ACPI_ADR_SPACE_PLATFORM_COMM uses
> access_width to indicate the PCC region, which can result in a UBSAN
> if the value is greater than 4.
> 
> For example:
> 
>   UBSAN: shift-out-of-bounds in drivers/acpi/cppc_acpi.c:1090:9
>   shift exponent 32 is too large for 32-bit type 'int'
>   CPU: 61 UID: 0 PID: 1220 Comm: (udev-worker) Not tainted 7.0.10-201.fc44.aarch64 #1 PREEMPT(lazy)
>   Hardware name: To be filled by O.E.M.
>   Call trace:
>    ...(trimming)
>    ubsan_epilogue+0x10/0x48
>    __ubsan_handle_shift_out_of_bounds+0xdc/0x1e0
>    cpc_write+0x4d0/0x670
>    cppc_set_perf+0x18c/0x490
>    cppc_cpufreq_cpu_init+0x1c8/0x380 [cppc_cpufreq]
>    ... (trimming)
> 
> Lets fix this by validating the region type, as well as whether
> access_width has a value. Then since we are returning bit_width
> directly for ACPI_ADR_SPACE_PLATFORM_COMM, drop the code correcting
> the size.
> 
> Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses")
> Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
> ---
>   drivers/acpi/cppc_acpi.c | 11 +++++++----
>   1 file changed, 7 insertions(+), 4 deletions(-)
> 

This change looks good!
Tested-by: Jarred White <jarredwhite@linux.microsoft.com>
Reviewed-by: Jarred White <jarredwhite@linux.microsoft.com>

> diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
> index f370be8715ae..34edec0f2bde 100644
> --- a/drivers/acpi/cppc_acpi.c
> +++ b/drivers/acpi/cppc_acpi.c
> @@ -185,8 +185,13 @@ show_cppc_data(cppc_get_perf_caps, cppc_perf_caps, nominal_freq);
>   
>   show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time);
>   
> -/* Check for valid access_width, otherwise, fallback to using bit_width */
> -#define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
> +/*
> + * PCC reuses the access_width field as the subspace id, so only decode access
> + * size for non-PCC registers. Otherwise, use the bit_width.
> + */
> +#define GET_BIT_WIDTH(reg) (((reg)->access_width &&				\
> +			     (reg)->space_id != ACPI_ADR_SPACE_PLATFORM_COMM) ? \
> +			    (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
>   
>   /* Shift and apply the mask for CPC reads/writes */
>   #define MASK_VAL_READ(reg, val) (((val) >> (reg)->bit_offset) &				\
> @@ -1045,7 +1050,6 @@ static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val)
>   		 * by the bit width field; the access size is used to indicate
>   		 * the PCC subspace id.
>   		 */
> -		size = reg->bit_width;
>   		vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id);
>   	}
>   	else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
> @@ -1118,7 +1122,6 @@ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
>   		 * by the bit width field; the access size is used to indicate
>   		 * the PCC subspace id.
>   		 */
> -		size = reg->bit_width;
>   		vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id);
>   	}
>   	else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.