* [PATCH 1/3] remoteproc: fix coding style issues in remoteproc.h
@ 2026-06-11 18:05 Mukesh Ojha
2026-06-11 18:05 ` [PATCH 2/3] remoteproc: add SPDX-License-Identifier tag to remoteproc.h Mukesh Ojha
2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
0 siblings, 2 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-11 18:05 UTC (permalink / raw)
To: Bjorn Andersson, Mathieu Poirier
Cc: linux-remoteproc, linux-kernel, Mukesh Ojha
The function pointer declarations for find_loaded_rsc_table() and
get_loaded_rsc_table() had their opening parenthesis at the end of
the line. Move the first argument onto the same line as the opening
parenthesis to fix the checkpatch warning.
Also remove a spurious blank line after the opening brace in
struct rproc_vdev.
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
---
include/linux/remoteproc.h | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/include/linux/remoteproc.h b/include/linux/remoteproc.h
index 7c1546d48008..e0e212328acf 100644
--- a/include/linux/remoteproc.h
+++ b/include/linux/remoteproc.h
@@ -127,10 +127,10 @@ struct rproc_ops {
int (*parse_fw)(struct rproc *rproc, const struct firmware *fw);
int (*handle_rsc)(struct rproc *rproc, u32 rsc_type, void *rsc,
int offset, int avail);
- struct resource_table *(*find_loaded_rsc_table)(
- struct rproc *rproc, const struct firmware *fw);
- struct resource_table *(*get_loaded_rsc_table)(
- struct rproc *rproc, size_t *size);
+ struct resource_table *(*find_loaded_rsc_table)(struct rproc *rproc,
+ const struct firmware *fw);
+ struct resource_table *(*get_loaded_rsc_table)(struct rproc *rproc,
+ size_t *size);
int (*load)(struct rproc *rproc, const struct firmware *fw);
int (*sanity_check)(struct rproc *rproc, const struct firmware *fw);
u64 (*get_boot_addr)(struct rproc *rproc, const struct firmware *fw);
@@ -375,7 +375,6 @@ struct rproc_vring {
* @index: vdev position versus other vdev declared in resource table
*/
struct rproc_vdev {
-
struct rproc_subdev subdev;
struct platform_device *pdev;
--
2.53.0
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 2/3] remoteproc: add SPDX-License-Identifier tag to remoteproc.h
2026-06-11 18:05 [PATCH 1/3] remoteproc: fix coding style issues in remoteproc.h Mukesh Ojha
@ 2026-06-11 18:05 ` Mukesh Ojha
2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
1 sibling, 0 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-11 18:05 UTC (permalink / raw)
To: Bjorn Andersson, Mathieu Poirier
Cc: linux-remoteproc, linux-kernel, Mukesh Ojha
Add the missing SPDX-License-Identifier tag consistent with the
BSD-3-Clause license text already present in the file.
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
---
include/linux/remoteproc.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/remoteproc.h b/include/linux/remoteproc.h
index e0e212328acf..6a8c694551c7 100644
--- a/include/linux/remoteproc.h
+++ b/include/linux/remoteproc.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
/*
* Remote Processor Framework
*
--
2.53.0
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
2026-06-11 18:05 [PATCH 1/3] remoteproc: fix coding style issues in remoteproc.h Mukesh Ojha
2026-06-11 18:05 ` [PATCH 2/3] remoteproc: add SPDX-License-Identifier tag to remoteproc.h Mukesh Ojha
@ 2026-06-11 18:05 ` Mukesh Ojha
2026-06-21 0:57 ` XIAO WU
2026-06-30 7:50 ` Mukesh Ojha
1 sibling, 2 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-11 18:05 UTC (permalink / raw)
To: Bjorn Andersson, Mathieu Poirier
Cc: linux-remoteproc, linux-kernel, Mukesh Ojha
Add the missing SPDX-License-Identifier tag consistent with the
BSD-3-Clause license text already present in the file.
Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
---
include/linux/rsc_table.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/rsc_table.h b/include/linux/rsc_table.h
index c6d6d553d8f1..b78c4760d83e 100644
--- a/include/linux/rsc_table.h
+++ b/include/linux/rsc_table.h
@@ -1,3 +1,4 @@
+/* SPDX-License-Identifier: BSD-3-Clause */
/*
* Resource table and its types data structure
*
--
2.53.0
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
@ 2026-06-21 0:57 ` XIAO WU
2026-06-22 18:27 ` Mukesh Ojha
2026-06-30 7:50 ` Mukesh Ojha
1 sibling, 1 reply; 7+ messages in thread
From: XIAO WU @ 2026-06-21 0:57 UTC (permalink / raw)
To: Mukesh Ojha, Bjorn Andersson, Mathieu Poirier
Cc: linux-remoteproc, linux-kernel
i Mukesh,
I came across a Sashiko AI code review [1] that flagged a pre-existing
integer signedness bug in `rsc_table_for_each_entry()` in
include/linux/rsc_table.h. The `offset` variable is declared as `int`,
allowing a large unsigned offset value (e.g., 0xFFFFFFF0) to become
negative, bypass the `avail < 0` truncation check due to size_t
promotion, and read from before the resource table buffer.
