Re: [PATCH v5 2/8] nvmem: core: Enforce stride and alignment checks for nvmem_device functions

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Gregor Herburger" <gregor.herburger@linutronix.de>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v5 2/8] nvmem: core: Enforce stride and alignment checks for nvmem_device functions
Date: Wed, 20 May 2026 16:08:11 +0000	[thread overview]
Message-ID: <20260520160811.99AB01F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260520-rpi-otp-driver-v5-2-b26e5908eeac@linutronix.de>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

New issues:
- [High] Unconditionally enforcing `word_size` alignment in `nvmem_device_read` breaks existing in-kernel consumers and backend drivers that safely support unaligned reads.
- [Medium] The `IS_ALIGNED` macro is incorrectly used with `nvmem->stride` and `nvmem->word_size`, which are not guaranteed to be powers of two.

Pre-existing issues:
- [High] Missing bounds checking in `nvmem_device_read` and `nvmem_device_write` against `nvmem->size` exposes the system to out-of-bounds memory accesses.
- [High] Backend drivers perform SLAB out-of-bounds reads when processing writes for bit-offset cells due to mismatched buffer sizes.
--

commit d59bc7c372de847ac014e9a361f8f7bf075ff75c
Author: Gregor Herburger <gregor.herburger@linutronix.de>

nvmem: core: Enforce stride and alignment checks for nvmem_device functions

This commit adds alignment checks for offset and bytes against stride and
word_size to the nvmem_device_read and nvmem_device_write functions.

> diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
> index 311cb2e5a5c02..6b313f63d07ef 100644
> --- a/drivers/nvmem/core.c
> +++ b/drivers/nvmem/core.c
> @@ -2068,6 +2068,12 @@ int nvmem_device_read(struct nvmem_device *nvmem,
>  	if (!nvmem)
>  		return -EINVAL;
>  
> +	if (!IS_ALIGNED(offset, nvmem->stride))
> +		return -EINVAL;
> +
> +	if (!IS_ALIGNED(bytes, nvmem->word_size))
> +		return -EINVAL;

[Severity: Medium]
Is the IS_ALIGNED() macro safe to use here? Looking at include/vdso/align.h,
IS_ALIGNED(x, a) is implemented using bitwise arithmetic:
(((x) & ((typeof(x))(a) - 1)) == 0)

This macro is mathematically valid only when the alignment is a power of two.
Since the nvmem subsystem doesn't enforce power-of-two constraints for stride
or word_size during registration, if a driver defines a non-power-of-two
value, wouldn't this macro evaluate incorrectly and reject valid alignments?

[Severity: High]
Could this unconditional word_size check break existing backend drivers that
safely support unaligned reads?

Historically, nvmem_device_read() permitted unaligned lengths, delegating the
read to the backend's reg_read function. Since the framework lacks separate
read and write constraints, many drivers specify a larger word_size to
enforce constraints strictly on writes, but gracefully handle arbitrary-sized
unaligned reads internally (e.g., using bounce buffers). 

Returning -EINVAL here might break legitimate read operations for dynamic
payload lengths.

>  	rc = nvmem_reg_read(nvmem, offset, buf, bytes);

[Severity: High]
This is a pre-existing issue, but does this function need bounds checking
against nvmem->size?

Currently, nvmem_device_read() passes the unchecked offset directly to backend
callbacks. If an in-kernel caller provides an out-of-bounds offset, many
hardware driver callbacks lack complete internal bounds checking, which might
lead to arbitrary out-of-bounds MMIO accesses or integer underflow issues.

[ ... ]

> @@ -2096,6 +2102,12 @@ int nvmem_device_write(struct nvmem_device *nvmem,
>  	if (!nvmem)
>  		return -EINVAL;
>  
> +	if (!IS_ALIGNED(offset, nvmem->stride))
> +		return -EINVAL;
> +
> +	if (!IS_ALIGNED(bytes, nvmem->word_size))
> +		return -EINVAL;
> +
>  	rc = nvmem_reg_write(nvmem, offset, buf, bytes);

[Severity: High]
This isn't a bug introduced by this patch, but is it possible for backend
drivers to perform SLAB out-of-bounds reads when processing writes for
bit-offset cells?

While this patch enforces word_size aligned lengths on direct nvmem writes,
__nvmem_cell_entry_write() bypasses these checks and calls nvmem_reg_write()
with a dynamically allocated buffer that is exactly cell->bytes long.

If a bit-offset cell spans 1 byte, but the backend driver assumes all
operations are word_size aligned (e.g., casting buf to a u32 pointer and
writing 4 bytes), could the backend perform a SLAB out-of-bounds read by
dereferencing 4 bytes from a 1-byte heap allocation?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260520-rpi-otp-driver-v5-0-b26e5908eeac@linutronix.de?part=2

next prev parent reply	other threads:[~2026-05-20 16:08 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-20 14:27 [PATCH v5 0/8] nvmem: Add Raspberry Pi OTP nvmem driver Gregor Herburger
2026-05-20 14:27 ` [PATCH v5 1/8] soc: bcm2835: Use IS_REACHABLE for function declaration Gregor Herburger
2026-05-20 14:40   ` sashiko-bot
2026-05-21 14:32   ` Thomas Weißschuh
2026-05-20 14:27 ` [PATCH v5 2/8] nvmem: core: Enforce stride and alignment checks for nvmem_device functions Gregor Herburger
2026-05-20 16:08   ` sashiko-bot [this message]
2026-05-21 14:32   ` Thomas Weißschuh
2026-05-20 14:27 ` [PATCH v5 3/8] dt-bindings: raspberrypi,bcm2835-firmware: Add bcm2712-firmware compatible Gregor Herburger
2026-05-20 14:27 ` [PATCH v5 4/8] nvmem: Add the Raspberry Pi OTP driver Gregor Herburger
2026-05-20 16:50   ` sashiko-bot
2026-05-21 14:34   ` Thomas Weißschuh
2026-05-20 14:27 ` [PATCH v5 5/8] firmware: raspberrypi: register nvmem driver Gregor Herburger
2026-05-20 17:20   ` sashiko-bot
2026-05-21 14:38   ` Thomas Weißschuh
2026-05-20 14:27 ` [PATCH v5 6/8] arm64: dts: broadcom: bcm2712: add raspberrypi,bcm2712-firmware compatible Gregor Herburger
2026-05-20 14:27 ` [PATCH v5 7/8] dt-bindings: raspberrypi,bcm2835-firmware: Drop unnecessary select Gregor Herburger
2026-05-21  7:11   ` Krzysztof Kozlowski
2026-05-20 14:28 ` [PATCH v5 8/8] arm64: defconfig: Enable the raspberrypi otp driver as module Gregor Herburger
2026-05-21  7:09   ` Krzysztof Kozlowski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260520160811.99AB01F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=gregor.herburger@linutronix.de \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.