| Message ID | 20240503-mtk-thermal-lvts-ctrl-idx-fix-v1-2-f605c50ca117@baylibre.com (mailing list archive) |
|---|---|
| State | New |
| Delegated to: | Daniel Lezcano |
| Headers | show |
| Series | Mediatek lvts_thermal driver: Fix wrong lvts_ctrl index | expand |
On Fri, 3 May 2024, Julien Panis wrote: > In 'lvts_should_update_thresh()' and 'lvts_ctrl_start()' functions, > the parameter passed to 'lvts_for_each_valid_sensor()' macro is always > 'lvts_ctrl->lvts_data->lvts_ctrl'. In other words, the array index 0 > is systematically passed as 'struct lvts_ctrl_data' type item, even > when another item should be consumed instead. > > Hence, the 'valid_sensor_mask' value which is selected can be wrong > because unrelated to the 'struct lvts_ctrl_data' type item that should > be used. Hence, some thermal zone can be registered for a sensor 'i' > that does not actually exist. Because of the invalid address used > as 'lvts_sensor[i].msr', this situation ends up with a crash in > 'lvts_get_temp()' function, where this 'msr' pointer is passed to > 'readl_poll_timeout()' function. The following message is output: > "Unable to handle kernel NULL pointer dereference at virtual > address <msr>", with <msr> = 0. > > This patch fixes the issue. > > Fixes: 11e6f4c31447 ("thermal/drivers/mediatek/lvts_thermal: Allow early empty sensor slots") > Signed-off-by: Julien Panis <jpanis@baylibre.com> Reviewed-by: Nicolas Pitre <npitre@baylibre.com> > --- > drivers/thermal/mediatek/lvts_thermal.c | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c > index 18a796386cd0..d7df6f09938b 100644 > --- a/drivers/thermal/mediatek/lvts_thermal.c > +++ b/drivers/thermal/mediatek/lvts_thermal.c > @@ -116,9 +116,9 @@ struct lvts_ctrl_data { > ((s2) ? BIT(2) : 0) | \ > ((s3) ? BIT(3) : 0)) > > -#define lvts_for_each_valid_sensor(i, lvts_ctrl_data) \ > +#define lvts_for_each_valid_sensor(i, lvts_ctrl) \ > for ((i) = 0; (i) < LVTS_SENSOR_MAX; (i)++) \ > - if (!((lvts_ctrl_data)->valid_sensor_mask & BIT(i))) \ > + if (!((lvts_ctrl)->valid_sensor_mask & BIT(i))) \ > continue; \ > else > > @@ -145,6 +145,7 @@ struct lvts_ctrl { > const struct lvts_data *lvts_data; > u32 calibration[LVTS_SENSOR_MAX]; > u32 hw_tshut_raw_temp; > + u8 valid_sensor_mask; > int mode; > void __iomem *base; > int low_thresh; > @@ -356,7 +357,7 @@ static bool lvts_should_update_thresh(struct lvts_ctrl *lvts_ctrl, int high) > if (high > lvts_ctrl->high_thresh) > return true; > > - lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl) > + lvts_for_each_valid_sensor(i, lvts_ctrl) > if (lvts_ctrl->sensors[i].high_thresh == lvts_ctrl->high_thresh > && lvts_ctrl->sensors[i].low_thresh == lvts_ctrl->low_thresh) > return false; > @@ -617,6 +618,8 @@ static int lvts_sensor_init(struct device *dev, struct lvts_ctrl *lvts_ctrl, > lvts_sensor[i].high_thresh = INT_MIN; > }; > > + lvts_ctrl->valid_sensor_mask = lvts_ctrl_data->valid_sensor_mask; > + > return 0; > } > > @@ -1112,7 +1115,7 @@ static int lvts_ctrl_start(struct device *dev, struct lvts_ctrl *lvts_ctrl) > u32 *sensor_bitmap = lvts_ctrl->mode == LVTS_MSR_IMMEDIATE_MODE ? > sensor_imm_bitmap : sensor_filt_bitmap; > > - lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl) { > + lvts_for_each_valid_sensor(i, lvts_ctrl) { > > int dt_id = lvts_sensors[i].dt_id; > > > -- > 2.37.3 > >
