ACPI: CPPC: Avoid out of bounds access when parsing _CPC data

commit 40d8abf364bcab23bc715a9221a3c8623956257b upstream.

If the NumEntries field in the _CPC return package is less than 2, do
not attempt to access the "Revision" element of that package, because
it may not be present then.

Fixes: 337aadff8e45 ("ACPI: Introduce CPU performance controls using CPPC")
BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
index 5b2e58cbeb354c59a2b1f9e8cdc6ecc350d835bb..54ec4e191a8ecc90b97fe1c2cceb29f953cf7098 100644 (file)
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -678,6 +678,11 @@ int acpi_cppc_processor_probe(struct acpi_processor *pr)
        cpc_obj = &out_obj->package.elements[0];
        if (cpc_obj->type == ACPI_TYPE_INTEGER) {
                num_ent = cpc_obj->integer.value;
+               if (num_ent <= 1) {
+                       pr_debug("Unexpected _CPC NumEntries value (%d) for CPU:%d\n",
+                                num_ent, pr->id);
+                       goto out_free;
+               }
        } else {
                pr_debug("Unexpected entry type(%d) for NumEntries\n",
                                cpc_obj->type);