[PATCH 1/2] powercap: dtpm_cpu: Fix out-of-bounds read in set_pd_power_limit()
From: Elazar Leibovich
Date: Fri Jun 12 2026 - 02:26:30 EST
From: Sivan Zohar-Kotzer <sivany32@xxxxxxxxx>
The loop in set_pd_power_limit() looks for the first perf state whose
power exceeds the requested limit, then uses table[i - 1]. If the very
first perf state already exceeds the limit, the loop breaks at i == 0
and table[-1] is read out of bounds.

The powercap core clamps the requested limit to dtpm->power_min, but
power_min was computed by update_pd_power_uw() with the number of
online CPUs at that time. If CPUs have come online since the last
update, the clamped limit can still be below table[0].power * nr_cpus,
making the underflow reachable.

Start the scan at index 1 so the lowest perf state is used as the
fallback when even it exceeds the requested limit.

Fixes: 0e8f68d7f048 ("powercap/drivers/dtpm: Add CPU energy model based support")
Signed-off-by: Sivan Zohar-Kotzer <sivany32@xxxxxxxxx>
Co-developed-by: Elazar Leibovich <elazarl@xxxxxxxxx>
Signed-off-by: Elazar Leibovich <elazarl@xxxxxxxxx>
---
drivers/powercap/dtpm_cpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/powercap/dtpm_cpu.c b/drivers/powercap/dtpm_cpu.c
index 0a460f97bf15..5e06909ae4fc 100644
--- a/drivers/powercap/dtpm_cpu.c
+++ b/drivers/powercap/dtpm_cpu.c
@@ -54,7 +54,7 @@ static u64 set_pd_power_limit(struct dtpm *dtpm, u64 power_limit)
rcu_read_lock();
table = em_perf_state_from_pd(pd);
- for (i = 0; i < pd->nr_perf_states; i++) {
+ for (i = 1; i < pd->nr_perf_states; i++) {
power = table[i].power * nr_cpus;
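Review bot: The new loop start `for (i = 1; ...)` reads like an off-by-one to anyone who has not seen the commit message, because its correctness depends on the later `table[i - 1]` access that sits outside this hunk. A short comment above the loop would help, stating that index 0 is skipped on purpose so that `i - 1` can never go below 0 and the lowest perf state becomes the fallback. Two things are worth spelling out in that comment or in the changelog. First, in the fallback case the selected state's power, `table[0].power * nr_cpus`, is above the requested `power_limit`, so the function applies more than the caller asked for; say whether callers are expected to tolerate that. Second, the loop still assumes `pd->nr_perf_states` is at least 1, since with zero states `i` stays at 1 and `table[0]` is read; if that is guaranteed elsewhere, note it. The stale `power_min` described in the commit message is what makes the low limit reachable in the first place, and this hunk does not touch it, so it should be clear whether that is handled separately.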
--
2.50.1 (Apple Git-155)