github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-07 05:55:44 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
2ee85ac1b2
linux/drivers/hwmon
History
Armin Wolf 517dba7987 hwmon: (gpio-fan) Fix array out of bounds access 
[ Upstream commit f233d2be38 ]

The driver does not check if the cooling state passed to
gpio_fan_set_cur_state() exceeds the maximum cooling state as
stored in fan_data->num_speeds. Since the cooling state is later
used as an array index in set_fan_speed(), an array out of bounds
access can occur.
This can be exploited by setting the state of the thermal cooling device
to arbitrary values, causing for example a kernel oops when unavailable
memory is accessed this way.

Example kernel oops:
[  807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064
[  807.987369] Mem abort info:
[  807.987398]   ESR = 0x96000005
[  807.987428]   EC = 0x25: DABT (current EL), IL = 32 bits
[  807.987477]   SET = 0, FnV = 0
[  807.987507]   EA = 0, S1PTW = 0
[  807.987536]   FSC = 0x05: level 1 translation fault
[  807.987570] Data abort info:
[  807.987763]   ISV = 0, ISS = 0x00000005
[  807.987801]   CM = 0, WnR = 0
[  807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000
[  807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[  807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[  807.987992] Modules linked in: cmac algif_hash aes_arm64 algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc 8021q garp stp llc snd_soc_hdmi_codec brcmfmac vc4 brcmutil cec drm_kms_helper snd_soc_core cfg80211 snd_compress bcm2835_codec(C) snd_pcm_dmaengine syscopyarea bcm2835_isp(C) bcm2835_v4l2(C) sysfillrect v4l2_mem2mem bcm2835_mmal_vchiq(C) raspberrypi_hwmon sysimgblt videobuf2_dma_contig videobuf2_vmalloc fb_sys_fops videobuf2_memops rfkill videobuf2_v4l2 videobuf2_common i2c_bcm2835 snd_bcm2835(C) videodev snd_pcm snd_timer snd mc vc_sm_cma(C) gpio_fan uio_pdrv_genirq uio drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
[  807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G         C        5.15.56-v8+ #1575
[  807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[  807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  807.988608] pc : set_fan_speed.part.5+0x34/0x80 [gpio_fan]
[  807.988654] lr : gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
[  807.988691] sp : ffffffc008cf3bd0
[  807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000
[  807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920
[  807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c
[  807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000
[  807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70
[  807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[  807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c
[  807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009
[  807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8
[  807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060
[  807.989084] Call trace:
[  807.989091]  set_fan_speed.part.5+0x34/0x80 [gpio_fan]
[  807.989113]  gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
[  807.989199]  cur_state_store+0x84/0xd0
[  807.989221]  dev_attr_store+0x20/0x38
[  807.989262]  sysfs_kf_write+0x4c/0x60
[  807.989282]  kernfs_fop_write_iter+0x130/0x1c0
[  807.989298]  new_sync_write+0x10c/0x190
[  807.989315]  vfs_write+0x254/0x378
[  807.989362]  ksys_write+0x70/0xf8
[  807.989379]  __arm64_sys_write+0x24/0x30
[  807.989424]  invoke_syscall+0x4c/0x110
[  807.989442]  el0_svc_common.constprop.3+0xfc/0x120
[  807.989458]  do_el0_svc+0x2c/0x90
[  807.989473]  el0_svc+0x24/0x60
[  807.989544]  el0t_64_sync_handler+0x90/0xb8
[  807.989558]  el0t_64_sync+0x1a0/0x1a4
[  807.989579] Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416)
[  807.989627] ---[ end trace 8ded4c918658445b ]---

Fix this by checking the cooling state and return an error if it
exceeds the maximum cooling state.

Tested on a Raspberry Pi 3.