Il 03/05/24 17:35, Julien Panis ha scritto: > In 'lvts_should_update_thresh()' and 'lvts_ctrl_start()' functions, > the parameter passed to 'lvts_for_each_valid_sensor()' macro is always > 'lvts_ctrl->lvts_data->lvts_ctrl'. In other words, the array index 0 > is systematically passed as 'struct lvts_ctrl_data' type item, even > when another item should be consumed instead. > > Hence, the 'valid_sensor_mask' value which is selected can be wrong > because unrelated to the 'struct lvts_ctrl_data' type item that should > be used. Hence, some thermal zone can be registered for a sensor 'i' > that does not actually exist. Because of the invalid address used > as 'lvts_sensor[i].msr', this situation ends up with a crash in > 'lvts_get_temp()' function, where this 'msr' pointer is passed to > 'readl_poll_timeout()' function. The following message is output: > "Unable to handle kernel NULL pointer dereference at virtual > address <msr>", with <msr> = 0. > > This patch fixes the issue. > > Fixes: 11e6f4c31447 ("thermal/drivers/mediatek/lvts_thermal: Allow early empty sensor slots") > Signed-off-by: Julien Panis <jpanis@baylibre.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c index 18a796386cd0..d7df6f09938b 100644 --- a/drivers/thermal/mediatek/lvts_thermal.c +++ b/drivers/thermal/mediatek/lvts_thermal.c @@ -116,9 +116,9 @@ struct lvts_ctrl_data { ((s2) ? BIT(2) : 0) | \ ((s3) ? BIT(3) : 0)) -#define lvts_for_each_valid_sensor(i, lvts_ctrl_data) \ +#define lvts_for_each_valid_sensor(i, lvts_ctrl) \ for ((i) = 0; (i) < LVTS_SENSOR_MAX; (i)++) \ - if (!((lvts_ctrl_data)->valid_sensor_mask & BIT(i))) \ + if (!((lvts_ctrl)->valid_sensor_mask & BIT(i))) \ continue; \ else @@ -145,6 +145,7 @@ struct lvts_ctrl { const struct lvts_data *lvts_data; u32 calibration[LVTS_SENSOR_MAX]; u32 hw_tshut_raw_temp; + u8 valid_sensor_mask; int mode; void __iomem *base; int low_thresh; @@ -356,7 +357,7 @@ static bool lvts_should_update_thresh(struct lvts_ctrl *lvts_ctrl, int high) if (high > lvts_ctrl->high_thresh) return true; - lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl) + lvts_for_each_valid_sensor(i, lvts_ctrl) if (lvts_ctrl->sensors[i].high_thresh == lvts_ctrl->high_thresh && lvts_ctrl->sensors[i].low_thresh == lvts_ctrl->low_thresh) return false; @@ -617,6 +618,8 @@ static int lvts_sensor_init(struct device *dev, struct lvts_ctrl *lvts_ctrl, lvts_sensor[i].high_thresh = INT_MIN; }; + lvts_ctrl->valid_sensor_mask = lvts_ctrl_data->valid_sensor_mask; + return 0; } @@ -1112,7 +1115,7 @@ static int lvts_ctrl_start(struct device *dev, struct lvts_ctrl *lvts_ctrl) u32 *sensor_bitmap = lvts_ctrl->mode == LVTS_MSR_IMMEDIATE_MODE ? sensor_imm_bitmap : sensor_filt_bitmap; - lvts_for_each_valid_sensor(i, lvts_ctrl->lvts_data->lvts_ctrl) { + lvts_for_each_valid_sensor(i, lvts_ctrl) { int dt_id = lvts_sensors[i].dt_id;
In 'lvts_should_update_thresh()' and 'lvts_ctrl_start()' functions, the parameter passed to 'lvts_for_each_valid_sensor()' macro is always 'lvts_ctrl->lvts_data->lvts_ctrl'. In other words, the array index 0 is systematically passed as 'struct lvts_ctrl_data' type item, even when another item should be consumed instead. Hence, the 'valid_sensor_mask' value which is selected can be wrong because unrelated to the 'struct lvts_ctrl_data' type item that should be used. Hence, some thermal zone can be registered for a sensor 'i' that does not actually exist. Because of the invalid address used as 'lvts_sensor[i].msr', this situation ends up with a crash in 'lvts_get_temp()' function, where this 'msr' pointer is passed to 'readl_poll_timeout()' function. The following message is output: "Unable to handle kernel NULL pointer dereference at virtual address <msr>", with <msr> = 0. This patch fixes the issue. Fixes: 11e6f4c31447 ("thermal/drivers/mediatek/lvts_thermal: Allow early empty sensor slots") Signed-off-by: Julien Panis <jpanis@baylibre.com> --- drivers/thermal/mediatek/lvts_thermal.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)