Armin Wolf f233d2be38 hwmon: (gpio-fan) Fix array out of bounds access
The driver does not check if the cooling state passed to
gpio_fan_set_cur_state() exceeds the maximum cooling state as
stored in fan_data->num_speeds. Since the cooling state is later
used as an array index in set_fan_speed(), an array out of bounds
access can occur.
This can be exploited by setting the state of the thermal cooling device
to arbitrary values, causing for example a kernel oops when unavailable
memory is accessed this way.

Example kernel oops:
[  807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064
[  807.987369] Mem abort info:
[  807.987398]   ESR = 0x96000005
[  807.987428]   EC = 0x25: DABT (current EL), IL = 32 bits
[  807.987477]   SET = 0, FnV = 0
[  807.987507]   EA = 0, S1PTW = 0
[  807.987536]   FSC = 0x05: level 1 translation fault
[  807.987570] Data abort info:
[  807.987763]   ISV = 0, ISS = 0x00000005
[  807.987801]   CM = 0, WnR = 0
[  807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000
[  807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[  807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[  807.987992] Modules linked in: cmac algif_hash aes_arm64 algif_skcipher af_alg bnep hci_uart btbcm bluetooth ecdh_generic ecc 8021q garp stp llc snd_soc_hdmi_codec brcmfmac vc4 brcmutil cec drm_kms_helper snd_soc_core cfg80211 snd_compress bcm2835_codec(C) snd_pcm_dmaengine syscopyarea bcm2835_isp(C) bcm2835_v4l2(C) sysfillrect v4l2_mem2mem bcm2835_mmal_vchiq(C) raspberrypi_hwmon sysimgblt videobuf2_dma_contig videobuf2_vmalloc fb_sys_fops videobuf2_memops rfkill videobuf2_v4l2 videobuf2_common i2c_bcm2835 snd_bcm2835(C) videodev snd_pcm snd_timer snd mc vc_sm_cma(C) gpio_fan uio_pdrv_genirq uio drm fuse drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
[  807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G         C        5.15.56-v8+ #1575
[  807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[  807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  807.988608] pc : set_fan_speed.part.5+0x34/0x80 [gpio_fan]
[  807.988654] lr : gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
[  807.988691] sp : ffffffc008cf3bd0
[  807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000
[  807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920
[  807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c
[  807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000
[  807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70
[  807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[  807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c
[  807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009
[  807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8
[  807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060
[  807.989084] Call trace:
[  807.989091]  set_fan_speed.part.5+0x34/0x80 [gpio_fan]
[  807.989113]  gpio_fan_set_cur_state+0x34/0x50 [gpio_fan]
[  807.989199]  cur_state_store+0x84/0xd0
[  807.989221]  dev_attr_store+0x20/0x38
[  807.989262]  sysfs_kf_write+0x4c/0x60
[  807.989282]  kernfs_fop_write_iter+0x130/0x1c0
[  807.989298]  new_sync_write+0x10c/0x190
[  807.989315]  vfs_write+0x254/0x378
[  807.989362]  ksys_write+0x70/0xf8
[  807.989379]  __arm64_sys_write+0x24/0x30
[  807.989424]  invoke_syscall+0x4c/0x110
[  807.989442]  el0_svc_common.constprop.3+0xfc/0x120
[  807.989458]  do_el0_svc+0x2c/0x90
[  807.989473]  el0_svc+0x24/0x60
[  807.989544]  el0t_64_sync_handler+0x90/0xb8
[  807.989558]  el0t_64_sync+0x1a0/0x1a4
[  807.989579] Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416)
[  807.989627] ---[ end trace 8ded4c918658445b ]---

Fix this by checking the cooling state and return an error if it
exceeds the maximum cooling state.

Tested on a Raspberry Pi 3.

Fixes: b5cf88e46bad ("(gpio-fan): Add thermal control hooks")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://lore.kernel.org/r/20220830011101.178843-1-W_Armin@gmx.de
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2022-08-29 21:23:23 -07:00

605 lines
14 KiB
C

// SPDX-License-Identifier: GPL-2.0-or-later
/*
* gpio-fan.c - Hwmon driver for fans connected to GPIO lines.
