Message-ID: <20181204195732.GC14307@google.com>
Date:   Tue, 4 Dec 2018 11:57:32 -0800
From:   Matthias Kaehlcke <mka@...omium.org>
To:     Evan Green <evgreen@...omium.org>
Cc:     Jonathan Cameron <jic23@...nel.org>, linux-iio@...r.kernel.org,
        Hartmut Knaack <knaack.h@....de>,
        Siddartha Mohanadoss <smohanad@...eaurora.org>,
        linux-kernel@...r.kernel.org, Lars-Peter Clausen <lars@...afoo.de>,
        Peter Meerwald-Stadler <pmeerw@...erw.net>
Subject: Re: [PATCH] iio: adc: qcom-spmi-adc5: Initialize prescale properly

On Tue, Dec 04, 2018 at 11:14:19AM -0800, Evan Green wrote:
> adc5_get_dt_data uses a local, prop, feeds it to adc5_get_dt_channel_data,
> and then puts the result into adc->chan_props. The problem is
> adc5_get_dt_channel_data may not initialize that structure fully, so a
> garbage value is used for prescale if the optional "qcom,pre-scaling" is
> not defined in DT. adc5_read_raw then uses this as an array index,
> generating a crash that looks like this:
> 
> [    6.683186] Unable to handle kernel paging request at virtual address ffffff90e78c7964
> Call trace:
> qcom_vadc_scale_code_voltage_factor+0x74/0x104
> qcom_vadc_scale_hw_calib_die_temp+0x20/0x60
> qcom_adc5_hw_scale+0x78/0xa4
> adc5_read_raw+0x3d0/0x65c
> iio_channel_read+0x240/0x30c
> iio_read_channel_processed+0x10c/0x150
> qpnp_tm_get_temp+0xc0/0x40c
> of_thermal_get_temp+0x7c/0x98
> thermal_zone_get_temp+0xac/0xd8
> thermal_zone_device_update+0xc0/0x38c
> qpnp_tm_probe+0x624/0x81c
> platform_drv_probe+0xe4/0x11c
> really_probe+0x188/0x3fc
> driver_probe_device+0xb8/0x188
> __device_attach_driver+0x114/0x180
> bus_for_each_drv+0xd8/0x118
> __device_attach+0x180/0x27c
> device_initial_probe+0x20/0x2c
> bus_probe_device+0x78/0x124
> deferred_probe_work_func+0xfc/0x138
> process_one_work+0x3d8/0x8b0
> process_scheduled_works+0x48/0x6c
> worker_thread+0x488/0x7cc
> kthread+0x24c/0x264
> ret_from_fork+0x10/0x18
> 
> Unfortunately, when I went to add the initializer for this and tried to
> boot it, my machine shut down immediately, complaining that it was
> hotter than the sun. It appears that adc5_chans_pmic and adc5_chans_rev2
> were initializing prescale_index as if it were directly a divisor,
> rather than the index into adc5_prescale_ratios that it is.
> 
> Fix the uninitialized value, and change the static initialization to use
> indices into adc5_prescale_ratios.
> 
> Signed-off-by: Evan Green <evgreen@...omium.org>
> ---
> 
>  drivers/iio/adc/qcom-spmi-adc5.c | 58 +++++++++++++++++---------------
>  1 file changed, 31 insertions(+), 27 deletions(-)
> 
> diff --git a/drivers/iio/adc/qcom-spmi-adc5.c b/drivers/iio/adc/qcom-spmi-adc5.c
> index f9af6b082916b..6a866cc187f7d 100644
> --- a/drivers/iio/adc/qcom-spmi-adc5.c
> +++ b/drivers/iio/adc/qcom-spmi-adc5.c
> @@ -423,6 +423,7 @@ struct adc5_channels {
>  	enum vadc_scale_fn_type scale_fn_type;
>  };
>  
> +/* In these definitions, _pre refers to an index into adc5_prescale_ratios. */
>  #define ADC5_CHAN(_dname, _type, _mask, _pre, _scale)			\
>  	{								\
>  		.datasheet_name = _dname,				\
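Review bot: the new comment above ADC5_CHAN documents that _pre is an index into adc5_prescale_ratios, but the parameter name itself still reads like a divisor, which is exactly the confusion that put divisors into adc5_chans_pmic and adc5_chans_rev2; renaming it (for example to `_pre_idx`) would make a future `ADC5_CHAN_VOLT("...", 16, ...)` stand out as suspicious at the call site rather than relying on a reader having seen this comment.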
> @@ -443,63 +444,63 @@ struct adc5_channels {
>  		  _pre, _scale)						\
>  
>  static const struct adc5_channels adc5_chans_pmic[ADC5_MAX_CHANNEL] = {
> -	[ADC5_REF_GND]		= ADC5_CHAN_VOLT("ref_gnd", 1,
> +	[ADC5_REF_GND]		= ADC5_CHAN_VOLT("ref_gnd", 0,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_1P25VREF]		= ADC5_CHAN_VOLT("vref_1p25", 1,
> +	[ADC5_1P25VREF]		= ADC5_CHAN_VOLT("vref_1p25", 0,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_VPH_PWR]		= ADC5_CHAN_VOLT("vph_pwr", 3,
> +	[ADC5_VPH_PWR]		= ADC5_CHAN_VOLT("vph_pwr", 1,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_VBAT_SNS]		= ADC5_CHAN_VOLT("vbat_sns", 3,
> +	[ADC5_VBAT_SNS]		= ADC5_CHAN_VOLT("vbat_sns", 1,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_DIE_TEMP]		= ADC5_CHAN_TEMP("die_temp", 1,
> +	[ADC5_DIE_TEMP]		= ADC5_CHAN_TEMP("die_temp", 0,
>  					SCALE_HW_CALIB_PMIC_THERM)
> -	[ADC5_USB_IN_I]		= ADC5_CHAN_VOLT("usb_in_i_uv", 1,
> +	[ADC5_USB_IN_I]		= ADC5_CHAN_VOLT("usb_in_i_uv", 0,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_USB_IN_V_16]	= ADC5_CHAN_VOLT("usb_in_v_div_16", 16,
> +	[ADC5_USB_IN_V_16]	= ADC5_CHAN_VOLT("usb_in_v_div_16", 8,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_CHG_TEMP]		= ADC5_CHAN_TEMP("chg_temp", 1,
> +	[ADC5_CHG_TEMP]		= ADC5_CHAN_TEMP("chg_temp", 0,
>  					SCALE_HW_CALIB_PM5_CHG_TEMP)
>  	/* Charger prescales SBUx and MID_CHG to fit within 1.8V upper unit */
> -	[ADC5_SBUx]		= ADC5_CHAN_VOLT("chg_sbux", 3,
> +	[ADC5_SBUx]		= ADC5_CHAN_VOLT("chg_sbux", 1,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_MID_CHG_DIV6]	= ADC5_CHAN_VOLT("chg_mid_chg", 6,
> +	[ADC5_MID_CHG_DIV6]	= ADC5_CHAN_VOLT("chg_mid_chg", 3,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_XO_THERM_100K_PU]	= ADC5_CHAN_TEMP("xo_therm", 1,
> +	[ADC5_XO_THERM_100K_PU]	= ADC5_CHAN_TEMP("xo_therm", 0,
>  					SCALE_HW_CALIB_XOTHERM)
> -	[ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 1,
> +	[ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 0,
>  					SCALE_HW_CALIB_THERM_100K_PULLUP)
> -	[ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 1,
> +	[ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 0,
>  					SCALE_HW_CALIB_THERM_100K_PULLUP)
> -	[ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 1,
> +	[ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 0,
>  					SCALE_HW_CALIB_THERM_100K_PULLUP)
> -	[ADC5_AMUX_THM2]	= ADC5_CHAN_TEMP("amux_thm2", 1,
> +	[ADC5_AMUX_THM2]	= ADC5_CHAN_TEMP("amux_thm2", 0,
>  					SCALE_HW_CALIB_PM5_SMB_TEMP)
>  };
>  
>  static const struct adc5_channels adc5_chans_rev2[ADC5_MAX_CHANNEL] = {
> -	[ADC5_REF_GND]		= ADC5_CHAN_VOLT("ref_gnd", 1,
> +	[ADC5_REF_GND]		= ADC5_CHAN_VOLT("ref_gnd", 0,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_1P25VREF]		= ADC5_CHAN_VOLT("vref_1p25", 1,
> +	[ADC5_1P25VREF]		= ADC5_CHAN_VOLT("vref_1p25", 0,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_VPH_PWR]		= ADC5_CHAN_VOLT("vph_pwr", 3,
> +	[ADC5_VPH_PWR]		= ADC5_CHAN_VOLT("vph_pwr", 1,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_VBAT_SNS]		= ADC5_CHAN_VOLT("vbat_sns", 3,
> +	[ADC5_VBAT_SNS]		= ADC5_CHAN_VOLT("vbat_sns", 1,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_VCOIN]		= ADC5_CHAN_VOLT("vcoin", 3,
> +	[ADC5_VCOIN]		= ADC5_CHAN_VOLT("vcoin", 1,
>  					SCALE_HW_CALIB_DEFAULT)
> -	[ADC5_DIE_TEMP]		= ADC5_CHAN_TEMP("die_temp", 1,
> +	[ADC5_DIE_TEMP]		= ADC5_CHAN_TEMP("die_temp", 0,
>  					SCALE_HW_CALIB_PMIC_THERM)
> -	[ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 1,
> +	[ADC5_AMUX_THM1_100K_PU] = ADC5_CHAN_TEMP("amux_thm1_100k_pu", 0,
>  					SCALE_HW_CALIB_THERM_100K_PULLUP)
> -	[ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 1,
> +	[ADC5_AMUX_THM2_100K_PU] = ADC5_CHAN_TEMP("amux_thm2_100k_pu", 0,
>  					SCALE_HW_CALIB_THERM_100K_PULLUP)
> -	[ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 1,
> +	[ADC5_AMUX_THM3_100K_PU] = ADC5_CHAN_TEMP("amux_thm3_100k_pu", 0,
>  					SCALE_HW_CALIB_THERM_100K_PULLUP)
> -	[ADC5_AMUX_THM4_100K_PU] = ADC5_CHAN_TEMP("amux_thm4_100k_pu", 1,
> +	[ADC5_AMUX_THM4_100K_PU] = ADC5_CHAN_TEMP("amux_thm4_100k_pu", 0,
>  					SCALE_HW_CALIB_THERM_100K_PULLUP)
> -	[ADC5_AMUX_THM5_100K_PU] = ADC5_CHAN_TEMP("amux_thm5_100k_pu", 1,
> +	[ADC5_AMUX_THM5_100K_PU] = ADC5_CHAN_TEMP("amux_thm5_100k_pu", 0,
>  					SCALE_HW_CALIB_THERM_100K_PULLUP)
> -	[ADC5_XO_THERM_100K_PU]	= ADC5_CHAN_TEMP("xo_therm_100k_pu", 1,
> +	[ADC5_XO_THERM_100K_PU]	= ADC5_CHAN_TEMP("xo_therm_100k_pu", 0,
>  					SCALE_HW_CALIB_THERM_100K_PULLUP)
>  };
>  
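Review bot: the replacement values 0, 1, 3 and 8 are magic numbers whose correctness depends entirely on the ordering of adc5_prescale_ratios, which is not visible in this hunk; the mapping applied here (1 to 0, 3 to 1, 6 to 3, 16 to 8) should be checked against that table entry by entry, since a single wrong index in a range-valid slot does not crash but silently mis-scales, which is the "hotter than the sun" symptom the commit message describes. Named constants for the indices would make the tables self-describing; as written, `[ADC5_MID_CHG_DIV6] = ADC5_CHAN_VOLT("chg_mid_chg", 3,` pairs a name that says DIV6 with a literal 3, and `usb_in_v_div_16` sits beside an 8, both correct but easy to misread during a later edit.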
> @@ -558,6 +559,9 @@ static int adc5_get_dt_channel_data(struct adc5_chip *adc,
>  			return ret;
>  		}
>  		prop->prescale = ret;
> +	} else {
> +		prop->prescale =
> +			adc->data->adc_chans[prop->channel].prescale_index;
>  	}
>  
>  	ret = of_property_read_u32(node, "qcom,hw-settle-time", &value);
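Review bot: the new else branch indexes `adc->data->adc_chans[prop->channel]`, so the fallback is only safe if prop->channel has already been validated against ADC5_MAX_CHANNEL earlier in adc5_get_dt_channel_data; that check is not visible in this hunk and is worth confirming, otherwise an out-of-range channel from DT trades the old out-of-bounds read for a new one. A one-line comment here stating that the table value is an index into adc5_prescale_ratios, mirroring the comment added to the ADC5_CHAN macro, would keep both halves of the invariant next to the code that relies on it.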

Reviewed-by: Matthias Kaehlcke <mka@...omium.org>

Good as an immediate fix.

In the long term I wonder if it would be better to pass a ratio to
ADC5_CHAN_XYZ and store it in struct adc5_channel_prop, instead of
specifying the index, which is more error-prone and whose errors are harder
to spot. With this adc5_prescale_ratios would still exist, but would only be
used for the sanity check of prescaling values from the DT.
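The two defects the commit message describes, shown as an added example that is neither the kernel's code nor Evan Green's patch: a per-channel prescale field that is left unassigned when the optional DT property is absent, and a static table that stores divisors where indices are expected. Everything here is constructed for illustration: prescale_ratios, chan_prop, chan_default_prescale_index, init_chan_prop and scale_raw_code are hypothetical names, the table ordering is chosen only so that the mapping the patch applies (1 to 0, 3 to 1, 6 to 3, 16 to 8) holds, and the scaling arithmetic is an assumption rather than the kernel's qcom_vadc_scale_code_voltage_factor.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed prescale table (NOT the kernel's adc5_prescale_ratios).
 * Entries are {numerator, denominator}; the ordering is chosen so that the
 * divisor-to-index mapping implied by the patch holds:
 * divisor 1 -> index 0, 3 -> 1, 6 -> 3, 16 -> 8. */
struct prescale_ratio {
	unsigned int num;
	unsigned int den;
};

static const struct prescale_ratio prescale_ratios[] = {
	{ 1, 1 }, { 1, 3 }, { 1, 4 }, { 1, 6 }, { 1, 20 },
	{ 1, 8 }, { 10, 81 }, { 1, 10 }, { 1, 16 },
};
#define NUM_PRESCALE_RATIOS \
	(sizeof(prescale_ratios) / sizeof(prescale_ratios[0]))

/* Hypothetical per-channel property carrying the two fields at issue.
 * prescale is an INDEX into prescale_ratios, never a divisor. */
struct chan_prop {
	unsigned int channel;
	unsigned int prescale;
};

/* Constructed per-channel defaults, indexed by channel number, holding
 * prescale indices the way the patched adc5_chans_* tables do. */
#define MAX_CHANNEL 4
static const unsigned int chan_default_prescale_index[MAX_CHANNEL] = {
	[0] = 0, /* 1:1  */
	[1] = 1, /* 1:3  */
	[2] = 3, /* 1:6  */
	[3] = 8, /* 1:16 */
};

/* Translate a divisor as a DT author would write it (1, 3, 6, 16, ...) into a
 * table index. Returns -1 for a divisor not in the table so a bad DT value is
 * rejected up front instead of being used as an array index later. */
int prescale_index_from_divisor(unsigned int divisor)
{
	for (size_t i = 0; i < NUM_PRESCALE_RATIOS; i++)
		if (prescale_ratios[i].num == 1 && prescale_ratios[i].den == divisor)
			return (int)i;
	return -1;
}

/* Initialise a channel property so that prescale is ALWAYS assigned.
 * dt_divisor == 0 stands for "optional property absent" (0 is never a valid
 * divisor); that case takes the table default, as the patch's else branch
 * does, rather than leaving the field with whatever was on the stack. */
int init_chan_prop(struct chan_prop *prop, unsigned int channel,
		   unsigned int dt_divisor)
{
	if (channel >= MAX_CHANNEL)
		return -1; /* validate the channel before using it as an index */
	prop->channel = channel;
	if (dt_divisor == 0) {
		prop->prescale = chan_default_prescale_index[channel];
		return 0;
	}
	int idx = prescale_index_from_divisor(dt_divisor);
	if (idx < 0)
		return -1;
	prop->prescale = (unsigned int)idx;
	return 0;
}

/* Bounds-checked use of the index. A caller that stored a divisor (16) here
 * instead of an index (8) gets -1 back instead of an out-of-bounds read.
 * The arithmetic (undo a num/den prescale by multiplying by den/num) is an
 * assumption for illustration, not the kernel's scaling function. */
int scale_raw_code(const struct chan_prop *prop, int64_t raw, int64_t *out)
{
	if (prop->prescale >= NUM_PRESCALE_RATIOS)
		return -1;
	const struct prescale_ratio *r = &prescale_ratios[prop->prescale];
	*out = raw * (int64_t)r->den / (int64_t)r->num;
	return 0;
}

int main(void)
{
	struct chan_prop p;
	int64_t v = 0;

	init_chan_prop(&p, 3, 0);       /* no DT override: default index 8 */
	scale_raw_code(&p, 100, &v);
	printf("channel 3, index %u -> %lld\n", p.prescale, (long long)v);

	p.prescale = 16;                /* pre-patch mistake: divisor as index */
	printf("divisor-as-index rejected: %d\n", scale_raw_code(&p, 100, &v));
	return 0;
}
```

The bounds check in scale_raw_code is the defender's counterpart to the crash in the trace quoted above: an index that is stale, uninitialised or mistyped as a divisor fails at the lookup with an error return instead of reading past the table, and init_chan_prop makes the "property absent" path assign the field explicitly so there is no code path on which it keeps stack garbage.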
