mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
* [PATCH 1/3] remoteproc: fix coding style issues in remoteproc.h
@ 2026-06-11 18:05 Mukesh Ojha
  2026-06-11 18:05 ` [PATCH 2/3] remoteproc: add SPDX-License-Identifier tag to remoteproc.h Mukesh Ojha
  2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
  0 siblings, 2 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-11 18:05 UTC (permalink / raw)
  To: Bjorn Andersson, Mathieu Poirier
  Cc: linux-remoteproc, linux-kernel, Mukesh Ojha

The function pointer declarations for find_loaded_rsc_table() and
get_loaded_rsc_table() had their opening parenthesis at the end of
the line. Move the first argument onto the same line as the opening
parenthesis to fix the checkpatch warning.

Also remove a spurious blank line after the opening brace in
struct rproc_vdev.

Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
---
 include/linux/remoteproc.h | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/include/linux/remoteproc.h b/include/linux/remoteproc.h
index 7c1546d48008..e0e212328acf 100644
--- a/include/linux/remoteproc.h
+++ b/include/linux/remoteproc.h
@@ -127,10 +127,10 @@ struct rproc_ops {
 	int (*parse_fw)(struct rproc *rproc, const struct firmware *fw);
 	int (*handle_rsc)(struct rproc *rproc, u32 rsc_type, void *rsc,
 			  int offset, int avail);
-	struct resource_table *(*find_loaded_rsc_table)(
-				struct rproc *rproc, const struct firmware *fw);
-	struct resource_table *(*get_loaded_rsc_table)(
-				struct rproc *rproc, size_t *size);
+	struct resource_table *(*find_loaded_rsc_table)(struct rproc *rproc,
+							const struct firmware *fw);
+	struct resource_table *(*get_loaded_rsc_table)(struct rproc *rproc,
+						       size_t *size);
 	int (*load)(struct rproc *rproc, const struct firmware *fw);
 	int (*sanity_check)(struct rproc *rproc, const struct firmware *fw);
 	u64 (*get_boot_addr)(struct rproc *rproc, const struct firmware *fw);
@@ -375,7 +375,6 @@ struct rproc_vring {
  * @index: vdev position versus other vdev declared in resource table
  */
 struct rproc_vdev {
-
 	struct rproc_subdev subdev;
 	struct platform_device *pdev;
 
-- 
2.53.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 2/3] remoteproc: add SPDX-License-Identifier tag to remoteproc.h
  2026-06-11 18:05 [PATCH 1/3] remoteproc: fix coding style issues in remoteproc.h Mukesh Ojha
@ 2026-06-11 18:05 ` Mukesh Ojha
  2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
  1 sibling, 0 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-11 18:05 UTC (permalink / raw)
  To: Bjorn Andersson, Mathieu Poirier
  Cc: linux-remoteproc, linux-kernel, Mukesh Ojha

Add the missing SPDX-License-Identifier tag consistent with the
BSD-3-Clause license text already present in the file.

Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
---
 include/linux/remoteproc.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/linux/remoteproc.h b/include/linux/remoteproc.h
index e0e212328acf..6a8c694551c7 100644
--- a/include/linux/remoteproc.h
+++ b/include/linux/remoteproc.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
 /*
  * Remote Processor Framework
  *
-- 
2.53.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
  2026-06-11 18:05 [PATCH 1/3] remoteproc: fix coding style issues in remoteproc.h Mukesh Ojha
  2026-06-11 18:05 ` [PATCH 2/3] remoteproc: add SPDX-License-Identifier tag to remoteproc.h Mukesh Ojha
@ 2026-06-11 18:05 ` Mukesh Ojha
  2026-06-21  0:57   ` XIAO WU
  2026-06-30  7:50   ` Mukesh Ojha
  1 sibling, 2 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-11 18:05 UTC (permalink / raw)
  To: Bjorn Andersson, Mathieu Poirier
  Cc: linux-remoteproc, linux-kernel, Mukesh Ojha

Add the missing SPDX-License-Identifier tag consistent with the
BSD-3-Clause license text already present in the file.

Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
---
 include/linux/rsc_table.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/include/linux/rsc_table.h b/include/linux/rsc_table.h
index c6d6d553d8f1..b78c4760d83e 100644
--- a/include/linux/rsc_table.h
+++ b/include/linux/rsc_table.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
 /*
  * Resource table and its types data structure
  *
-- 
2.53.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
  2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
@ 2026-06-21  0:57   ` XIAO WU
  2026-06-22 18:27     ` Mukesh Ojha
  2026-06-30  7:50   ` Mukesh Ojha
  1 sibling, 1 reply; 7+ messages in thread
From: XIAO WU @ 2026-06-21  0:57 UTC (permalink / raw)
  To: Mukesh Ojha, Bjorn Andersson, Mathieu Poirier
  Cc: linux-remoteproc, linux-kernel

i Mukesh,

I came across a Sashiko AI code review [1] that flagged a pre-existing
integer signedness bug in `rsc_table_for_each_entry()` in
include/linux/rsc_table.h.  The `offset` variable is declared as `int`,
allowing a large unsigned offset value (e.g., 0xFFFFFFF0) to become
negative, bypass the `avail < 0` truncation check due to size_t
promotion, and read from before the resource table buffer.

I was able to reproduce this in QEMU with KASAN by crafting an ELF
firmware image with a malicious resource table offset.

On Wed, Jun 11, 2026 at 11:35:50PM +0530, Mukesh Ojha wrote:
 > remoteproc: fix coding style issues in remoteproc.h
...

The bug is in the `rsc_table_for_each_entry()` macro further down in
rsc_table.h:

```c
for (i = 0; i < table->num; i++) {
     int offset = table->offset[i];       // signed — attacker-controlled
     struct fw_rsc_hdr *hdr = (void *)table + offset;
     int avail = table_sz - offset - sizeof(*hdr);
     ...
     if (avail < 0) { ... }              // bypassed via size_t promotion
```

If `table->offset[i]` is 0xFFFFFFF0, `offset` becomes -16 (signed).
When `avail = table_sz - (-16) - sizeof(*hdr)` is computed, the
negative `offset` is promoted to a large unsigned size_t, making
`avail` overflow to a small positive value.  The `avail < 0` check
passes, and `hdr` points 16 bytes *before* the table buffer.

[Reproduction]

I compiled a fake ELF firmware with phnum=1 and a resource table whose
first offset entry is 0xFFFFFFF0.  Writing "boot" to the remoteproc
sysfs state file triggers the resource parsing path:

   state_store → rproc_boot → rproc_fw_boot → rproc_parse_fw
     → rproc_handle_resources → rsc_table_for_each_entry

[KASAN report — kernel 7.1.0-rc6+, CONFIG_KASAN=y]

   ==================================================================
   BUG: KASAN: slab-out-of-bounds in 
rproc_handle_resources.constprop.0+0x49b/0x510
   Read of size 4 at addr ffff888031283790 by task poc/9573

   The buggy address belongs to the object at ffff8880312837a0
    which belongs to the cache kmalloc-32 of size 32
   The buggy address is located 16 bytes to the left of
    allocated 20-byte region [ffff8880312837a0, ffff8880312837b4)

   Call Trace:
    <TASK>
    dump_stack_lvl+0x116/0x1f0
    print_report+0xcd/0x630
    kasan_report+0xe0/0x110
    rproc_handle_resources.constprop.0+0x49b/0x510
    rproc_boot+0x.../...
    state_store+0x.../...
    dev_attr_store+0x.../...
    sysfs_kf_write+0x.../...
    kernfs_fop_write_iter+0x.../...
    vfs_write+0x.../...
    ksys_write+0x.../...
    do_syscall_64+0xcd/0xf80
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

The crash reads 4 bytes (the hdr->type field) from 16 bytes before the
kmemdup'd resource table buffer.  The value read is 0xCCCCCCCC
(uninitialized kmalloc poison), confirming the negative offset bypassed
all bounds checks.

