Linux kernel and device drivers for NXP i.MX platforms
From: Dan Carpenter <error27@gmail.com>
To: Pankaj Gupta <pankaj.gupta@nxp.com>
Cc: imx@lists.linux.dev
Subject: [bug report] firmware: drivers: imx: adds miscdev
Date: Thu, 7 May 2026 09:59:56 +0300	[thread overview]
Message-ID: <afw4bE8pzcHA1Mzd@stanley.mountain> (raw)

Hello Pankaj Gupta,

Commit 4de71839142b ("firmware: drivers: imx: adds miscdev") from Jan
22, 2026 (linux-next), leads to the following Smatch static checker
warning:

	drivers/firmware/imx/se_ctrl.c:681 se_ioctl_setup_iobuf_handler()
	warn: integer overflow "io.length + 7"

drivers/firmware/imx/se_ctrl.c
    644 static int se_ioctl_setup_iobuf_handler(struct se_if_device_ctx *dev_ctx,
    645                                         void __user *uarg)
    646 {
    647         struct se_shared_mem *shared_mem = NULL;
    648         struct se_ioctl_setup_iobuf io = {0};
    649         int err = 0;
    650         u32 pos;
    651 
    652         if (copy_from_user(&io, uarg, sizeof(io))) {
    653                 dev_err(dev_ctx->priv->dev, "%s: Failed copy iobuf config from user.",
    654                         dev_ctx->devname);
    655                 return -EFAULT;
    656         }
    657 
    658         dev_dbg(dev_ctx->priv->dev, "%s: io [buf: %p(%d) flag: %x].", dev_ctx->devname,
    659                 io.user_buf, io.length, io.flags);
    660 
    661         if (io.length == 0 || !io.user_buf) {
    662                 /*
    663                  * Accept NULL pointers since some buffers are optional
    664                  * in FW commands. In this case we should return 0 as
    665                  * pointer to be embedded into the message.
    666                  * Skip all data copy part of code below.
    667                  */
    668                 io.ele_addr = 0;
    669                 goto copy;
    670         }
    671 
    672         /* No specific requirement for this buffer. */
    673         shared_mem = &dev_ctx->se_shared_mem_mgmt.non_secure_mem;
    674 
    675         /* Check there is enough space in the shared memory. */
    676         dev_dbg(dev_ctx->priv->dev, "%s: req_size = %d, max_size= %d, curr_pos = %d",
    677                 dev_ctx->devname, round_up(io.length, 8u), shared_mem->size,
    678                 shared_mem->pos);
    679 
    680         if (shared_mem->size < shared_mem->pos ||
--> 681             round_up(io.length, 8u) > (shared_mem->size - shared_mem->pos)) {

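If io.length is >= U32_MAX - 7 then round_up() is zero, so this "not enough space" test is false and the request is accepted even though io.length was never bounded by the remaining shared memory. Rejecting io.length values larger than shared_mem->size - shared_mem->pos before calling round_up() should avoid the wrap.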

    682                 dev_err(dev_ctx->priv->dev, "%s: Not enough space in shared memory.",
    683                         dev_ctx->devname);
    684                 return -ENOMEM;
    685         }
    686 
    687         /* Allocate space in shared memory. 8 bytes aligned. */
    688         pos = shared_mem->pos;
    689         shared_mem->pos += round_up(io.length, 8u);
    690         io.ele_addr = (u64)shared_mem->dma_addr + pos;
    691 
    692         memset(shared_mem->ptr + pos, 0, io.length);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
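And this memset() will crash, because it is passed the original io.length rather than the rounded value that was checked, while shared_mem->pos was advanced by zero.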

    693         if ((io.flags & SE_IO_BUF_FLAGS_IS_INPUT) ||
    694             (io.flags & SE_IO_BUF_FLAGS_IS_IN_OUT)) {
    695                 /*
    696                  * buffer is input:
    697                  * copy data from user space to this allocated buffer.
    698                  */
    699                 if (copy_from_user(shared_mem->ptr + pos, io.user_buf, io.length)) {
    700                         dev_err(dev_ctx->priv->dev,
    701                                 "%s: Failed copy data to shared memory.",
    702                                 dev_ctx->devname);
    703                         return -EFAULT;
    704                 }
    705         }
    706 
    707         err = add_b_desc_to_pending_list(shared_mem->ptr + pos, &io, dev_ctx);
    708         if (err < 0)
    709                 dev_err(dev_ctx->priv->dev, "%s: Failed to allocate/link b_desc.",
    710                         dev_ctx->devname);
    711 
    712 copy:
    713         /* Provide the EdgeLock Enclave address to user space only if success.*/
    714         if (copy_to_user(uarg, &io, sizeof(io))) {
    715                 dev_err(dev_ctx->priv->dev, "%s: Failed to copy iobuff setup to user.",
    716                         dev_ctx->devname);
    717                 err = -EFAULT;
    718         }
    719 
    720         return err;
    721 }

This email is a free service from the Smatch-CI project [smatch.sf.net].

regards,
dan carpenter