Fixes: b5cf88e46b ("(gpio-fan): Add thermal control hooks")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://lore.kernel.org/r/20220830011101.178843-1-W_Armin@gmx.de
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-09-08 11:11:38 +02:00
..
occ hwmon: (occ) Fix poll rate limiting 2021-05-19 10:13:13 +02:00
pmbus hwmon: (pmbus) Add Vin unit off handling 2022-04-08 14:40:02 +02:00
ab8500.c hwmon: ab8500: Convert to IIO ADC 2019-10-18 19:37:08 +01:00
abituguru.c hwmon: abituguru: make array probe_order static, makes object smaller 2019-11-06 14:37:19 -08:00
abituguru3.c
abx500.c
abx500.h
acpi_power_meter.c hwmon: (acpi_power_meter) Fix potential memory leak in acpi_power_meter_add() 2020-06-25 16:06:06 -07:00
ad7314.c
ad7414.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ad7418.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
adc128d818.c hwmon: use simple i2c probe function (take 2) 2020-09-23 09:42:40 -07:00
adcxx.c
adm1021.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
adm1025.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
adm1026.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
adm1029.c hwmon: (adm1029) use simple i2c probe 2020-09-23 09:42:39 -07:00
adm1031.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
adm1177.c hwmon: (adm1177) use simple i2c probe 2020-09-23 09:42:39 -07:00
adm9240.c hwmon: (adm9240) Convert to regmap 2020-09-24 07:44:51 -07:00
ads7828.c hwmon: use simple i2c probe function (take 2) 2020-09-23 09:42:40 -07:00
ads7871.c
adt7x10.c
adt7x10.h
adt7310.c
adt7410.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
adt7411.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
adt7462.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
adt7470.c hwmon: (adt7470) Fix warning on module removal 2022-05-12 12:25:37 +02:00
adt7475.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
amc6821.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
amd_energy.c hwmon: (amd_energy) fix allocation of hwmon_channel_info config 2021-01-12 20:18:22 +01:00
applesmc.c hwmon: (applesmc) Re-work SMC comms 2020-11-12 07:00:59 -08:00
as370-hwmon.c
asb100.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
asc7621.c hwmon: (asc7621) use simple i2c probe 2020-09-23 09:42:40 -07:00
aspeed-pwm-tacho.c hwmon: (aspeed-pwm-tacho) Avoid possible buffer overflow 2020-07-05 20:45:45 -07:00
asus_atk0110.c
atxp1.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
axi-fan-control.c hwmon: (axi-fan-control) remove duplicate macros 2020-08-04 14:27:20 -07:00
bt1-pvt.c hwmon: (bt1-pvt) Wait for the completion with timeout 2020-10-04 08:40:10 -07:00
bt1-pvt.h hwmon: (bt1-pvt) Cache current update timeout 2020-10-04 08:40:10 -07:00
coretemp.c hwmon: Convert to new X86 CPU match macros 2020-03-24 21:33:36 +01:00
corsair-cpro.c hwmon: (corsair-cpro) add reading pwm values 2020-07-24 07:44:57 -07:00
da9052-hwmon.c hwmon: (da9052) Synchronize access with mfd 2020-05-13 10:06:09 -07:00
da9055-hwmon.c
dell-smm-hwmon.c hwmon: (dell-smm) Speed up setting of fan speed 2022-02-16 12:54:30 +01:00
dme1737.c hwmon: (dme1737) use simple i2c probe 2020-09-23 09:42:40 -07:00
drivetemp.c hwmon: (drivetemp) Add module alias 2022-08-21 15:15:35 +02:00
ds620.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ds1621.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
emc6w201.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
emc1403.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
emc2103.c hwmon: (emc2103) use simple i2c probe 2020-09-23 09:42:40 -07:00
f71805f.c
f71882fg.c hwmon: (f71882fg) Fix negative temperature 2022-05-18 10:23:45 +02:00
f75375s.c hwmon: (f75375s) use simple i2c probe 2020-09-23 09:42:40 -07:00
fam15h_power.c x86/msr: Lift AMD family 0x15 power-specific MSRs 2020-06-15 19:25:53 +02:00
fschmd.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ftsteutates.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
g760a.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
g762.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
gl518sm.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
gl520sm.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
gpio-fan.c hwmon: (gpio-fan) Fix array out of bounds access 2022-09-08 11:11:38 +02:00
gsc-hwmon.c hwmon: (gsc-hwmon) add fan sensor 2020-09-23 09:42:41 -07:00
hih6130.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
hwmon-vid.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
hwmon.c hwmon: Handle failure to register sensor with thermal zone correctly 2022-03-02 11:42:48 +01:00
i5k_amb.c hwmon: (i5k_amb, vt8231) Drop uses of pci_read_config_*() return value 2020-08-04 14:24:39 -07:00
i5500_temp.c
ibmaem.c hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails 2022-07-07 17:52:20 +02:00
ibmpex.c
ibmpowernv.c hwmon: (ibmpowernv) Use scnprintf() for avoiding potential buffer overflow 2020-03-11 08:09:31 -07:00
iio_hwmon.c
ina2xx.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ina209.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ina3221.c hwmon: (ina3221) Fix PM usage counter unbalance in ina3221_write_enable 2020-12-30 11:53:31 +01:00
intel-m10-bmc-hwmon.c hwmon: Add hwmon driver for Intel MAX 10 BMC 2020-10-04 08:40:10 -07:00
it87.c
jc42.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
k8temp.c
k10temp.c hwmon: (k10temp) Remove support for displaying voltage and current on Zen CPUs 2020-12-30 11:52:55 +01:00
Kconfig hwmon: (ltq-cputemp) restrict it to SOC_XWAY 2022-05-18 10:23:44 +02:00
lineage-pem.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm63.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm70.c hwmon: (lm70) Revert "hwmon: (lm70) Add support for ACPI" 2021-07-14 16:56:07 +02:00
lm73.c hwmon: (lm73) use simple i2c probe 2020-09-23 09:42:40 -07:00
lm75.c hwmon: (lm75) Add regulator support 2020-10-04 08:40:10 -07:00
lm75.h hwmon: (lm75) Fix all coding-style warnings on lm75 driver 2020-05-22 06:28:38 -07:00
lm77.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm78.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm80.c Revert "hwmon: (lm80) fix a missing check of bus read in lm80 probe" 2021-05-26 12:06:54 +02:00
lm83.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm85.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm87.c hwmon: use simple i2c probe function (take 2) 2020-09-23 09:42:40 -07:00
lm90.c hwmon: (lm90) Mark alert as broken for MAX6654 2022-02-01 17:25:46 +01:00
lm92.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm93.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm95234.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm95241.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lm95245.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
lochnagar-hwmon.c
ltc2945.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ltc2947-core.c hwmon: (ltc2947) Properly handle errors when looking for the external clock 2021-10-17 10:43:33 +02:00
ltc2947-i2c.c hwmon: (ltc2947) use simple i2c probe 2020-09-23 09:42:40 -07:00
ltc2947-spi.c hwmon: Add support for ltc2947 2019-11-06 14:37:19 -08:00
ltc2947.h hwmon: Add support for ltc2947 2019-11-06 14:37:19 -08:00
ltc2990.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ltc4151.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ltc4215.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ltc4222.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ltc4245.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ltc4260.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ltc4261.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
ltq-cputemp.c
Makefile - New Drivers 2020-10-14 15:56:58 -07:00
max197.c
max1111.c
max1619.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
max1668.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
max6621.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
max6639.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
max6642.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
max6650.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
max6697.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
max16065.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
max31722.c hwmon: (max31722) Remove non-standard ACPI device IDs 2021-07-14 16:56:07 +02:00
max31730.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
max31790.c hwmon: (max31790) Fix fan speed reporting for fan7..12 2021-07-14 16:56:08 +02:00
mc13783-adc.c
mcp3021.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
menf21bmc_hwmon.c
mlxreg-fan.c hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs 2021-10-06 15:55:51 +02:00
mr75203.c hwmon: (mr75203) fix wrong power-up delay value 2022-01-27 10:54:00 +01:00
nct6683.c hwmon: (nct6683) Replace container_of() with kobj_to_dev() 2020-07-19 16:25:20 -07:00
nct6775.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
nct7802.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
nct7904.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
npcm750-pwm-fan.c
nsa320-hwmon.c
ntc_thermistor.c
pc87360.c
pc87427.c
pcf8591.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
powr1220.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
pwm-fan.c hwmon: (pwm-fan) Ensure that calculation doesn't discard big period values 2021-01-19 18:27:25 +01:00
raspberrypi-hwmon.c
s3c-hwmon.c ARM: s3c: adc: move header to linux/soc/samsung 2020-08-19 21:44:11 +02:00
sch56xx-common.c hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING 2022-04-08 14:40:00 +02:00
sch56xx-common.h
sch5627.c
sch5636.c
scmi-hwmon.c hwmon: (scmi-hwmon) Avoid comma separated statements 2020-09-23 09:42:41 -07:00
scpi-hwmon.c hwmon: (scpi-hwmon) shows the negative temperature properly 2021-06-23 14:42:49 +02:00
sht3x.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
sht15.c
sht21.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
shtc1.c hwmon: shtc1: add support for device tree bindings 2020-09-23 09:42:40 -07:00
sis5595.c
sl28cpld-hwmon.c hwmon: Add support for the sl28cpld hardware monitoring controller 2020-09-17 16:02:42 +01:00
smm665.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
smsc47b397.c
smsc47m1.c
smsc47m192.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
sparx5-temp.c hwmon: (sparx5) Fix initial reading of temperature 2020-09-23 09:39:40 -07:00
stts751.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
tc74.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
tc654.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
thmc50.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
tmp102.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
tmp103.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
tmp108.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
tmp401.c hwmon: (tmp401) Add OF device ID table 2022-05-18 10:23:42 +02:00
tmp421.c hwmon: (tmp421) fix rounding for negative values 2021-10-06 15:55:53 +02:00
tmp513.c hwmon: (tmp513) fix spelling typo in comments 2020-10-04 08:40:10 -07:00
ultra45_env.c
vexpress-hwmon.c
via-cputemp.c hwmon: Convert to new X86 CPU match macros 2020-03-24 21:33:36 +01:00
via686a.c
vt1211.c
vt8231.c hwmon: (i5k_amb, vt8231) Drop uses of pci_read_config_*() return value 2020-08-04 14:24:39 -07:00
w83l785ts.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
w83l786ng.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
w83627ehf.c hwmon: (w83627ehf) Fix a resource leak in probe 2020-09-23 09:40:33 -07:00
w83627hf.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
w83773g.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
w83781d.c hwmon: use simple i2c probe function 2020-09-23 09:42:39 -07:00
w83791d.c hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field 2021-10-06 15:55:47 +02:00
w83792d.c hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field 2021-10-06 15:55:47 +02:00
w83793.c hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field 2021-10-06 15:55:47 +02:00
w83795.c hwmon: use simple i2c probe function (take 2) 2020-09-23 09:42:40 -07:00
wm831x-hwmon.c
wm8350-hwmon.c
xgene-hwmon.c