[1] 
https://sashiko.dev/#/patchset/20260611180550.2442641-3-mukesh.ojha%40oss.qualcomm.com
     (Sashiko AI code review — "Out-of-Bounds Access", Severity: Critical)

Thanks,
XIAOWU



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
  2026-06-21  0:57   ` XIAO WU
@ 2026-06-22 18:27     ` Mukesh Ojha
  2026-06-30  6:44       ` Mukesh Ojha
  0 siblings, 1 reply; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-22 18:27 UTC (permalink / raw)
  To: XIAO WU; +Cc: Bjorn Andersson, Mathieu Poirier, linux-remoteproc, linux-kernel

On Sun, Jun 21, 2026 at 08:57:44AM +0800, XIAO WU wrote:
> i Mukesh,
> 
> I came across a Sashiko AI code review [1] that flagged a pre-existing
> integer signedness bug in `rsc_table_for_each_entry()` in
> include/linux/rsc_table.h.  The `offset` variable is declared as `int`,
> allowing a large unsigned offset value (e.g., 0xFFFFFFF0) to become
> negative, bypass the `avail < 0` truncation check due to size_t
> promotion, and read from before the resource table buffer.
> 
> I was able to reproduce this in QEMU with KASAN by crafting an ELF
> firmware image with a malicious resource table offset.
> 
> On Wed, Jun 11, 2026 at 11:35:50PM +0530, Mukesh Ojha wrote:
> > remoteproc: fix coding style issues in remoteproc.h
> ...
> 
> The bug is in the `rsc_table_for_each_entry()` macro further down in
> rsc_table.h:
> 
> ```c
> for (i = 0; i < table->num; i++) {
>     int offset = table->offset[i];       // signed — attacker-controlled
>     struct fw_rsc_hdr *hdr = (void *)table + offset;
>     int avail = table_sz - offset - sizeof(*hdr);
>     ...
>     if (avail < 0) { ... }              // bypassed via size_t promotion
> ```
> 
> If `table->offset[i]` is 0xFFFFFFF0, `offset` becomes -16 (signed).
> When `avail = table_sz - (-16) - sizeof(*hdr)` is computed, the
> negative `offset` is promoted to a large unsigned size_t, making
> `avail` overflow to a small positive value.  The `avail < 0` check
> passes, and `hdr` points 16 bytes *before* the table buffer.
> 
> [Reproduction]
> 
> I compiled a fake ELF firmware with phnum=1 and a resource table whose
> first offset entry is 0xFFFFFFF0.  Writing "boot" to the remoteproc
> sysfs state file triggers the resource parsing path:
> 
>   state_store → rproc_boot → rproc_fw_boot → rproc_parse_fw
>     → rproc_handle_resources → rsc_table_for_each_entry
> 
> [KASAN report — kernel 7.1.0-rc6+, CONFIG_KASAN=y]
> 
>   ==================================================================
>   BUG: KASAN: slab-out-of-bounds in
> rproc_handle_resources.constprop.0+0x49b/0x510
>   Read of size 4 at addr ffff888031283790 by task poc/9573
> 
>   The buggy address belongs to the object at ffff8880312837a0
>    which belongs to the cache kmalloc-32 of size 32
>   The buggy address is located 16 bytes to the left of
>    allocated 20-byte region [ffff8880312837a0, ffff8880312837b4)
> 
>   Call Trace:
>    <TASK>
>    dump_stack_lvl+0x116/0x1f0
>    print_report+0xcd/0x630
>    kasan_report+0xe0/0x110
>    rproc_handle_resources.constprop.0+0x49b/0x510
>    rproc_boot+0x.../...
>    state_store+0x.../...
>    dev_attr_store+0x.../...
>    sysfs_kf_write+0x.../...
>    kernfs_fop_write_iter+0x.../...
>    vfs_write+0x.../...
>    ksys_write+0x.../...
>    do_syscall_64+0xcd/0xf80
>    entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
> The crash reads 4 bytes (the hdr->type field) from 16 bytes before the
> kmemdup'd resource table buffer.  The value read is 0xCCCCCCCC
> (uninitialized kmalloc poison), confirming the negative offset bypassed
> all bounds checks.
> 
> [1] https://sashiko.dev/#/patchset/20260611180550.2442641-3-mukesh.ojha%40oss.qualcomm.com
>     (Sashiko AI code review — "Out-of-Bounds Access", Severity: Critical)
> 

