Hi Rui, Matthew,
I think this regression should be corrected still in the 5.8 release
cycle. It may cause kernel panic if .set_mode() is called before
current_uuid_store(), and from what I see both operations can be
triggered from sysfs. What I'm not 100% sure about is if we should
apply the above fix, or rather revert the driver to its default
behaviour of using uuid=0 if it wasn't set from userspace (this is how
it was before Matthew's commit). What do you think?
Best regards,
Bartosz
On Wed, Jul 8, 2020 at 3:46 PM Bartosz Szczepanek <b...@semihalf.com> wrote:
>
> Starting from commit "thermal/int340x_thermal: Don't require IDSP to
> exist", priv->current_uuid_index is initialized to -1. This value may
> be passed to int3400_thermal_run_osc() from int3400_thermal_set_mode,
> contributing to page fault when accessing int3400_thermal_uuids array
> at index -1.
>
> This commit adds a check on uuid value to int3400_thermal_run_osc.
>
> Signed-off-by: Bartosz Szczepanek <b...@semihalf.com>
> ---
> drivers/thermal/intel/int340x_thermal/int3400_thermal.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
> b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
> index 0b3a62655843..12448ccd27f1 100644
> --- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
> +++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c
> @@ -216,11 +216,16 @@ static int int3400_thermal_run_osc(acpi_handle handle,
> acpi_status status;
> int result = 0;
> struct acpi_osc_context context = {
> - .uuid_str = int3400_thermal_uuids[uuid],
> + .uuid_str = NULL,
> .rev = 1,
> .cap.length = 8,
> };
>
> + if (uuid < 0 || uuid >= INT3400_THERMAL_MAXIMUM_UUID)
> + return -EINVAL;
> +
> + context.uuid_str = int3400_thermal_uuids[uuid];
> +
> buf[OSC_QUERY_DWORD] = 0;
> buf[OSC_SUPPORT_DWORD] = enable;
>
> --
> 2.17.1
>