*
* Copyright (C) 2010 LaCie
*
* Author: Simon Guinot <sguinot@lacie.com>
*/
#include <linux/module.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/interrupt.h>
#include <linux/irq.h>
#include <linux/platform_device.h>
#include <linux/err.h>
#include <linux/mutex.h>
#include <linux/hwmon.h>
#include <linux/gpio/consumer.h>
#include <linux/of.h>
#include <linux/of_platform.h>
#include <linux/thermal.h>
struct gpio_fan_speed {
int rpm;
int ctrl_val;
};
struct gpio_fan_data {
struct device *dev;
struct device *hwmon_dev;
/* Cooling device if any */
struct thermal_cooling_device *cdev;
struct mutex lock; /* lock GPIOs operations. */
int num_gpios;
struct gpio_desc **gpios;
int num_speed;
struct gpio_fan_speed *speed;
int speed_index;
#ifdef CONFIG_PM_SLEEP
int resume_speed;
#endif
bool pwm_enable;
struct gpio_desc *alarm_gpio;
struct work_struct alarm_work;
};
/*
* Alarm GPIO.
*/
static void fan_alarm_notify(struct work_struct *ws)
{
struct gpio_fan_data *fan_data =
container_of(ws, struct gpio_fan_data, alarm_work);
sysfs_notify(&fan_data->hwmon_dev->kobj, NULL, "fan1_alarm");
kobject_uevent(&fan_data->hwmon_dev->kobj, KOBJ_CHANGE);
}
static irqreturn_t fan_alarm_irq_handler(int irq, void *dev_id)
{
struct gpio_fan_data *fan_data = dev_id;
schedule_work(&fan_data->alarm_work);
return IRQ_NONE;
}
static ssize_t fan1_alarm_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n",
gpiod_get_value_cansleep(fan_data->alarm_gpio));
}
static DEVICE_ATTR_RO(fan1_alarm);
static int fan_alarm_init(struct gpio_fan_data *fan_data)
{
int alarm_irq;
struct device *dev = fan_data->dev;
/*
* If the alarm GPIO don't support interrupts, just leave
* without initializing the fail notification support.
*/
alarm_irq = gpiod_to_irq(fan_data->alarm_gpio);
if (alarm_irq <= 0)
return 0;
INIT_WORK(&fan_data->alarm_work, fan_alarm_notify);
irq_set_irq_type(alarm_irq, IRQ_TYPE_EDGE_BOTH);
return devm_request_irq(dev, alarm_irq, fan_alarm_irq_handler,
IRQF_SHARED, "GPIO fan alarm", fan_data);
}
/*
* Control GPIOs.
*/
/* Must be called with fan_data->lock held, except during initialization. */
static void __set_fan_ctrl(struct gpio_fan_data *fan_data, int ctrl_val)
{
int i;
for (i = 0; i < fan_data->num_gpios; i++)
gpiod_set_value_cansleep(fan_data->gpios[i],
(ctrl_val >> i) & 1);
}
static int __get_fan_ctrl(struct gpio_fan_data *fan_data)
{
int i;
int ctrl_val = 0;
for (i = 0; i < fan_data->num_gpios; i++) {
int value;
value = gpiod_get_value_cansleep(fan_data->gpios[i]);
ctrl_val |= (value << i);
}
return ctrl_val;
}
/* Must be called with fan_data->lock held, except during initialization. */
static void set_fan_speed(struct gpio_fan_data *fan_data, int speed_index)
{
if (fan_data->speed_index == speed_index)
return;
__set_fan_ctrl(fan_data, fan_data->speed[speed_index].ctrl_val);
fan_data->speed_index = speed_index;
}
static int get_fan_speed_index(struct gpio_fan_data *fan_data)
{
int ctrl_val = __get_fan_ctrl(fan_data);
int i;
for (i = 0; i < fan_data->num_speed; i++)
if (fan_data->speed[i].ctrl_val == ctrl_val)
return i;
dev_warn(fan_data->dev,
"missing speed array entry for GPIO value 0x%x\n", ctrl_val);
return -ENODEV;
}
static int rpm_to_speed_index(struct gpio_fan_data *fan_data, unsigned long rpm)
{
struct gpio_fan_speed *speed = fan_data->speed;
int i;
for (i = 0; i < fan_data->num_speed; i++)
if (speed[i].rpm >= rpm)
return i;
return fan_data->num_speed - 1;
}
static ssize_t pwm1_show(struct device *dev, struct device_attribute *attr,
