The panasonic laptop code in various places uses the sinf array with index values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the sinf array is big enough.
Check for a minimum SQTY value of SINF_CUR_BRIGHT to avoid out of bounds accesses of the sinf array.
Note SQTY returning SINF_CUR_BRIGHT is ok because the driver adds one extra entry to the sinf array.
Fixes: e424fb8cc4e6 ("panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()") Cc: stable@vger.kernel.org Tested-by: James Harmison jharmison@redhat.com Signed-off-by: Hans de Goede hdegoede@redhat.com --- drivers/platform/x86/panasonic-laptop.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c index cf845ee1c7b1..d7f9017a5a13 100644 --- a/drivers/platform/x86/panasonic-laptop.c +++ b/drivers/platform/x86/panasonic-laptop.c @@ -963,8 +963,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
num_sifr = acpi_pcc_get_sqty(device);
- if (num_sifr < 0 || num_sifr > 255) { - pr_err("num_sifr out of range"); + if (num_sifr < SINF_CUR_BRIGHT || num_sifr > 255) { + pr_err("num_sifr %d out of range %d - 255\n", num_sifr, SINF_CUR_BRIGHT); return -ENODEV; }
Some DSDT-s have an of by one bug where the SINF package count is one higher then the SQTY reported value, allocate 1 entry extra.
Also make the SQTY <-> SINF package count mismatch error more verbose to help debugging similar issues in the future.
This fixes the panasonic-laptop driver failing to probe() on some devices with the following errors:
[ 3.958887] SQTY reports bad SINF length SQTY: 37 SINF-pkg-count: 38 [ 3.958892] Couldn't retrieve BIOS data [ 3.983685] Panasonic Laptop Support - With Macros: probe of MAT0019:00 failed with error -5
Fixes: 709ee531c153 ("panasonic-laptop: add Panasonic Let's Note laptop extras driver v0.94") Cc: stable@vger.kernel.org Tested-by: James Harmison jharmison@redhat.com Signed-off-by: Hans de Goede hdegoede@redhat.com --- drivers/platform/x86/panasonic-laptop.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c index d7f9017a5a13..4c9e20e1afe8 100644 --- a/drivers/platform/x86/panasonic-laptop.c +++ b/drivers/platform/x86/panasonic-laptop.c @@ -337,7 +337,8 @@ static int acpi_pcc_retrieve_biosdata(struct pcc_acpi *pcc) }
if (pcc->num_sifr < hkey->package.count) { - pr_err("SQTY reports bad SINF length\n"); + pr_err("SQTY reports bad SINF length SQTY: %ld SINF-pkg-count: %d\n", + pcc->num_sifr, hkey->package.count); status = AE_ERROR; goto end; } @@ -968,6 +969,12 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) return -ENODEV; }
+ /* + * Some DSDT-s have an of by one bug where the SINF package count is + * one higher then the SQTY reported value, allocate 1 entry extra. + */ + num_sifr++; + pcc = kzalloc(sizeof(struct pcc_acpi), GFP_KERNEL); if (!pcc) { pr_err("Couldn't allocate mem for pcc");
On Tue, 3 Sep 2024, Hans de Goede wrote:
Some DSDT-s have an of by one bug where the SINF package count is
of -> off
one higher then the SQTY reported value, allocate 1 entry extra.
Also make the SQTY <-> SINF package count mismatch error more verbose to help debugging similar issues in the future.
This fixes the panasonic-laptop driver failing to probe() on some devices with the following errors:
[ 3.958887] SQTY reports bad SINF length SQTY: 37 SINF-pkg-count: 38 [ 3.958892] Couldn't retrieve BIOS data [ 3.983685] Panasonic Laptop Support - With Macros: probe of MAT0019:00 failed with error -5
Fixes: 709ee531c153 ("panasonic-laptop: add Panasonic Let's Note laptop extras driver v0.94") Cc: stable@vger.kernel.org Tested-by: James Harmison jharmison@redhat.com Signed-off-by: Hans de Goede hdegoede@redhat.com
drivers/platform/x86/panasonic-laptop.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c index d7f9017a5a13..4c9e20e1afe8 100644 --- a/drivers/platform/x86/panasonic-laptop.c +++ b/drivers/platform/x86/panasonic-laptop.c @@ -337,7 +337,8 @@ static int acpi_pcc_retrieve_biosdata(struct pcc_acpi *pcc) } if (pcc->num_sifr < hkey->package.count) {
pr_err("SQTY reports bad SINF length\n");
pr_err("SQTY reports bad SINF length SQTY: %ld SINF-pkg-count: %d\n",pcc->num_sifr, hkey->package.count);
Both are unsigned so dont use d but u formatting.
status = AE_ERROR; goto end;} @@ -968,6 +969,12 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) return -ENODEV; }
- /*
* Some DSDT-s have an of by one bug where the SINF package count is
off
* one higher then the SQTY reported value, allocate 1 entry extra.*/- num_sifr++;
- pcc = kzalloc(sizeof(struct pcc_acpi), GFP_KERNEL); if (!pcc) { pr_err("Couldn't allocate mem for pcc");
On Tue, Sep 3, 2024 at 1:33 PM Ilpo Järvinen ilpo.jarvinen@linux.intel.com wrote:
On Tue, 3 Sep 2024, Hans de Goede wrote:
Some DSDT-s have an of by one bug where the SINF package count is
of -> off
I even dare to ask for an "off-by-one" form (similar (grammatically!) to step-by-step).
one higher then the SQTY reported value, allocate 1 entry extra.
than
/** Some DSDT-s have an of by one bug where the SINF package count isoff
Ditto.
* one higher then the SQTY reported value, allocate 1 entry extra.
than
*/
On Tue, 3 Sep 2024, Hans de Goede wrote:
The panasonic laptop code in various places uses the sinf array with index values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the sinf array is big enough.
Check for a minimum SQTY value of SINF_CUR_BRIGHT to avoid out of bounds accesses of the sinf array.
This description is a bit misleading. The patch is _not_ adding a bounds check to sinf array access paths but ensuring the allocation is big enough for those accesses. It took me a while to figure out so I suggest the wording is improved to clearly explain how the problem has been addressed.
linux-stable-mirror@lists.linaro.org
-
Andy Shevchenko -
Hans de Goede -
Ilpo Järvinen