[RFC,4/5] thermal: Add a sanity check for invalid state at stats update

Message ID 20200408041917.2329-4-rui.zhang@intel.com
State New
Headers show
Series
  • Untitled series #38409
Related show

Commit Message

Zhang Rui April 8, 2020, 4:19 a.m.
From: Takashi Iwai <tiwai@suse.de>

This is from the origin changelog
"The thermal sysfs handler keeps the statistics table with the fixed
size that was determined from the initial max_states() call, and the
table entry is updated at each sysfs cur_state write call.  And, when
the driver's set_cur_state() ops accepts the value given from
user-space, the thermal sysfs core blindly applies it to the
statistics table entry, which may overflow and cause an Oops.
Although it's rather a bug in the driver's ops implementations, we
shouldn't crash but rather give a proper warning instead.

This patch adds a sanity check for avoiding such an OOB access and
warns with a stack trace to show the suspicious device in question."

Part of the problem described above is gone, but I'd like to keep this
patch so that we can detect the other max_state changes from other
drivers, and fix the drivers by invoking
thermal_cdev_stats_update_max() when necessary.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
---
 drivers/thermal/thermal_sysfs.c | 5 +++++
 1 file changed, 5 insertions(+)

Patch

diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c
index 96e4a445952f..e0e21c67e78a 100644
--- a/drivers/thermal/thermal_sysfs.c
+++ b/drivers/thermal/thermal_sysfs.c
@@ -779,6 +779,11 @@  void thermal_cdev_stats_update_cur(struct thermal_cooling_device *cdev,
 
 	spin_lock(&stats->lock);
 
+	if (dev_WARN_ONCE(&cdev->device, new_state >= stats->max_states,
+			  "new state %ld exceeds max_state %ld",
+			  new_state, stats->max_states))
+		goto unlock;
+
 	if (stats->state == new_state)
 		goto unlock;