char *buf)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
u8 pwm = fan_data->speed_index * 255 / (fan_data->num_speed - 1);
return sprintf(buf, "%d\n", pwm);
}
static ssize_t pwm1_store(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
unsigned long pwm;
int speed_index;
int ret = count;
if (kstrtoul(buf, 10, &pwm) || pwm > 255)
return -EINVAL;
mutex_lock(&fan_data->lock);
if (!fan_data->pwm_enable) {
ret = -EPERM;
goto exit_unlock;
}
speed_index = DIV_ROUND_UP(pwm * (fan_data->num_speed - 1), 255);
set_fan_speed(fan_data, speed_index);
exit_unlock:
mutex_unlock(&fan_data->lock);
return ret;
}
static ssize_t pwm1_enable_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", fan_data->pwm_enable);
}
static ssize_t pwm1_enable_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
unsigned long val;
if (kstrtoul(buf, 10, &val) || val > 1)
return -EINVAL;
if (fan_data->pwm_enable == val)
return count;
mutex_lock(&fan_data->lock);
fan_data->pwm_enable = val;
/* Disable manual control mode: set fan at full speed. */
if (val == 0)
set_fan_speed(fan_data, fan_data->num_speed - 1);
mutex_unlock(&fan_data->lock);
return count;
}
static ssize_t pwm1_mode_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "0\n");
}
static ssize_t fan1_min_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", fan_data->speed[0].rpm);
}
static ssize_t fan1_max_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n",
fan_data->speed[fan_data->num_speed - 1].rpm);
}
static ssize_t fan1_input_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", fan_data->speed[fan_data->speed_index].rpm);
}
static ssize_t set_rpm(struct device *dev, struct device_attribute *attr,
const char *buf, size_t count)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
unsigned long rpm;
int ret = count;
if (kstrtoul(buf, 10, &rpm))
return -EINVAL;
mutex_lock(&fan_data->lock);
if (!fan_data->pwm_enable) {
ret = -EPERM;
goto exit_unlock;
}
set_fan_speed(fan_data, rpm_to_speed_index(fan_data, rpm));
exit_unlock:
mutex_unlock(&fan_data->lock);
return ret;
}
static DEVICE_ATTR_RW(pwm1);
static DEVICE_ATTR_RW(pwm1_enable);
static DEVICE_ATTR_RO(pwm1_mode);
static DEVICE_ATTR_RO(fan1_min);
static DEVICE_ATTR_RO(fan1_max);
static DEVICE_ATTR_RO(fan1_input);
static DEVICE_ATTR(fan1_target, 0644, fan1_input_show, set_rpm);
static umode_t gpio_fan_is_visible(struct kobject *kobj,
struct attribute *attr, int index)
{
struct device *dev = kobj_to_dev(kobj);
struct gpio_fan_data *data = dev_get_drvdata(dev);
if (index == 0 && !data->alarm_gpio)
return 0;
if (index > 0 && !data->gpios)
return 0;
return attr->mode;
}
static struct attribute *gpio_fan_attributes[] = {
&dev_attr_fan1_alarm.attr, /* 0 */
&dev_attr_pwm1.attr, /* 1 */
&dev_attr_pwm1_enable.attr,
&dev_attr_pwm1_mode.attr,
&dev_attr_fan1_input.attr,
&dev_attr_fan1_target.attr,
&dev_attr_fan1_min.attr,
&dev_attr_fan1_max.attr,
NULL
};
static const struct attribute_group gpio_fan_group = {
.attrs = gpio_fan_attributes,
.is_visible = gpio_fan_is_visible,
};
static const struct attribute_group *gpio_fan_groups[] = {
&gpio_fan_group,
NULL
};
static int fan_ctrl_init(struct gpio_fan_data *fan_data)
{
int num_gpios = fan_data->num_gpios;
struct gpio_desc **gpios = fan_data->gpios;
int i, err;
for (i = 0; i < num_gpios; i++) {
/*
* The GPIO descriptors were retrieved with GPIOD_ASIS so here
* we set the GPIO into output mode, carefully preserving the
* current value by setting it to whatever it is already set
* (no surprise changes in default fan speed).