Let me check and get back on this.., this looks to be existing bug.
Thanks for reporting this.

-Mukesh
> 
> 

-- 
-Mukesh Ojha

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
  2026-06-22 18:27     ` Mukesh Ojha
@ 2026-06-30  6:44       ` Mukesh Ojha
  0 siblings, 0 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-30  6:44 UTC (permalink / raw)
  To: XIAO WU; +Cc: Bjorn Andersson, Mathieu Poirier, linux-remoteproc, linux-kernel

On Mon, Jun 22, 2026 at 11:57:44PM +0530, Mukesh Ojha wrote:
> On Sun, Jun 21, 2026 at 08:57:44AM +0800, XIAO WU wrote:
> > i Mukesh,
> > 
> > I came across a Sashiko AI code review [1] that flagged a pre-existing
> > integer signedness bug in `rsc_table_for_each_entry()` in
> > include/linux/rsc_table.h.  The `offset` variable is declared as `int`,
> > allowing a large unsigned offset value (e.g., 0xFFFFFFF0) to become
> > negative, bypass the `avail < 0` truncation check due to size_t
> > promotion, and read from before the resource table buffer.
> > 
> > I was able to reproduce this in QEMU with KASAN by crafting an ELF
> > firmware image with a malicious resource table offset.
> > 
> > On Wed, Jun 11, 2026 at 11:35:50PM +0530, Mukesh Ojha wrote:
> > > remoteproc: fix coding style issues in remoteproc.h
> > ...
> > 
> > The bug is in the `rsc_table_for_each_entry()` macro further down in
> > rsc_table.h:
> > 
> > ```c
> > for (i = 0; i < table->num; i++) {
> >     int offset = table->offset[i];       // signed — attacker-controlled
> >     struct fw_rsc_hdr *hdr = (void *)table + offset;
> >     int avail = table_sz - offset - sizeof(*hdr);
> >     ...
> >     if (avail < 0) { ... }              // bypassed via size_t promotion
> > ```
> > 
> > If `table->offset[i]` is 0xFFFFFFF0, `offset` becomes -16 (signed).
> > When `avail = table_sz - (-16) - sizeof(*hdr)` is computed, the
> > negative `offset` is promoted to a large unsigned size_t, making
> > `avail` overflow to a small positive value.  The `avail < 0` check
> > passes, and `hdr` points 16 bytes *before* the table buffer.
> > 
> > [Reproduction]
> > 
> > I compiled a fake ELF firmware with phnum=1 and a resource table whose
> > first offset entry is 0xFFFFFFF0.  Writing "boot" to the remoteproc
> > sysfs state file triggers the resource parsing path:
> > 
> >   state_store → rproc_boot → rproc_fw_boot → rproc_parse_fw
> >     → rproc_handle_resources → rsc_table_for_each_entry
> > 
> > [KASAN report — kernel 7.1.0-rc6+, CONFIG_KASAN=y]
> > 
> >   ==================================================================
> >   BUG: KASAN: slab-out-of-bounds in
> > rproc_handle_resources.constprop.0+0x49b/0x510
> >   Read of size 4 at addr ffff888031283790 by task poc/9573
> > 
> >   The buggy address belongs to the object at ffff8880312837a0
> >    which belongs to the cache kmalloc-32 of size 32
> >   The buggy address is located 16 bytes to the left of
> >    allocated 20-byte region [ffff8880312837a0, ffff8880312837b4)
> > 
> >   Call Trace:
> >    <TASK>
> >    dump_stack_lvl+0x116/0x1f0
> >    print_report+0xcd/0x630
> >    kasan_report+0xe0/0x110
> >    rproc_handle_resources.constprop.0+0x49b/0x510
> >    rproc_boot+0x.../...
> >    state_store+0x.../...
> >    dev_attr_store+0x.../...
> >    sysfs_kf_write+0x.../...
> >    kernfs_fop_write_iter+0x.../...
> >    vfs_write+0x.../...
> >    ksys_write+0x.../...
> >    do_syscall_64+0xcd/0xf80
> >    entry_SYSCALL_64_after_hwframe+0x77/0x7f
> > 
> > The crash reads 4 bytes (the hdr->type field) from 16 bytes before the
> > kmemdup'd resource table buffer.  The value read is 0xCCCCCCCC
> > (uninitialized kmalloc poison), confirming the negative offset bypassed
> > all bounds checks.
> > 
> > [1] https://sashiko.dev/#/patchset/20260611180550.2442641-3-mukesh.ojha%40oss.qualcomm.com
> >     (Sashiko AI code review — "Out-of-Bounds Access", Severity: Critical)
> > 
> 
> Let me check and get back on this.., this looks to be existing bug.
> Thanks for reporting this.