I was able to reproduce this in QEMU with KASAN by crafting an ELF
firmware image with a malicious resource table offset.
On Wed, Jun 11, 2026 at 11:35:50PM +0530, Mukesh Ojha wrote:
> remoteproc: fix coding style issues in remoteproc.h
...
The bug is in the `rsc_table_for_each_entry()` macro further down in
rsc_table.h:
```c
for (i = 0; i < table->num; i++) {
int offset = table->offset[i]; // signed — attacker-controlled
struct fw_rsc_hdr *hdr = (void *)table + offset;
int avail = table_sz - offset - sizeof(*hdr);
...
if (avail < 0) { ... } // bypassed via size_t promotion
```
If `table->offset[i]` is 0xFFFFFFF0, `offset` becomes -16 (signed).
When `avail = table_sz - (-16) - sizeof(*hdr)` is computed, the
negative `offset` is promoted to a large unsigned size_t, making
`avail` overflow to a small positive value. The `avail < 0` check
passes, and `hdr` points 16 bytes *before* the table buffer.
[Reproduction]
I compiled a fake ELF firmware with phnum=1 and a resource table whose
first offset entry is 0xFFFFFFF0. Writing "boot" to the remoteproc
sysfs state file triggers the resource parsing path:
state_store → rproc_boot → rproc_fw_boot → rproc_parse_fw
→ rproc_handle_resources → rsc_table_for_each_entry
[KASAN report — kernel 7.1.0-rc6+, CONFIG_KASAN=y]
==================================================================
BUG: KASAN: slab-out-of-bounds in
rproc_handle_resources.constprop.0+0x49b/0x510
Read of size 4 at addr ffff888031283790 by task poc/9573
The buggy address belongs to the object at ffff8880312837a0
which belongs to the cache kmalloc-32 of size 32
The buggy address is located 16 bytes to the left of
allocated 20-byte region [ffff8880312837a0, ffff8880312837b4)
Call Trace:
<TASK>
dump_stack_lvl+0x116/0x1f0
print_report+0xcd/0x630
kasan_report+0xe0/0x110
rproc_handle_resources.constprop.0+0x49b/0x510
rproc_boot+0x.../...
state_store+0x.../...
dev_attr_store+0x.../...
sysfs_kf_write+0x.../...
kernfs_fop_write_iter+0x.../...
vfs_write+0x.../...
ksys_write+0x.../...
do_syscall_64+0xcd/0xf80
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The crash reads 4 bytes (the hdr->type field) from 16 bytes before the
kmemdup'd resource table buffer. The value read is 0xCCCCCCCC
(uninitialized kmalloc poison), confirming the negative offset bypassed
all bounds checks.
[1]
https://sashiko.dev/#/patchset/20260611180550.2442641-3-mukesh.ojha%40oss.qualcomm.com
(Sashiko AI code review — "Out-of-Bounds Access", Severity: Critical)
Thanks,
XIAOWU
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
2026-06-21 0:57 ` XIAO WU
@ 2026-06-22 18:27 ` Mukesh Ojha
2026-06-30 6:44 ` Mukesh Ojha
0 siblings, 1 reply; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-22 18:27 UTC (permalink / raw)
To: XIAO WU; +Cc: Bjorn Andersson, Mathieu Poirier, linux-remoteproc, linux-kernel
On Sun, Jun 21, 2026 at 08:57:44AM +0800, XIAO WU wrote:
> i Mukesh,
>
> I came across a Sashiko AI code review [1] that flagged a pre-existing
> integer signedness bug in `rsc_table_for_each_entry()` in
> include/linux/rsc_table.h. The `offset` variable is declared as `int`,
> allowing a large unsigned offset value (e.g., 0xFFFFFFF0) to become
> negative, bypass the `avail < 0` truncation check due to size_t
> promotion, and read from before the resource table buffer.
>
> I was able to reproduce this in QEMU with KASAN by crafting an ELF
> firmware image with a malicious resource table offset.
>
> On Wed, Jun 11, 2026 at 11:35:50PM +0530, Mukesh Ojha wrote:
> > remoteproc: fix coding style issues in remoteproc.h
> ...