*/
err = gpiod_direction_output(gpios[i],
gpiod_get_value_cansleep(gpios[i]));
if (err)
return err;
}
fan_data->pwm_enable = true; /* Enable manual fan speed control. */
fan_data->speed_index = get_fan_speed_index(fan_data);
if (fan_data->speed_index < 0)
return fan_data->speed_index;
return 0;
}
static int gpio_fan_get_max_state(struct thermal_cooling_device *cdev,
unsigned long *state)
{
struct gpio_fan_data *fan_data = cdev->devdata;
if (!fan_data)
return -EINVAL;
*state = fan_data->num_speed - 1;
return 0;
}
static int gpio_fan_get_cur_state(struct thermal_cooling_device *cdev,
unsigned long *state)
{
struct gpio_fan_data *fan_data = cdev->devdata;
if (!fan_data)
return -EINVAL;
*state = fan_data->speed_index;
return 0;
}
static int gpio_fan_set_cur_state(struct thermal_cooling_device *cdev,
unsigned long state)
{
struct gpio_fan_data *fan_data = cdev->devdata;
if (!fan_data)
return -EINVAL;
if (state >= fan_data->num_speed)
return -EINVAL;
set_fan_speed(fan_data, state);
return 0;
}
static const struct thermal_cooling_device_ops gpio_fan_cool_ops = {
.get_max_state = gpio_fan_get_max_state,
.get_cur_state = gpio_fan_get_cur_state,
.set_cur_state = gpio_fan_set_cur_state,
};
/*
* Translate OpenFirmware node properties into platform_data
*/
static int gpio_fan_get_of_data(struct gpio_fan_data *fan_data)
{
struct gpio_fan_speed *speed;
struct device *dev = fan_data->dev;
struct device_node *np = dev->of_node;
struct gpio_desc **gpios;
unsigned i;
u32 u;
struct property *prop;
const __be32 *p;
/* Alarm GPIO if one exists */
fan_data->alarm_gpio = devm_gpiod_get_optional(dev, "alarm", GPIOD_IN);
if (IS_ERR(fan_data->alarm_gpio))
return PTR_ERR(fan_data->alarm_gpio);
/* Fill GPIO pin array */
fan_data->num_gpios = gpiod_count(dev, NULL);
if (fan_data->num_gpios <= 0) {
if (fan_data->alarm_gpio)
return 0;
dev_err(dev, "DT properties empty / missing");
return -ENODEV;
}
gpios = devm_kcalloc(dev,
fan_data->num_gpios, sizeof(struct gpio_desc *),
GFP_KERNEL);
if (!gpios)
return -ENOMEM;
for (i = 0; i < fan_data->num_gpios; i++) {
gpios[i] = devm_gpiod_get_index(dev, NULL, i, GPIOD_ASIS);
if (IS_ERR(gpios[i]))
return PTR_ERR(gpios[i]);
}
fan_data->gpios = gpios;
/* Get number of RPM/ctrl_val pairs in speed map */
prop = of_find_property(np, "gpio-fan,speed-map", &i);
if (!prop) {
dev_err(dev, "gpio-fan,speed-map DT property missing");
return -ENODEV;
}
i = i / sizeof(u32);
if (i == 0 || i & 1) {
dev_err(dev, "gpio-fan,speed-map contains zero/odd number of entries");
return -ENODEV;
}
fan_data->num_speed = i / 2;
/*
* Populate speed map
* Speed map is in the form <RPM ctrl_val RPM ctrl_val ...>
* this needs splitting into pairs to create gpio_fan_speed structs
*/
speed = devm_kcalloc(dev,
fan_data->num_speed, sizeof(struct gpio_fan_speed),
GFP_KERNEL);
if (!speed)
return -ENOMEM;
p = NULL;
for (i = 0; i < fan_data->num_speed; i++) {
p = of_prop_next_u32(prop, p, &u);
if (!p)
return -ENODEV;
speed[i].rpm = u;
p = of_prop_next_u32(prop, p, &u);
if (!p)
return -ENODEV;
speed[i].ctrl_val = u;
}
fan_data->speed = speed;
return 0;
}
static const struct of_device_id of_gpio_fan_match[] = {
{ .compatible = "gpio-fan", },
{},
};
MODULE_DEVICE_TABLE(of, of_gpio_fan_match);
static void gpio_fan_stop(void *data)
{
set_fan_speed(data, 0);
}
static int gpio_fan_probe(struct platform_device *pdev)
{
int err;
struct gpio_fan_data *fan_data;
struct device *dev = &pdev->dev;
struct device_node *np = dev->of_node;
fan_data = devm_kzalloc(dev, sizeof(struct gpio_fan_data),
GFP_KERNEL);
if (!fan_data)
return -ENOMEM;
fan_data->dev = dev;
err = gpio_fan_get_of_data(fan_data);
if (err)
return err;
platform_set_drvdata(pdev, fan_data);
mutex_init(&fan_data->lock);
/* Configure control GPIOs if available. */
if (fan_data->gpios && fan_data->num_gpios > 0) {
if (!fan_data->speed || fan_data->num_speed <= 1)
return -EINVAL;
err = fan_ctrl_init(fan_data);
if (err)
return err;
err = devm_add_action_or_reset(dev, gpio_fan_stop, fan_data);
if (err)
return err;
}
/* Make this driver part of hwmon class. */
fan_data->hwmon_dev =
devm_hwmon_device_register_with_groups(dev,
"gpio_fan", fan_data,
gpio_fan_groups);
if (IS_ERR(fan_data->hwmon_dev))
return PTR_ERR(fan_data->hwmon_dev);
/* Configure alarm GPIO if available. */
if (fan_data->alarm_gpio) {
err = fan_alarm_init(fan_data);
if (err)
return err;
}
/* Optional cooling device register for Device tree platforms */
fan_data->cdev = devm_thermal_of_cooling_device_register(dev, np,
"gpio-fan", fan_data, &gpio_fan_cool_ops);
dev_info(dev, "GPIO fan initialized\n");
return 0;
}
static void gpio_fan_shutdown(struct platform_device *pdev)
{
struct gpio_fan_data *fan_data = platform_get_drvdata(pdev);
if (fan_data->gpios)
set_fan_speed(fan_data, 0);
}
#ifdef CONFIG_PM_SLEEP
static int gpio_fan_suspend(struct device *dev)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
if (fan_data->gpios) {
fan_data->resume_speed = fan_data->speed_index;
set_fan_speed(fan_data, 0);
}
return 0;
}
static int gpio_fan_resume(struct device *dev)
{
struct gpio_fan_data *fan_data = dev_get_drvdata(dev);
if (fan_data->gpios)
set_fan_speed(fan_data, fan_data->resume_speed);
return 0;
}
static SIMPLE_DEV_PM_OPS(gpio_fan_pm, gpio_fan_suspend, gpio_fan_resume);
#define GPIO_FAN_PM (&gpio_fan_pm)
#else
#define GPIO_FAN_PM NULL
#endif
static struct platform_driver gpio_fan_driver = {
.probe = gpio_fan_probe,
.shutdown = gpio_fan_shutdown,
.driver = {
.name = "gpio-fan",
.pm = GPIO_FAN_PM,
.of_match_table = of_match_ptr(of_gpio_fan_match),
},
};
module_platform_driver(gpio_fan_driver);
MODULE_AUTHOR("Simon Guinot <sguinot@lacie.com>");
MODULE_DESCRIPTION("GPIO FAN driver");
MODULE_LICENSE("GPL");
MODULE_ALIAS("platform:gpio-fan");