From patchwork Mon Oct 17 15:41:12 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
X-Patchwork-Id: 9379639
X-Patchwork-Delegate: rjw@sisk.pl
Return-Path: <linux-pm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	A6E0C607D4 for <patchwork-linux-pm@patchwork.kernel.org>;
	Mon, 17 Oct 2016 15:42:19 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9886A29262
	for <patchwork-linux-pm@patchwork.kernel.org>;
	Mon, 17 Oct 2016 15:42:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 8D49229268; Mon, 17 Oct 2016 15:42:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM,
	T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 298C529262
	for <patchwork-linux-pm@patchwork.kernel.org>;
	Mon, 17 Oct 2016 15:42:19 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933362AbcJQPmR (ORCPT
	<rfc822;patchwork-linux-pm@patchwork.kernel.org>);
	Mon, 17 Oct 2016 11:42:17 -0400
Received: from mail-pa0-f65.google.com ([209.85.220.65]:33184 "EHLO
	mail-pa0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932930AbcJQPmR (ORCPT
	<rfc822;linux-pm@vger.kernel.org>); Mon, 17 Oct 2016 11:42:17 -0400
Received: by mail-pa0-f65.google.com with SMTP id hh10so9366373pac.0;
	Mon, 17 Oct 2016 08:42:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=LkWGiJcPXWgaM+ljN92DGeci/kgLci9mZTSk41AVWeE=;
	b=nPTylViBo4uvCxdMgEOorEBglbYeS3DVJ4ZtgwnWAVuk2mkhKypFcTnxqOzFY7y9BX
	ippX94bNw//Tz0j0gl4ew2r2BSpIYbix8wj7DTBk6h2asQyfeaddRT+IdtJKRXR+k7hG
	uShAwexWvAIShnsUMRkmXZ1q2Smcdr401krm2x9If5x0m1AmWbenmOGM42IzOxt62R73
	axUL/rkRqLFfRrqJphar4wWXVKjrrmzK7XgYm1QbFHb70o/f6lKJ+bcTkJYUI90VQ49J
	U71VhmOMKWgLNYmed1yC1K9CKLNkptVz9pwukf64n6WtvmtpYKg0zywibBpnMzDFeviT
	HHUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=LkWGiJcPXWgaM+ljN92DGeci/kgLci9mZTSk41AVWeE=;
	b=lY4Srd8Yx4ga1RV7DL2K55tWTA8nIjV/HXmezxgWqxboG0S7xYx3ovq/oCEw/xDLKS
	E3JS3s52xTPSXzTWKl3JuARqTKE9avtFVqQyWSb3H2ut9828Qt28nCDT/CiEc6CtO9c2
	2F0Ij/sPMNhcAUKXqkKN3JEJn5rP8/F4wul/p+8TDYhNZmVn0yj06bDKFqdeuvSpbfnc
	su+qAVRmcJX6qF7jILuqKJJUAM4PztAkzt8MsUvE6mdqKWoEQWQVn7ROzm6vIVJSC/zv
	IEMUC0JhmHxTCCY2eKvsMMbeD7J2p14KjmBj0XreaZSIuVWr3Xz5/PEWAL4KV0T+FEG/
	cUEw==
X-Gm-Message-State: 
 AA6/9RkYd/Eyod+a3sFIsyCBSujeNMAIBsfWjiRz4svC/ieOEdnw4DYkgdL3BNlXoXGDJw==
X-Received: by 10.66.189.194 with SMTP id gk2mr32153154pac.211.1476718936398;
	Mon, 17 Oct 2016 08:42:16 -0700 (PDT)
Received: from localhost.localdomain ([112.168.75.135])
	by smtp.gmail.com with ESMTPSA id
	x190sm49083867pfd.20.2016.10.17.08.42.12
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 17 Oct 2016 08:42:15 -0700 (PDT)
From: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
To: "Rafael J . Wysocki" <rafael.j.wysocki@intel.com>
Cc: Viresh Kumar <viresh.kumar@linaro.org>,
	Aaro Koskinen <aaro.koskinen@iki.fi>, linux-pm@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Sergey Senozhatsky <sergey.senozhatsky@gmail.com>,
	Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
Subject: [PATCHv2] cpufreq: fix overflow in cpufreq_table_find_index_dl()
Date: Tue, 18 Oct 2016 00:41:12 +0900
Message-Id: <20161017154112.1111-1-sergey.senozhatsky@gmail.com>
X-Mailer: git-send-email 2.10.1.382.ga23ca1b
In-Reply-To: <20161017151456.3573-1-sergey.senozhatsky@gmail.com>
References: <20161017151456.3573-1-sergey.senozhatsky@gmail.com>
Sender: linux-pm-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-pm.vger.kernel.org>
X-Mailing-List: linux-pm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

