Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/dev/acpi - Fix a bug that acpiec_space_handler() doesn't...
details: https://anonhg.NetBSD.org/src/rev/f005b1d74a60
branches: trunk
changeset: 1002532:f005b1d74a60
user: msaitoh <msaitoh%NetBSD.org@localhost>
date: Mon Aug 05 10:12:04 2019 +0000
description:
- Fix a bug that acpiec_space_handler() doesn't access more than 64bit
correctly. Found by kUBSan on Thinkpad X220. acpiec0 accessed 128bits from
address 0xa0. The error message was:
UBSan: Undefined Behavior in ../../../../dev/acpi/acpi_ec.c:672:32, shift exponent 64 is too large for 64-bit type 'long unsigned int'
- KNF.
The error message was:
diffstat:
sys/dev/acpi/acpi_ec.c | 79 +++++++++++++++++++++++++++----------------------
1 files changed, 44 insertions(+), 35 deletions(-)
diffs (177 lines):
diff -r 549e47e7fd9e -r f005b1d74a60 sys/dev/acpi/acpi_ec.c
--- a/sys/dev/acpi/acpi_ec.c Mon Aug 05 10:09:35 2019 +0000
+++ b/sys/dev/acpi/acpi_ec.c Mon Aug 05 10:12:04 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: acpi_ec.c,v 1.75 2017/03/11 08:26:23 tsutsui Exp $ */
+/* $NetBSD: acpi_ec.c,v 1.76 2019/08/05 10:12:04 msaitoh Exp $ */
/*-
* Copyright (c) 2007 Joerg Sonnenberger <joerg%NetBSD.org@localhost>.
@@ -59,7 +59,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: acpi_ec.c,v 1.75 2017/03/11 08:26:23 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: acpi_ec.c,v 1.76 2019/08/05 10:12:04 msaitoh Exp $");
#include <sys/param.h>
#include <sys/callout.h>
@@ -404,6 +404,7 @@
static bool
acpiec_suspend(device_t dv, const pmf_qual_t *qual)
{
+
acpiec_cold = true;
return true;
@@ -412,6 +413,7 @@
static bool
acpiec_resume(device_t dv, const pmf_qual_t *qual)
{
+
acpiec_cold = false;
return true;
@@ -454,9 +456,10 @@
ACPI_FREE(p);
return false;
}
-
+
if (p->Package.Count != 2) {
- aprint_error_dev(self, "_GPE package does not contain 2 elements\n");
+ aprint_error_dev(self,
+ "_GPE package does not contain 2 elements\n");
ACPI_FREE(p);
return false;
}
@@ -511,6 +514,7 @@
acpiec_space_setup(ACPI_HANDLE region, uint32_t func, void *arg,
void **region_arg)
{
+
if (func == ACPI_REGION_DEACTIVATE)
*region_arg = NULL;
else
@@ -528,9 +532,11 @@
mutex_enter(&sc->sc_access_mtx);
if (sc->sc_need_global_lock) {
- rv = AcpiAcquireGlobalLock(EC_LOCK_TIMEOUT, &sc->sc_global_lock);
+ rv = AcpiAcquireGlobalLock(EC_LOCK_TIMEOUT,
+ &sc->sc_global_lock);
if (rv != AE_OK) {
- aprint_error_dev(dv, "failed to acquire global lock: %s\n",
+ aprint_error_dev(dv,
+ "failed to acquire global lock: %s\n",
AcpiFormatException(rv));
return;
}
@@ -546,7 +552,8 @@
if (sc->sc_need_global_lock) {
rv = AcpiReleaseGlobalLock(sc->sc_global_lock);
if (rv != AE_OK) {
- aprint_error_dev(dv, "failed to release global lock: %s\n",
+ aprint_error_dev(dv,
+ "failed to release global lock: %s\n",
AcpiFormatException(rv));
}
}
@@ -587,7 +594,8 @@
} else if (cv_timedwait(&sc->sc_cv, &sc->sc_mtx, EC_CMD_TIMEOUT * hz)) {
mutex_exit(&sc->sc_mtx);
acpiec_unlock(dv);
- aprint_error_dev(dv, "command takes over %d sec...\n", EC_CMD_TIMEOUT);
+ aprint_error_dev(dv,
+ "command takes over %d sec...\n", EC_CMD_TIMEOUT);
return AE_ERROR;
}
@@ -634,7 +642,8 @@
} else if (cv_timedwait(&sc->sc_cv, &sc->sc_mtx, EC_CMD_TIMEOUT * hz)) {
mutex_exit(&sc->sc_mtx);
acpiec_unlock(dv);
- aprint_error_dev(dv, "command takes over %d sec...\n", EC_CMD_TIMEOUT);
+ aprint_error_dev(dv,
+ "command takes over %d sec...\n", EC_CMD_TIMEOUT);
return AE_ERROR;
}
@@ -648,43 +657,42 @@
acpiec_space_handler(uint32_t func, ACPI_PHYSICAL_ADDRESS paddr,
uint32_t width, ACPI_INTEGER *value, void *arg, void *region_arg)
{
- device_t dv;
+ device_t dv = arg;
ACPI_STATUS rv;
- uint8_t addr, reg;
- unsigned int i;
+ uint8_t addr;
+ uint8_t *reg;
+ if ((func != ACPI_READ) && (func != ACPI_WRITE)) {
+ aprint_error("%s: invalid Address Space function called: %x\n",
+ device_xname(dv), (unsigned int)func);
+ return AE_BAD_PARAMETER;
+ }
if (paddr > 0xff || width % 8 != 0 || value == NULL || arg == NULL ||
paddr + width / 8 > 0x100)
return AE_BAD_PARAMETER;
addr = paddr;
- dv = arg;
+ reg = (uint8_t *)value;
rv = AE_OK;
- switch (func) {
- case ACPI_READ:
+ if (func == ACPI_READ)
*value = 0;
- for (i = 0; i < width; i += 8, ++addr) {
- rv = acpiec_read(dv, addr, ®);
- if (rv != AE_OK)
- break;
- *value |= (ACPI_INTEGER)reg << i;
+
+ do {
+ switch (func) {
+ case ACPI_READ:
+ rv = acpiec_read(dv, addr, reg);
+ break;
+ case ACPI_WRITE:
+ rv = acpiec_write(dv, addr, *reg);
+ break;
}
- break;
- case ACPI_WRITE:
- for (i = 0; i < width; i += 8, ++addr) {
- reg = (*value >>i) & 0xff;
- rv = acpiec_write(dv, addr, reg);
- if (rv != AE_OK)
- break;
- }
- break;
- default:
- aprint_error("%s: invalid Address Space function called: %x\n",
- device_xname(dv), (unsigned int)func);
- return AE_BAD_PARAMETER;
- }
+ if (rv != AE_OK)
+ break;
+ addr++;
+ reg++;
+ } while (addr < (paddr + width / 8));
return rv;
}
@@ -867,7 +875,8 @@
ACPI_STATUS
acpiec_bus_write(device_t dv, u_int addr, ACPI_INTEGER val, int width)
{
- return acpiec_space_handler(ACPI_WRITE, addr, width * 8, &val, dv, NULL);
+ return acpiec_space_handler(ACPI_WRITE, addr, width * 8, &val, dv,
+ NULL);
}
ACPI_HANDLE
Home |
Main Index |
Thread Index |
Old Index