From: Muhammad Bilal
To: hdegoede@redhat.com, ilpo.jarvinen@linux.intel.com, jorge.lopez2@hp.com, Thomas.Weissschuh@linutronix.de, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Mario Limonciello, Armin Wolf, Muhammad Bilal
Subject: [PATCH v2 1/3] platform/x86: hp-bioscfg: pass validated element count to package parsers
Date: Sat, 4 Jul 2026 21:07:57 +0500
Message-ID: <20260704160759.236249-2-meatuni001@gmail.com>
In-Reply-To: <20260704160759.236249-1-meatuni001@gmail.com>
References: <20260704160759.236249-1-meatuni001@gmail.com>

hp_init_bios_package_attribute() validates obj->package.count against min_elements and then hands off elements = obj->package.elements to one of the five per-type hp_populate_*_package_data() wrappers (string, integer, enumeration, ordered list, password). None of these wrappers receive that validated count. Instead each one re-derives it locally:

    hp_populate_integer_elements_from_package(integer_obj,
                                              integer_obj->package.count,
                                              instance_id);

integer_obj here is elements, i.e. a pointer to elements[0] (the NAME field, always ACPI_TYPE_STRING). Reading ->package.count off a string object aliases ->string.length in the underlying union acpi_object, so the "count" passed down is not the real package size at all.

For string, integer, enumeration and password attributes, hp_populate_*_elements_from_package() bounds its iteration using the corresponding per-type ELEM_CNT constant (STR_ELEM_CNT, INT_ELEM_CNT, ENUM_ELEM_CNT and PSWD_ELEM_CNT). This relies on hp_init_bios_package_attribute() rejecting packages with fewer than ELEM_CNT elements before invoking the parsers. Relaxing that check would allow shorter packages to reach these functions, making the fixed loop bounds unsafe.

hp_populate_ordered_list_elements_from_package() doesn't even use the count for its main loop bound - it iterates unconditionally up to ORD_ELEM_CNT:

    for (elem = 1, eloc = 1; eloc < ORD_ELEM_CNT; elem++, eloc++)

which relies entirely on the same coincidence.

This is only safe as long as every caller is guaranteed to hand these functions a package with at least ELEM_CNT real elements. A following change relaxes that guarantee to allow shorter packages through, which would turn this into a real out-of-bounds heap read of the elements[] array once the real count drops below the fixed ELEM_CNT loop bound.

Fix this at the source: thread the real, already-validated obj->package.count down through each *_package_data() wrapper instead of letting the per-type code guess at it, and use it to also bound hp_populate_ordered_list_elements_from_package()'s main loop. This is a no-op for any package that already meets the existing ELEM_CNT minimums, and is a prerequisite for safely accepting shorter packages.

Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal
--- drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 5 +++++ drivers/platform/x86/hp/hp-bioscfg/bioscfg.h | 5 +++++ drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 3 ++- drivers/platform/x86/hp/hp-bioscfg/int-attributes.c | 3 ++- drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 7 ++++--- drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +++-- drivers/platform/x86/hp/hp-bioscfg/string-attributes.c | 3 ++- 7 files changed, 23 insertions(+), 8 deletions(-) diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platfor= m/x86/hp/hp-bioscfg/bioscfg.c index 27fd6cd215290..768330d291da8 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c +++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c 
@@ -731,26 +731,31 @@ static int hp_init_bios_package_attribute(enum hp_wmi= _data_type attr_type, switch (attr_type) { case HPWMI_STRING_TYPE: ret =3D hp_populate_string_package_data(elements, + obj->package.count, instance_id, attr_name_kobj); break; case HPWMI_INTEGER_TYPE: ret =3D hp_populate_integer_package_data(elements, + obj->package.count, instance_id, attr_name_kobj); break; case HPWMI_ENUMERATION_TYPE: ret =3D hp_populate_enumeration_package_data(elements, + obj->package.count, instance_id, attr_name_kobj); break; case HPWMI_ORDERED_LIST_TYPE: ret =3D hp_populate_ordered_list_package_data(elements, + obj->package.count, instance_id, attr_name_kobj); break; case HPWMI_PASSWORD_TYPE: ret =3D hp_populate_password_package_data(elements, + obj->package.count, instance_id, attr_name_kobj); break; diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h b/drivers/platfor= m/x86/hp/hp-bioscfg/bioscfg.h index f1eec0e4ba075..416d7e7aaaae3 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h +++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h @@ -401,6 +401,7 @@ int hp_populate_string_buffer_data(u8 *buffer_ptr, u32 = *buffer_size, int hp_alloc_string_data(void); void hp_exit_string_attributes(void); int hp_populate_string_package_data(union acpi_object *str_obj, + int str_obj_count, int instance_id, struct kobject *attr_name_kobj); =20 @@ -411,6 +412,7 @@ int hp_populate_integer_buffer_data(u8 *buffer_ptr, u32= *buffer_size, int hp_alloc_integer_data(void); void hp_exit_integer_attributes(void); int hp_populate_integer_package_data(union acpi_object *integer_obj, + int integer_obj_count, int instance_id, struct kobject *attr_name_kobj); =20 @@ -421,6 +423,7 @@ int hp_populate_enumeration_buffer_data(u8 *buffer_ptr,= u32 *buffer_size, int hp_alloc_enumeration_data(void); void hp_exit_enumeration_attributes(void); int hp_populate_enumeration_package_data(union acpi_object *enum_obj, + int enum_obj_count, int instance_id, struct kobject *attr_name_kobj); =20 
@@ -432,6 +435,7 @@ int hp_populate_ordered_list_buffer_data(u8 *buffer_ptr, int hp_alloc_ordered_list_data(void); void hp_exit_ordered_list_attributes(void); int hp_populate_ordered_list_package_data(union acpi_object *order_obj, + int order_obj_count, int instance_id, struct kobject *attr_name_kobj); =20 @@ -440,6 +444,7 @@ int hp_populate_password_buffer_data(u8 *buffer_ptr, u3= 2 *buffer_size, int instance_id, struct kobject *attr_name_kobj); int hp_populate_password_package_data(union acpi_object *password_obj, + int password_obj_count, int instance_id, struct kobject *attr_name_kobj); int hp_alloc_password_data(void); diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers= /platform/x86/hp/hp-bioscfg/enum-attributes.c index af4d1920d4880..3aa2c440e0528 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c +++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c @@ -304,6 +304,7 @@ static int hp_populate_enumeration_elements_from_packag= e(union acpi_object *enum * @attr_name_kobj: The parent kernel object */ int hp_populate_enumeration_package_data(union acpi_object *enum_obj, + int enum_obj_count, int instance_id, struct kobject *attr_name_kobj) { @@ -312,7 +313,7 @@ int hp_populate_enumeration_package_data(union acpi_obj= ect *enum_obj, enum_data->attr_name_kobj =3D attr_name_kobj; =20 hp_populate_enumeration_elements_from_package(enum_obj, - enum_obj->package.count, + enum_obj_count, instance_id); hp_update_attribute_permissions(enum_data->common.is_readonly, &enumeration_current_val); diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/= platform/x86/hp/hp-bioscfg/int-attributes.c index d96e160953e39..107e4cf1efb8a 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c +++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c 
@@ -279,6 +279,7 @@ static int hp_populate_integer_elements_from_package(un= ion acpi_object *integer_ * @attr_name_kobj: The parent kernel object */ int hp_populate_integer_package_data(union acpi_object *integer_obj, + int integer_obj_count, int instance_id, struct kobject *attr_name_kobj) { @@ -286,7 +287,7 @@ int hp_populate_integer_package_data(union acpi_object = *integer_obj, =20 integer_data->attr_name_kobj =3D attr_name_kobj; hp_populate_integer_elements_from_package(integer_obj, - integer_obj->package.count, + integer_obj_count, instance_id); hp_update_attribute_permissions(integer_data->common.is_readonly, &integer_current_val); diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/d= rivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c index f09489a085c86..a50d074125268 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c +++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c @@ -145,7 +145,7 @@ static int hp_populate_ordered_list_elements_from_packa= ge(union acpi_object *ord if (!order_obj) return -EINVAL; =20 - for (elem =3D 1, eloc =3D 1; eloc < ORD_ELEM_CNT; elem++, eloc++) { + for (elem =3D 1, eloc =3D 1; eloc < ORD_ELEM_CNT && elem < order_obj_coun= t; elem++, eloc++) { =20 switch (order_obj[elem].type) { case ACPI_TYPE_STRING: @@ -301,7 +301,8 @@ static int hp_populate_ordered_list_elements_from_packa= ge(union acpi_object *ord * @instance_id: The instance to enumerate * @attr_name_kobj: The parent kernel object */ -int hp_populate_ordered_list_package_data(union acpi_object *order_obj, in= t instance_id, +int hp_populate_ordered_list_package_data(union acpi_object *order_obj, in= t order_obj_count, + int instance_id, struct kobject *attr_name_kobj) { struct ordered_list_data *ordered_list_data =3D &bioscfg_drv.ordered_list= _data[instance_id]; 
@@ -309,7 +310,7 @@ int hp_populate_ordered_list_package_data(union acpi_ob= ject *order_obj, int inst ordered_list_data->attr_name_kobj =3D attr_name_kobj; =20 hp_populate_ordered_list_elements_from_package(order_obj, - order_obj->package.count, + order_obj_count, instance_id); hp_update_attribute_permissions(ordered_list_data->common.is_readonly, &ordered_list_current_val); diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/dr= ivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c index 4d79eb8056a5d..89316d90454d2 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c +++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c @@ -388,7 +388,8 @@ static int hp_populate_password_elements_from_package(u= nion acpi_object *passwor * @instance_id: The instance to enumerate * @attr_name_kobj: The parent kernel object */ -int hp_populate_password_package_data(union acpi_object *password_obj, int= instance_id, +int hp_populate_password_package_data(union acpi_object *password_obj, int= password_obj_count, + int instance_id, struct kobject *attr_name_kobj) { struct password_data *password_data =3D &bioscfg_drv.password_data[instan= ce_id]; @@ -396,7 +397,7 @@ int hp_populate_password_package_data(union acpi_object= *password_obj, int insta password_data->attr_name_kobj =3D attr_name_kobj; =20 hp_populate_password_elements_from_package(password_obj, - password_obj->package.count, + password_obj_count, instance_id); =20 hp_friendly_user_name_update(password_data->common.path, diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drive= rs/platform/x86/hp/hp-bioscfg/string-attributes.c index fe5a9a3a4ef17..da5e81f1d188f 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c +++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c 
@@ -267,6 +267,7 @@ static int hp_populate_string_elements_from_package(uni= on acpi_object *string_ob * @attr_name_kobj: The parent kernel object */ int hp_populate_string_package_data(union acpi_object *string_obj, + int string_obj_count, int instance_id, struct kobject *attr_name_kobj) { 
@@ -275,7 +276,7 @@ int hp_populate_string_package_data(union acpi_object *= string_obj, string_data->attr_name_kobj =3D attr_name_kobj; =20 hp_populate_string_elements_from_package(string_obj, - string_obj->package.count, + string_obj_count, instance_id); =20 hp_update_attribute_permissions(string_data->common.is_readonly, --=20 2.55.0
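Review bot: the kernel-doc blocks above the five hp_populate_*_package_data() definitions are not updated for the new parameter. In the enum-attributes.c hunk at -304,6 the context still ends at "@attr_name_kobj: The parent kernel object" and no "@enum_obj_count:" line is added; the int, order-list, passwdobj and string hunks show the same. Add one line per wrapper stating that the value is the element count of the package as validated by hp_init_bios_package_attribute(), so a later reader does not take it for something that can be read off the first element again.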
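Review bot: in the bioscfg.h hunk at -401,6 the prototype names the new argument str_obj_count (next to str_obj), while the definition in the string-attributes.c hunk at -267,6 uses string_obj and string_obj_count; use one spelling in both places. The count is also declared as plain int in all five prototypes, so please confirm that this matches the type of obj->package.count and of the loop counters it is compared against, so that the new bound is not subject to a signed/unsigned conversion.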
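Review bot: only the ordered-list loop gains a bound on the passed count ("eloc < ORD_ELEM_CNT && elem < order_obj_count" in the order-list-attributes.c hunk at -145,7). The enum, int, passwdobj and string files change nothing but the wrapper's argument, while the changelog says their parsers bound iteration with the per-type ELEM_CNT constant. If those four loops already stop at the count argument they receive, say so in the changelog; if they do not, they need the same "elem < count" condition in this patch, before 2/3 lets shorter packages through.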
From: Muhammad Bilal
To: hdegoede@redhat.com, ilpo.jarvinen@linux.intel.com, jorge.lopez2@hp.com, Thomas.Weissschuh@linutronix.de, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Mario Limonciello, Armin Wolf, Muhammad Bilal
Subject: [PATCH v2 2/3] platform/x86: hp-bioscfg: accept reduced ACPI packages from older HP BIOS
Date: Sat, 4 Jul 2026 21:07:58 +0500
Message-ID: <20260704160759.236249-3-meatuni001@gmail.com>
In-Reply-To: <20260704160759.236249-1-meatuni001@gmail.com>
References: <20260704160759.236249-1-meatuni001@gmail.com>

hp_init_bios_package_attribute() hard-fails when a WMI ACPI package contains fewer elements than the type-specific expected count (e.g. 11 elements instead of 13 for INTEGER or ENUMERATION attributes). This causes the entire hp_bioscfg driver to skip attribute enumeration on older HP hardware whose BIOS returns shortened packages when optional fields like prerequisites or possible values are absent.

Observed on HP EliteBook 840 G2 (BIOS M71 Ver. 01.31):

    hp_bioscfg: ACPI-package does not have enough elements: 11 < 13

The element layout has two tiers:
- Elements 0-9 (SECURITY_LEVEL+1 = 10): common to all attribute types
- Elements 10-N: type-specific (bounds, values, encodings, ...)

The per-type populate functions (hp_populate_*_elements_from_package) already handle sparse packages correctly via their own elem < count loop guards and inner-loop bounds checks. The only unsafe case is when we lack even the common elements needed to register the attribute.

Fix by introducing COMMON_ELEM_CNT to mark the hard minimum (10), and splitting the check into two tiers:
- Fewer than COMMON_ELEM_CNT elements: hard fail, can't proceed.
- Fewer than expected type-specific elements: warn, but let the populate function parse what is available.

Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal
--- drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 11 ++++++++--- drivers/platform/x86/hp/hp-bioscfg/bioscfg.h | 3 +++ 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platfor= m/x86/hp/hp-bioscfg/bioscfg.c index 768330d291da8..78019644ec358 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c +++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c @@ -661,12 +661,17 @@ static int hp_init_bios_package_attribute(enum hp_wmi= _data_type attr_type, int ret =3D 0; =20 /* Take action appropriate to each ACPI TYPE */ - if (obj->package.count < min_elements) { - pr_err("ACPI-package does not have enough elements: %d < %d\n", - obj->package.count, min_elements); + if (obj->package.count < COMMON_ELEM_CNT) { + pr_err("ACPI-package is missing common elements: %d < %d\n", + obj->package.count, COMMON_ELEM_CNT); goto pack_attr_exit; } =20 + if (obj->package.count < min_elements) { + pr_warn("ACPI-package has fewer elements than expected: %d < %d, parsing= available elements\n", + obj->package.count, min_elements); + } + elements =3D obj->package.elements; =20 /* sanity checking */ diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h b/drivers/platfor= m/x86/hp/hp-bioscfg/bioscfg.h index 416d7e7aaaae3..ac57d6eab4c35 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h +++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.h 
@@ -279,6 +279,9 @@ enum hp_wmi_data_elements { PSWD_ENCODINGS =3D 13, PSWD_IS_SET =3D 14, PSWD_ELEM_CNT =3D 15, + + /* Minimum elements shared by all attribute types (NAME..SECURITY_LEVEL) = */ + COMMON_ELEM_CNT =3D SECURITY_LEVEL + 1, }; =20 #define GET_INSTANCE_ID(type) \ --=20 2.55.0
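Review bot: the relaxed check in the bioscfg.c hunk at -661,12 is only as safe as every consumer of elements[] that runs after it, and the two changelogs disagree on that point. This one says the per-type populate functions already stop at "elem < count", while 1/3 says four of them bound iteration with the per-type ELEM_CNT constant; please reconcile the two descriptions, and guard any fixed-index access at or above COMMON_ELEM_CNT in the code that follows "/* sanity checking */". Separately, the new pr_warn is emitted for every short package, so on the firmware described it repeats for each affected attribute; consider pr_warn_once or pr_debug, and drop the braces around the single statement.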
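Review bot: COMMON_ELEM_CNT is appended at the very end of enum hp_wmi_data_elements, after PSWD_ELEM_CNT = 15 in the bioscfg.h hunk at -279,6, far from the SECURITY_LEVEL entry it is derived from. Defining it directly after SECURITY_LEVEL would keep the dependency visible, and the comment could state the resulting value (10) as the changelog does.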
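The union aliasing described in the 1/3 changelog and the two-tier count check described in the 2/3 changelog, as an added user-space example that is not part of the posted series or of the hp-bioscfg driver. `union acpi_object_model`, `rederived_count()`, `walk()`, `loop_limit()` and the 11-element sample package are constructed for illustration; indices past the end of the array are only counted, never read.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model of the members of the kernel's union acpi_object that
 * matter here; every name below is this example's own. */
enum { ACPI_TYPE_INTEGER = 1, ACPI_TYPE_STRING = 2, ACPI_TYPE_PACKAGE = 4 };

union acpi_object_model {
	uint32_t type;
	struct { uint32_t type; uint64_t value; } integer;
	struct { uint32_t type; uint32_t length; char *pointer; } string;
	struct { uint32_t type; uint32_t count;
		 union acpi_object_model *elements; } package;
};

/* Numbers taken from the page: 10 common elements, 13 expected, 11 supplied. */
enum { COMMON_ELEM_CNT = 10, EXPECTED_ELEM_CNT = 13, SUPPLIED_ELEM_CNT = 11 };

static char attr_name[] = "Constructed Name";	/* 16 characters */
static union acpi_object_model elems[SUPPLIED_ELEM_CNT];
static union acpi_object_model pkg;

/* Build a constructed 11-element package; elements[0] is the NAME string. */
static void build_sample(void)
{
	uint32_t i;

	elems[0].string.type = ACPI_TYPE_STRING;
	elems[0].string.length = sizeof(attr_name) - 1;
	elems[0].string.pointer = attr_name;
	for (i = 1; i < SUPPLIED_ELEM_CNT; i++) {
		elems[i].integer.type = ACPI_TYPE_INTEGER;
		elems[i].integer.value = i;
	}
	pkg.package.type = ACPI_TYPE_PACKAGE;
	pkg.package.count = SUPPLIED_ELEM_CNT;
	pkg.package.elements = elems;
}

/* The derivation the wrappers used before 1/3: .package.count read through
 * the elements[0] pointer overlays .string.length of the NAME string. */
static uint32_t rederived_count(const union acpi_object_model *elements)
{
	return elements->package.count;
}

struct walk_result { uint32_t read; uint32_t past_end; };

/* Visit indices 1..limit-1 the way a populate loop does. Indices at or
 * beyond real_count are tallied in past_end and never dereferenced. */
static struct walk_result walk(const union acpi_object_model *elements,
			       uint32_t real_count, uint32_t limit)
{
	struct walk_result r = { 0, 0 };
	uint32_t elem;

	for (elem = 1; elem < limit; elem++) {
		if (elem >= real_count) {
			r.past_end++;
			continue;
		}
		if (elements[elem].type == ACPI_TYPE_INTEGER ||
		    elements[elem].type == ACPI_TYPE_STRING)
			r.read++;
	}
	return r;
}

/* Two-tier check: -1 is the hard failure, otherwise the loop limit to use. */
static int loop_limit(const union acpi_object_model *p)
{
	uint32_t count = p->package.count;

	if (p->type != ACPI_TYPE_PACKAGE || count < COMMON_ELEM_CNT)
		return -1;
	return count < EXPECTED_ELEM_CNT ? (int)count : EXPECTED_ELEM_CNT;
}

int main(void)
{
	struct walk_result fixed, bounded;

	build_sample();
	fixed = walk(elems, pkg.package.count, EXPECTED_ELEM_CNT);
	bounded = walk(elems, pkg.package.count, (uint32_t)loop_limit(&pkg));
	printf("re-derived count %u, real count %u\n",
	       rederived_count(elems), pkg.package.count);
	printf("fixed bound: %u past end; validated count: %u past end\n",
	       fixed.past_end, bounded.past_end);
	return 0;
}
```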
From: Muhammad Bilal
To: hdegoede@redhat.com, ilpo.jarvinen@linux.intel.com, jorge.lopez2@hp.com, Thomas.Weissschuh@linutronix.de, platform-driver-x86@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Mario Limonciello, Armin Wolf, Muhammad Bilal
Subject: [PATCH v2 3/3] platform/x86: hp-bioscfg: warn on element type mismatch instead of failing
Date: Sat, 4 Jul 2026 21:07:59 +0500
Message-ID: <20260704160759.236249-4-meatuni001@gmail.com>
In-Reply-To: <20260704160759.236249-1-meatuni001@gmail.com>
References: <20260704160759.236249-1-meatuni001@gmail.com>

hp_populate_enumeration_elements_from_package() returns -EIO and aborts enumeration of the entire attribute when any single element has an unexpected ACPI type. This is observed on HP EliteBook 840 G2 when the BIOS returns malformed ACPI data following a failed WMI query:

    ACPI BIOS Error (bug): AE_AML_BUFFER_LIMIT, Index (0x000000032) is beyond end of object (length 0x32)
    ACPI Error: Aborting method \_SB.WMID.WQBE due to previous error
    Error expected type 2 for elem 13, but got type 1 instead
    hp_bioscfg: Returned error 0x3, "Invalid command value/Feature not supported"

A type mismatch on one element does not necessarily corrupt the attribute being built, especially for non-critical type-specific elements such as possible values or bounds. Failing fatally here discards attributes that could otherwise be partially useful.

Change the type mismatch handling from a fatal pr_err + return -EIO to a pr_warn + continue, freeing the accumulated string value and skipping the affected element. The attribute is still registered with whatever valid elements the BIOS did supply.

Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal
--- drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers= /platform/x86/hp/hp-bioscfg/enum-attributes.c index 3aa2c440e0528..b834303e5bc79 100644 --- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c +++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c @@ -163,10 +163,11 @@ static int hp_populate_enumeration_elements_from_pack= age(union acpi_object *enum =20 /* Check that both expected and read object type match */ if (expected_enum_types[eloc] !=3D enum_obj[elem].type) { - pr_err("Error expected type %d for elem %d, but got type %d instead\n", - expected_enum_types[eloc], elem, enum_obj[elem].type); + pr_warn("Unexpected element type at elem %d: expected %d, got %d, skipp= ing\n", + elem, expected_enum_types[eloc], enum_obj[elem].type); kfree(str_value); - return -EIO; + str_value =3D NULL; + continue; } =20 /* Assign appropriate element value to corresponding field */ --=20 2.55.0
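Review bot: the mismatch branch in the enum-attributes.c hunk at -163,10 now continues for every element index, including the common elements that 2/3 treats as the hard minimum for registering an attribute, whereas the changelog argues only for non-critical type-specific elements. Consider keeping "return -EIO" while eloc is below COMMON_ELEM_CNT and skipping only above it, and check that the fields a skipped element leaves unset have a defined default and that the function's return value still tells the caller something was dropped. Resetting str_value to NULL after the kfree() is needed now that the loop goes on. The subject line is generic, but the diffstat shows only the enumeration parser changing; either name it in the subject or say why the other parsers are left as they are.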