'best' is always less or equals to 'pos', so `best - pos' returns
a negative value which is then getting casted to `unsigned int'
and passed to __cpufreq_driver_target()->acpi_cpufreq_target()
for policy->freq_table selection. This results in

 BUG: unable to handle kernel paging request at ffff881019b469f8
 IP: [<ffffffffa00356c1>] acpi_cpufreq_target+0x4f/0x190 [acpi_cpufreq]
 PGD 267f067
 PUD 0

 Oops: 0000 [#1] PREEMPT SMP
 CPU: 6 PID: 70 Comm: kworker/6:1 Not tainted 4.9.0-rc1-next-20161017-dbg-dirty
 Workqueue: events dbs_work_handler
 task: ffff88041b808000 task.stack: ffff88041b810000
 RIP: 0010:[<ffffffffa00356c1>]  [<ffffffffa00356c1>] acpi_cpufreq_target+0x4f/0x190 [acpi_cpufreq]
 RSP: 0018:ffff88041b813c60  EFLAGS: 00010282
 RAX: ffff880419b46a00 RBX: ffff88041b848400 RCX: ffff880419b20f80
 RDX: 00000000001dff38 RSI: 00000000ffffffff RDI: ffff88041b848400
 RBP: ffff88041b813cb0 R08: 0000000000000006 R09: 0000000000000040
 R10: ffffffff8207f9e0 R11: ffffffff8173595b R12: 0000000000000000
 R13: ffff88041f1dff38 R14: 0000000000262900 R15: 0000000bfffffff4
 FS:  0000000000000000(0000) GS:ffff88041f000000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: ffff881019b469f8 CR3: 000000041a2d3000 CR4: 00000000001406e0
 Stack:
  ffff88041b813cb0 ffffffff813347f9 ffff88041b813ca0 ffffffff81334663
  ffff88041f1d4bc0 ffff88041b848400 0000000000000000 0000000000000000
  0000000000262900 0000000000000000 ffff88041b813d00 ffffffff813355dc
 Call Trace:
  [<ffffffff813347f9>] ? cpufreq_freq_transition_begin+0xf1/0xfc
  [<ffffffff81334663>] ? get_cpu_idle_time+0x97/0xa6
  [<ffffffff813355dc>] __cpufreq_driver_target+0x3b6/0x44e
  [<ffffffff81336ca3>] cs_dbs_timer+0x11a/0x135
  [<ffffffff81336fda>] dbs_work_handler+0x39/0x62
  [<ffffffff81057823>] process_one_work+0x280/0x4a5
  [<ffffffff81058719>] worker_thread+0x24f/0x397
  [<ffffffff810584ca>] ? rescuer_thread+0x30b/0x30b
  [<ffffffff81418380>] ? nl80211_get_key+0x29/0x36a
  [<ffffffff8105d2b7>] kthread+0xfc/0x104
  [<ffffffff8107ceea>] ? put_lock_stats.isra.9+0xe/0x20
  [<ffffffff8105d1bb>] ? kthread_create_on_node+0x3f/0x3f
  [<ffffffff814b2092>] ret_from_fork+0x22/0x30
 Code: 56 4d 6b ff 0c 41 55 41 54 53 48 83 ec 28 48 8b 15 ad 1e 00 00 44 8b 41
 08 48 8b 87 c8 00 00 00 49 89 d5 4e 03 2c c5 80 b2 78 81 <46> 8b 74 38 04 45
 3b 75 00 75 11 31 c0 83 39 00 0f 84 1c 01 00
 RIP  [<ffffffffa00356c1>] acpi_cpufreq_target+0x4f/0x190 [acpi_cpufreq]
  RSP <ffff88041b813c60>
 CR2: ffff881019b469f8
 ---[ end trace 16d9fc7a17897d37 ]---

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
---
 include/linux/cpufreq.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h
index 5fa55fc..32dc0cbd 100644
--- a/include/linux/cpufreq.h
+++ b/include/linux/cpufreq.h
@@ -677,10 +677,10 @@ static inline int cpufreq_table_find_index_dl(struct cpufreq_policy *policy,
 		if (best == table - 1)
 			return pos - table;
 
-		return best - pos;
+		return best - table;
 	}
 
-	return best - pos;
+	return best - table;
 }
 
 /* Works only on sorted freq-tables */