When setting a trip point temperature from sysfs, there is an upper
bound check on the user input, but no lower bound check.
As hardware register has 7 bits for a trip point temperature, the offset
to tj_max of the input temperature must be equal to/less than 0x7f.
Or else,
1. bogus temperature is updated into the trip temperature bits.
2. the upper bits of the register can be polluted.
For example,
$ rdmsr 0x1b2
2000003
$ echo -180000 > /sys/class/thermal/thermal_zone1/trip_point_1_temp
$ rdmsr 0x1b2
3980003
Not only the trip point temp is set to 76C on this platform (tj_max is
100), the Power Notification (Bit 24) is also enabled erronously.
Fix the problem by adding lower bound check for sysfs input.
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/all/add7a378-4d50-4ba1-81d3-a0c17db25a0b@kili.mountain/
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
{
struct zone_device *zonedev = tzd->devdata;
u32 l, h, mask, shift, intr;
- int tj_max, ret;
+ int tj_max, val, ret;
tj_max = intel_tcc_get_tjmax(zonedev->cpu);
if (tj_max < 0)
return tj_max;
tj_max *= 1000;
- if (trip >= MAX_NUMBER_OF_TRIPS || temp >= tj_max)
+ val = (tj_max - temp)/1000;
+
+ if (trip >= MAX_NUMBER_OF_TRIPS || val < 0 || val > 0x7f)
return -EINVAL;
ret = rdmsr_on_cpu(zonedev->cpu, MSR_IA32_PACKAGE_THERM_INTERRUPT,
if (!temp) {
l &= ~intr;
} else {
- l |= (tj_max - temp)/1000 << shift;
+ l |= val << shift;
l |= intr;
}
projects / platform / kernel / linux-starfive.git / commitdiff