From: Dan Carpenter <error27@gmail.com>
To: Pankaj Gupta <pankaj.gupta@nxp.com>
Cc: imx@lists.linux.dev
Subject: [bug report] firmware: drivers: imx: adds miscdev
Date: Thu, 7 May 2026 10:07:00 +0300
Message-ID: <afw6FIcFDCUEv53L@stanley.mountain>

Hello Pankaj Gupta,

Commit 4de71839142b ("firmware: drivers: imx: adds miscdev") from Jan
22, 2026 (linux-next), leads to the following Smatch static checker
warning:

	drivers/firmware/imx/se_ctrl.c:826 se_if_fops_read()
	warn: userbuf overflow? is 'priv->cmd_receiver_clbk_hdl.rx_msg_sz' <= 'size'

drivers/firmware/imx/se_ctrl.c
    789 static ssize_t se_if_fops_read(struct file *fp, char __user *buf, size_t size,
                                                                          ^^^^^^^^^^^
This function copies memory to the user but it doesn't take into
consideration this size variable which is the size of the buffer
in user space.

    790                                loff_t *ppos)
    791 {
    792         struct se_if_device_ctx *dev_ctx = fp->private_data;
    793         struct se_if_priv *priv = dev_ctx->priv;
    794         int err;
    795
    796         dev_dbg(priv->dev, "%s: read to buf %p(%zu), ppos=%lld.", dev_ctx->devname,
    797                 buf, size, ((ppos) ? *ppos : 0));
    798
    799         scoped_cond_guard(mutex_intr, return -EBUSY, &dev_ctx->fops_lock) {
    800                 if (dev_ctx != priv->cmd_receiver_clbk_hdl.dev_ctx) {
    801                         err = -EINVAL;
    802                         goto exit;
    803                 }
    804
    805                 err = ele_msg_rcv(dev_ctx, &priv->cmd_receiver_clbk_hdl);
    806                 if (err < 0) {
    807                         dev_err(priv->dev,
    808                                 "%s: Er[0x%x]: Signal Interrupted. Current act-dev-ctx count: %d.",
    809                                 dev_ctx->devname, err, dev_ctx->priv->active_devctx_count);
    810                         goto exit;
    811                 }
    812
    813                 /* We may need to copy the output data to user before
    814                  * delivering the completion message.
    815                  */
    816                 err = se_dev_ctx_cpy_out_data(dev_ctx);
    817                 if (err < 0)
    818                         goto exit;
    819
    820                 /* Copy data from the buffer */
    821                 print_hex_dump_debug("to user ", DUMP_PREFIX_OFFSET, 4, 4,
    822                                      priv->cmd_receiver_clbk_hdl.rx_msg,
    823                                      priv->cmd_receiver_clbk_hdl.rx_msg_sz,
    824                                      false);
    825
--> 826                 if (copy_to_user(buf, priv->cmd_receiver_clbk_hdl.rx_msg,
    827                                  priv->cmd_receiver_clbk_hdl.rx_msg_sz)) {
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We should only copy size bytes at most.

    828                         dev_err(priv->dev, "%s: Failed to copy to user.",
    829                                 dev_ctx->devname);

Don't print an error message if copy_to/from_user fails. Returning
-EFAULT and crashing the program is communication enough. No need
to fill /var/log/messages with spam.

    830                         err = -EFAULT;
    831                 } else {
    832                         err = priv->cmd_receiver_clbk_hdl.rx_msg_sz;
    833                 }
    834 exit:
    835                 priv->cmd_receiver_clbk_hdl.rx_msg_sz = 0;
    836
    837                 se_dev_ctx_shared_mem_cleanup(dev_ctx);
    838
    839                 return err;
    840         }
    841 }

This email is a free service from the Smatch-CI project [smatch.sf.net].
regards,
dan carpenter
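
Added example, not part of the original mail and not the driver's code: a userspace C model of a read handler that caps the copy at the caller's `size`, the bound the report says is missing at line 826. `struct rx_state`, `model_copy_to_user()`, `bounded_read()` and `demo()` are hypothetical names, and the sample buffers are constructed; the real driver uses `copy_to_user()` and its own structures.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for the driver's receive state (names are assumptions). */
struct rx_state {
	unsigned char rx_msg[64];
	size_t rx_msg_sz;
};

/* Userspace model of copy_to_user(): returns the number of bytes NOT copied. */
static unsigned long model_copy_to_user(void *to, const void *from, size_t n)
{
	if (!to)
		return n;	/* models a faulting user pointer */
	memcpy(to, from, n);
	return 0;
}

/* Read handler shape that honours the size of the caller's buffer. */
ssize_t bounded_read(struct rx_state *st, void *buf, size_t size)
{
	size_t n = st->rx_msg_sz;
	ssize_t ret;

	if (n > size)
		n = size;	/* copy size bytes at most */

	if (model_copy_to_user(buf, st->rx_msg, n))
		ret = -EFAULT;	/* no log message, the errno is enough */
	else
		ret = (ssize_t)n;

	st->rx_msg_sz = 0;	/* message is consumed either way, as in the listing */
	return ret;
}

/* Constructed check: an 8-byte "user" buffer followed by a canary. */
int demo(size_t msg_sz, size_t user_size)
{
	struct { unsigned char buf[8]; unsigned char canary[8]; } u;
	struct rx_state st = { .rx_msg_sz = msg_sz };
	ssize_t r;

	memset(&u, 0xAA, sizeof(u));
	memset(st.rx_msg, 0x11, sizeof(st.rx_msg));
	r = bounded_read(&st, u.buf, user_size);
	return (u.canary[0] == 0xAA && st.rx_msg_sz == 0) ? (int)r : -1000;
}
```

A message-oriented interface may instead return an error when `size` is smaller than the pending message rather than truncating it; the report does not say which policy the driver should adopt.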