>
> The bug is in the `rsc_table_for_each_entry()` macro further down in
> rsc_table.h:
>
> ```c
> for (i = 0; i < table->num; i++) {
> int offset = table->offset[i]; // signed — attacker-controlled
> struct fw_rsc_hdr *hdr = (void *)table + offset;
> int avail = table_sz - offset - sizeof(*hdr);
> ...
> if (avail < 0) { ... } // bypassed via size_t promotion
> ```
>
> If `table->offset[i]` is 0xFFFFFFF0, `offset` becomes -16 (signed).
> When `avail = table_sz - (-16) - sizeof(*hdr)` is computed, the
> negative `offset` is promoted to a large unsigned size_t, making
> `avail` overflow to a small positive value. The `avail < 0` check
> passes, and `hdr` points 16 bytes *before* the table buffer.
>
> [Reproduction]
>
> I compiled a fake ELF firmware with phnum=1 and a resource table whose
> first offset entry is 0xFFFFFFF0. Writing "boot" to the remoteproc
> sysfs state file triggers the resource parsing path:
>
> state_store → rproc_boot → rproc_fw_boot → rproc_parse_fw
> → rproc_handle_resources → rsc_table_for_each_entry
>
> [KASAN report — kernel 7.1.0-rc6+, CONFIG_KASAN=y]
>
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in
> rproc_handle_resources.constprop.0+0x49b/0x510
> Read of size 4 at addr ffff888031283790 by task poc/9573
>
> The buggy address belongs to the object at ffff8880312837a0
> which belongs to the cache kmalloc-32 of size 32
> The buggy address is located 16 bytes to the left of
> allocated 20-byte region [ffff8880312837a0, ffff8880312837b4)
>
> Call Trace:
> <TASK>
> dump_stack_lvl+0x116/0x1f0
> print_report+0xcd/0x630
> kasan_report+0xe0/0x110
> rproc_handle_resources.constprop.0+0x49b/0x510
> rproc_boot+0x.../...
> state_store+0x.../...
> dev_attr_store+0x.../...
> sysfs_kf_write+0x.../...
> kernfs_fop_write_iter+0x.../...
> vfs_write+0x.../...
> ksys_write+0x.../...
> do_syscall_64+0xcd/0xf80
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> The crash reads 4 bytes (the hdr->type field) from 16 bytes before the
> kmemdup'd resource table buffer. The value read is 0xCCCCCCCC
> (uninitialized kmalloc poison), confirming the negative offset bypassed
> all bounds checks.
>
> [1] https://sashiko.dev/#/patchset/20260611180550.2442641-3-mukesh.ojha%40oss.qualcomm.com
> (Sashiko AI code review — "Out-of-Bounds Access", Severity: Critical)
>
Let me check and get back on this.., this looks to be existing bug.
Thanks for reporting this.
-Mukesh
>
>
--
-Mukesh Ojha
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
2026-06-22 18:27 ` Mukesh Ojha
@ 2026-06-30 6:44 ` Mukesh Ojha
0 siblings, 0 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-30 6:44 UTC (permalink / raw)
To: XIAO WU; +Cc: Bjorn Andersson, Mathieu Poirier, linux-remoteproc, linux-kernel
On Mon, Jun 22, 2026 at 11:57:44PM +0530, Mukesh Ojha wrote:
> On Sun, Jun 21, 2026 at 08:57:44AM +0800, XIAO WU wrote:
> > i Mukesh,
> >
> > I came across a Sashiko AI code review [1] that flagged a pre-existing
> > integer signedness bug in `rsc_table_for_each_entry()` in
> > include/linux/rsc_table.h. The `offset` variable is declared as `int`,
> > allowing a large unsigned offset value (e.g., 0xFFFFFFF0) to become
> > negative, bypass the `avail < 0` truncation check due to size_t
> > promotion, and read from before the resource table buffer.
> >
> > I was able to reproduce this in QEMU with KASAN by crafting an ELF
> > firmware image with a malicious resource table offset.
> >
> > On Wed, Jun 11, 2026 at 11:35:50PM +0530, Mukesh Ojha wrote:
> > > remoteproc: fix coding style issues in remoteproc.h
> > ...
> >
> > The bug is in the `rsc_table_for_each_entry()` macro further down in
> > rsc_table.h:
> >
> > ```c
> > for (i = 0; i < table->num; i++) {
> > int offset = table->offset[i]; // signed — attacker-controlled
> > struct fw_rsc_hdr *hdr = (void *)table + offset;
> > int avail = table_sz - offset - sizeof(*hdr);
> > ...
> > if (avail < 0) { ... } // bypassed via size_t promotion
> > ```
> >
> > If `table->offset[i]` is 0xFFFFFFF0, `offset` becomes -16 (signed).
> > When `avail = table_sz - (-16) - sizeof(*hdr)` is computed, the
> > negative `offset` is promoted to a large unsigned size_t, making
> > `avail` overflow to a small positive value. The `avail < 0` check
> > passes, and `hdr` points 16 bytes *before* the table buffer.
> >
> > [Reproduction]
> >
> > I compiled a fake ELF firmware with phnum=1 and a resource table whose
> > first offset entry is 0xFFFFFFF0. Writing "boot" to the remoteproc
> > sysfs state file triggers the resource parsing path:
> >
> > state_store → rproc_boot → rproc_fw_boot → rproc_parse_fw
> > → rproc_handle_resources → rsc_table_for_each_entry
> >
> > [KASAN report — kernel 7.1.0-rc6+, CONFIG_KASAN=y]
> >
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in
> > rproc_handle_resources.constprop.0+0x49b/0x510
> > Read of size 4 at addr ffff888031283790 by task poc/9573
> >
> > The buggy address belongs to the object at ffff8880312837a0
> > which belongs to the cache kmalloc-32 of size 32
> > The buggy address is located 16 bytes to the left of
> > allocated 20-byte region [ffff8880312837a0, ffff8880312837b4)
> >
> > Call Trace:
> > <TASK>
> > dump_stack_lvl+0x116/0x1f0
> > print_report+0xcd/0x630
> > kasan_report+0xe0/0x110
> > rproc_handle_resources.constprop.0+0x49b/0x510
> > rproc_boot+0x.../...
> > state_store+0x.../...
> > dev_attr_store+0x.../...
> > sysfs_kf_write+0x.../...
> > kernfs_fop_write_iter+0x.../...
> > vfs_write+0x.../...
> > ksys_write+0x.../...
> > do_syscall_64+0xcd/0xf80
> > entry_SYSCALL_64_after_hwframe+0x77/0x7f
> >
> > The crash reads 4 bytes (the hdr->type field) from 16 bytes before the
> > kmemdup'd resource table buffer. The value read is 0xCCCCCCCC
> > (uninitialized kmalloc poison), confirming the negative offset bypassed
> > all bounds checks.
> >
> > [1] https://sashiko.dev/#/patchset/20260611180550.2442641-3-mukesh.ojha%40oss.qualcomm.com
> > (Sashiko AI code review — "Out-of-Bounds Access", Severity: Critical)
> >
>
> Let me check and get back on this.., this looks to be existing bug.
> Thanks for reporting this.
This should fix this existing issue
https://lore.kernel.org/lkml/20260629165033.1144530-1-mukesh.ojha@oss.qualcomm.com/
>
> -Mukesh
> >
> >
>
> --
> -Mukesh Ojha
--
-Mukesh Ojha
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h
2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
2026-06-21 0:57 ` XIAO WU
@ 2026-06-30 7:50 ` Mukesh Ojha
1 sibling, 0 replies; 7+ messages in thread
From: Mukesh Ojha @ 2026-06-30 7:50 UTC (permalink / raw)
To: Bjorn Andersson, Mathieu Poirier; +Cc: linux-remoteproc, linux-kernel
On Thu, Jun 11, 2026 at 11:35:50PM +0530, Mukesh Ojha wrote:
> Add the missing SPDX-License-Identifier tag consistent with the
> BSD-3-Clause license text already present in the file.
>
> Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
> ---
> include/linux/rsc_table.h | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/include/linux/rsc_table.h b/include/linux/rsc_table.h
> index c6d6d553d8f1..b78c4760d83e 100644
> --- a/include/linux/rsc_table.h
> +++ b/include/linux/rsc_table.h
> @@ -1,3 +1,4 @@
> +/* SPDX-License-Identifier: BSD-3-Clause */
> /*
> * Resource table and its types data structure
> *
> --
> 2.53.0
>
Can this series be picked along with
https://lore.kernel.org/lkml/20260506050107.1985033-6-mukesh.ojha@oss.qualcomm.com/
as without the above change, the remoteproc mailing list and
maintainers are not being CCed for this file change.
e.g.,
https://lore.kernel.org/lkml/20260629165033.1144530-1-mukesh.ojha@oss.qualcomm.com/
--
-Mukesh Ojha
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2026-06-30 7:50 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-11 18:05 [PATCH 1/3] remoteproc: fix coding style issues in remoteproc.h Mukesh Ojha
2026-06-11 18:05 ` [PATCH 2/3] remoteproc: add SPDX-License-Identifier tag to remoteproc.h Mukesh Ojha
2026-06-11 18:05 ` [PATCH 3/3] remoteproc: add SPDX-License-Identifier tag to rsc_table.h Mukesh Ojha
2026-06-21 0:57 ` XIAO WU
2026-06-22 18:27 ` Mukesh Ojha
2026-06-30 6:44 ` Mukesh Ojha
2026-06-30 7:50 ` Mukesh Ojha
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox