From: Dan Carpenter <error27@gmail.com>
To: Pankaj Gupta <pankaj.gupta@nxp.com>
Cc: imx@lists.linux.dev
Subject: [bug report] firmware: drivers: imx: adds miscdev
Date: Thu, 7 May 2026 10:07:00 +0300
Message-ID: <afw6FIcFDCUEv53L@stanley.mountain>

Hello Pankaj Gupta,

Commit 4de71839142b ("firmware: drivers: imx: adds miscdev") from Jan
22, 2026 (linux-next), leads to the following Smatch static checker
warning:

    drivers/firmware/imx/se_ctrl.c:826 se_if_fops_read()
    warn: userbuf overflow? is 'priv->cmd_receiver_clbk_hdl.rx_msg_sz' <= 'size'

drivers/firmware/imx/se_ctrl.c
    789 static ssize_t se_if_fops_read(struct file *fp, char __user *buf, size_t size,
                                                                          ^^^^^^^^^^^

This function copies memory to the user but it doesn't take into
consideration this size variable which is the size of the buffer
in user space.

    790                                loff_t *ppos)
    791 {
    792         struct se_if_device_ctx *dev_ctx = fp->private_data;
    793         struct se_if_priv *priv = dev_ctx->priv;
    794         int err;
    795
    796         dev_dbg(priv->dev, "%s: read to buf %p(%zu), ppos=%lld.", dev_ctx->devname,
    797                 buf, size, ((ppos) ? *ppos : 0));
    798
    799         scoped_cond_guard(mutex_intr, return -EBUSY, &dev_ctx->fops_lock) {
    800                 if (dev_ctx != priv->cmd_receiver_clbk_hdl.dev_ctx) {
    801                         err = -EINVAL;
    802                         goto exit;
    803                 }
    804
    805                 err = ele_msg_rcv(dev_ctx, &priv->cmd_receiver_clbk_hdl);
    806                 if (err < 0) {
    807                         dev_err(priv->dev,
    808                                 "%s: Er[0x%x]: Signal Interrupted. Current act-dev-ctx count: %d.",
    809                                 dev_ctx->devname, err, dev_ctx->priv->active_devctx_count);
    810                         goto exit;
    811                 }
    812
    813                 /* We may need to copy the output data to user before
    814                  * delivering the completion message.
    815                  */
    816                 err = se_dev_ctx_cpy_out_data(dev_ctx);
    817                 if (err < 0)
    818                         goto exit;
    819
    820                 /* Copy data from the buffer */
    821                 print_hex_dump_debug("to user ", DUMP_PREFIX_OFFSET, 4, 4,
    822                                      priv->cmd_receiver_clbk_hdl.rx_msg,
    823                                      priv->cmd_receiver_clbk_hdl.rx_msg_sz,
    824                                      false);
    825
--> 826                 if (copy_to_user(buf, priv->cmd_receiver_clbk_hdl.rx_msg,
    827                                  priv->cmd_receiver_clbk_hdl.rx_msg_sz)) {
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

We should only copy size bytes at most.

    828                         dev_err(priv->dev, "%s: Failed to copy to user.",
    829                                 dev_ctx->devname);

Don't print an error message if copy_to/from_user fails. Returning
-EFAULT and crashing the program is communication enough. No need
to fill /var/log/messages with spam.

    830                         err = -EFAULT;
    831                 } else {
    832                         err = priv->cmd_receiver_clbk_hdl.rx_msg_sz;
    833                 }
    834 exit:
    835                 priv->cmd_receiver_clbk_hdl.rx_msg_sz = 0;
    836
    837                 se_dev_ctx_shared_mem_cleanup(dev_ctx);
    838
    839                 return err;
    840         }
    841 }

This email is a free service from the Smatch-CI project [smatch.sf.net].
regards,
dan carpenter
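
Added example, not part of the original message and not the driver's code: a user-space C model of the pattern the report describes, in which read_unchecked() copies rx_msg_sz bytes regardless of size and read_bounded() copies at most size bytes. struct rx_handle, model_copy_to_user(), the 64/40/16-byte sizes and the canary arena are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for priv->cmd_receiver_clbk_hdl (layout is assumed). */
struct rx_handle { unsigned char rx_msg[64]; size_t rx_msg_sz; };

/* User-space model of copy_to_user(): returns bytes NOT copied (always 0 here). */
static unsigned long model_copy_to_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* Pattern the report flags: length comes from the message, 'size' is ignored. */
ssize_t read_unchecked(struct rx_handle *h, unsigned char *buf, size_t size)
{
    size_t len = h->rx_msg_sz;
    (void)size;
    return model_copy_to_user(buf, h->rx_msg, len) ? -EFAULT : (ssize_t)len;
}

/* Bounded form: copy at most 'size' bytes, return the count actually copied. */
ssize_t read_bounded(struct rx_handle *h, unsigned char *buf, size_t size)
{
    size_t len = h->rx_msg_sz < size ? h->rx_msg_sz : size;
    return model_copy_to_user(buf, h->rx_msg, len) ? -EFAULT : (ssize_t)len;
}

/* 16-byte "user buffer" in a canary arena; returns canary bytes overwritten. */
size_t demo(int bounded, ssize_t *ret)
{
    struct rx_handle h = { .rx_msg_sz = 40 };   /* 40-byte pending message */
    unsigned char arena[64];
    size_t i, clobbered = 0;
    memset(h.rx_msg, 0x11, sizeof(h.rx_msg));
    memset(arena, 0xA5, sizeof(arena));
    *ret = bounded ? read_bounded(&h, arena, 16) : read_unchecked(&h, arena, 16);
    for (i = 16; i < sizeof(arena); i++)
        clobbered += (arena[i] != 0xA5);
    return clobbered;
}

int main(void)
{
    ssize_t r1, r2;
    size_t n1 = demo(0, &r1), n2 = demo(1, &r2);
    printf("unchecked ret=%zd over=%zu; bounded ret=%zd over=%zu\n", r1, n1, r2, n2);
}
```

The model truncates a message that does not fit; a handler could instead reject a too-small buffer with an error, which also keeps the copy within size.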