This should fix this existing issue

https://lore.kernel.org/lkml/20260629165033.1144530-1-mukesh.ojha@oss.qualcomm.com/


> 
> -Mukesh
> > 
> > 
> 
> -- 
> -Mukesh Ojha

-- 
-Mukesh Ojha

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
  2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
  2026-06-21  0:57   ` XIAO WU
@ 2026-06-30  7:50   ` Mukesh Ojha
  1 sibling, 0 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-30  7:50 UTC (permalink / raw)
  To: Bjorn Andersson, Mathieu Poirier; +Cc: linux-remoteproc, linux-kernel

On Thu, Jun 11, 2026 at 11:35:50PM +0530, Mukesh Ojha wrote:
> Add the missing SPDX-License-Identifier tag consistent with the
> BSD-3-Clause license text already present in the file.
> 
> Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
> ---
>  include/linux/rsc_table.h | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/include/linux/rsc_table.h b/include/linux/rsc_table.h
> index c6d6d553d8f1..b78c4760d83e 100644
> --- a/include/linux/rsc_table.h
> +++ b/include/linux/rsc_table.h
> @@ -1,3 +1,4 @@
> +/* SPDX-License-Identifier: BSD-3-Clause */
>  /*
>   * Resource table and its types data structure
>   *
> -- 
> 2.53.0
> 

Can this series be picked along with
https://lore.kernel.org/lkml/20260506050107.1985033-6-mukesh.ojha@oss.qualcomm.com/

as without the above change, the remoteproc mailing list and
maintainers are not being CCed for this file change.

e.g.,
https://lore.kernel.org/lkml/20260629165033.1144530-1-mukesh.ojha@oss.qualcomm.com/
-- 
-Mukesh Ojha

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2026-06-30  7:50 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-11 18:05 [PATCH 1/3] remoteproc: fix coding style issues in remoteproc.h Mukesh Ojha
2026-06-11 18:05 ` [PATCH 2/3] remoteproc: add SPDX-License-Identifier tag to remoteproc.h Mukesh Ojha
2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
2026-06-21  0:57   ` XIAO WU
2026-06-22 18:27     ` Mukesh Ojha
2026-06-30  6:44       ` Mukesh Ojha
2026-06-30  7:50   ` Mukesh Ojha

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox