Re: [PATCH v3 3/5] remoteproc: mark wc-ioremap carveouts as iomem

Linux kernel and device drivers for NXP i.MX platforms
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Ben Levinsky" <ben.levinsky@amd.com>
Cc: Frank.Li@kernel.org, imx@lists.linux.dev,
	wsa+renesas@sang-engineering.com
Subject: Re: [PATCH v3 3/5] remoteproc: mark wc-ioremap carveouts as iomem
Date: Fri, 29 May 2026 04:16:00 +0000	[thread overview]
Message-ID: <20260529041600.D5A891F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260529021637.2077602-4-ben.levinsky@amd.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:

Pre-existing issues:
- [Critical] An integer overflow in `rproc_da_to_va()` allows a bounds-check bypass, leading to potential out-of-bounds reads and writes.
- [High] The `rproc->crash_handler` work item is not properly cancelled during remoteproc teardown, leading to a Use-After-Free if a crash is reported concurrently with device removal.
- [High] The debugfs interfaces for carveout memories and resource tables lack proper locking, allowing them to race with device shutdown and access freed memory.
--

commit b14fc453ddda30168961d2bedbde273d3521e254
Author: Ben Levinsky <ben.levinsky@amd.com>

remoteproc: mark wc-ioremap carveouts as iomem

Carveouts registered through the shared wc-ioremap helper are backed by
I/O memory, but rproc_da_to_va() only reports that to its callers when
mem->is_iomem is set on the carveout. This patch marks shared wc-ioremap
carveouts as iomem so the framework uses the proper I/O memory accessors.

> diff --git a/drivers/remoteproc/remoteproc_internal.h b/drivers/remoteproc/remoteproc_internal.h
> index 46080c1c030e8..9afda697271de 100644
> --- a/drivers/remoteproc/remoteproc_internal.h
> +++ b/drivers/remoteproc/remoteproc_internal.h
> @@ -136,6 +136,7 @@ static inline int rproc_mem_entry_ioremap_wc(struct rproc *rproc,
>  	}
>  
>  	mem->va = (__force void *)va;
> +	mem->is_iomem = true;
>  
>  	return 0;
>  }

While reviewing this, I noticed a few pre-existing issues in the remoteproc
core.

drivers/remoteproc/remoteproc_core.c:rproc_alloc() {
...
	INIT_WORK(&rproc->crash_handler, rproc_crash_handler_work);
...
}

[Severity: High]
This is a pre-existing issue, but is there a missing cancellation for the
crash_handler work item during teardown?

During device removal, rproc_del() and rproc_free() are called, ultimately
triggering rproc_type_release() to free the rproc object via kfree(rproc).

The framework does not appear to call cancel_work_sync(&rproc->crash_handler)
during this teardown sequence.

If a hardware interrupt reports a crash right before or during device
unbinding, could the pending work item execute rproc_crash_handler_work()
after the rproc struct has been freed, resulting in a use-after-free?

drivers/remoteproc/remoteproc_debugfs.c:rproc_carveouts_show() {
	struct rproc *rproc = seq->private;
	struct rproc_mem_entry *carveout;

	list_for_each_entry(carveout, &rproc->carveouts, node) {
		seq_puts(seq, "Carveout memory entry:\n");
...
}

[Severity: High]
This isn't a bug introduced by this patch, but does this list traversal lack
proper locking?

The rproc_carveouts_show() function traverses the rproc->carveouts list
without holding rproc->lock or using RCU primitives.

Concurrently, rproc_shutdown() can be triggered (e.g., via a sysfs write
to the state file), which executes rproc_resource_cleanup(). This removes
entries from the rproc->carveouts list and calls kfree() on them.

If a user reads the debugfs file while a shutdown is in progress, could the
concurrent list mutation cause the debugfs read to dereference a freed
pointer, leading to a use-after-free?

drivers/remoteproc/remoteproc_core.c:rproc_da_to_va() {
...
	list_for_each_entry(carveout, &rproc->carveouts, node) {
		int offset = da - carveout->da;
...
		/* try next carveout if da is too large */
		if (offset + len > carveout->len)
			continue;
...
}

[Severity: Critical]
This is a pre-existing issue, but does this bounds check protect against
integer overflow?

Since offset is an int and len is a size_t, could an extremely large len
(e.g., SIZE_MAX) provided by malformed firmware cause offset + len to
overflow the size_t type and wrap around to a small value?

This could cause the bounds check to evaluate to false, bypassing the
protection and returning a valid pointer inside the carveout.

When rproc_elf_load_segments() uses this returned pointer, could it execute
memcpy() or memset() with massively overflowed lengths, resulting in an
out-of-bounds write?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260529021637.2077602-1-ben.levinsky@amd.com?part=3

next prev parent reply	other threads:[~2026-05-29  4:16 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-29  2:16 [PATCH v3 0/5] remoteproc: cleanup shared carveout and resource-table helpers Ben Levinsky
2026-05-29  2:16 ` [PATCH v3 1/5] remoteproc: add common wc-ioremap carveout callbacks Ben Levinsky
2026-05-29  2:51   ` sashiko-bot
2026-05-29  2:16 ` [PATCH v3 2/5] remoteproc: switch exact-match drivers to wc-ioremap callbacks Ben Levinsky
2026-05-29  3:34   ` sashiko-bot
2026-05-29  2:16 ` [PATCH v3 3/5] remoteproc: mark wc-ioremap carveouts as iomem Ben Levinsky
2026-05-29  4:16   ` sashiko-bot [this message]
2026-05-29  2:16 ` [PATCH v3 4/5] remoteproc: add helper for optional ELF resource tables Ben Levinsky
2026-05-29  4:31   ` sashiko-bot
2026-05-29  2:16 ` [PATCH v3 5/5] remoteproc: switch drivers to optional resource-table helper Ben Levinsky
2026-05-29  4:42   ` sashiko-bot
2026-05-29  8:42 ` [PATCH v3 0/5] remoteproc: cleanup shared carveout and resource-table helpers Wolfram Sang
2026-06-01 14:42 ` Mathieu Poirier
2026-06-06  3:43   ` Peng Fan
2026-06-07 14:57   ` Wolfram Sang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260529041600.D5A891F00893@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=Frank.Li@kernel.org \
    --cc=ben.levinsky@amd.com \
    --cc=imx@lists.linux.dev \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=wsa+renesas@sang-engineering.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox