[PATCH 2/2] powercap: dtpm_devfreq: Fix out-of-bounds read in set_pd_power_limit()
From: Elazar Leibovich
Date: Fri Jun 12 2026 - 02:27:05 EST
From: Sivan Zohar-Kotzer <sivany32@xxxxxxxxx>

The loop in set_pd_power_limit() looks for the first perf state whose
power exceeds the requested limit, then uses table[i - 1]. If the very
first perf state already exceeds the limit, the loop breaks at i == 0
and table[-1] is read out of bounds.

The powercap core clamps the requested limit to dtpm->power_min, but
power_min is only captured by update_pd_power_uw() at setup time. If
the energy model table is updated at runtime via
em_dev_update_perf_domain() and the power of the lowest perf state
grows past the stale power_min, the clamped limit can still be below
table[0].power, making the underflow reachable.

Start the scan at index 1 so the lowest perf state is used as the
fallback when even it exceeds the requested limit.

Fixes: e44655617317 ("powercap/drivers/dtpm: Add dtpm devfreq with energy model support")
Signed-off-by: Sivan Zohar-Kotzer <sivany32@xxxxxxxxx>
Co-developed-by: Elazar Leibovich <elazarl@xxxxxxxxx>
Signed-off-by: Elazar Leibovich <elazarl@xxxxxxxxx>
---
drivers/powercap/dtpm_devfreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/powercap/dtpm_devfreq.c b/drivers/powercap/dtpm_devfreq.c
index cf16e2756481..1afaae234c01 100644
--- a/drivers/powercap/dtpm_devfreq.c
+++ b/drivers/powercap/dtpm_devfreq.c
@@ -68,7 +68,7 @@ static u64 set_pd_power_limit(struct dtpm *dtpm, u64 power_limit)
rcu_read_lock();
table = em_perf_state_from_pd(pd);
- for (i = 0; i < pd->nr_perf_states; i++) {
+ for (i = 1; i < pd->nr_perf_states; i++) {
if (table[i].power > power_limit)
break;
}
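Review bot: The new loop start `for (i = 1; i < pd->nr_perf_states; i++)` has no comment, and because the table[i - 1] use sits outside this hunk it reads like an off-by-one to anyone who has not seen the commit message. Please add a one-line comment above the loop saying that table[0] is the deliberate fallback when even the lowest perf state exceeds power_limit. Two further points follow from the description: in that fallback case the selected state's power is above the requested power_limit, so it is worth confirming that callers tolerate a result higher than the limit they asked for; and the stale dtpm->power_min that makes this path reachable after em_dev_update_perf_domain() is left as is, so a follow-up that refreshes power_min when the table changes would address the cause rather than only the out-of-bounds read.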
--
2.50.1 (Apple Git-155)