From: Andrew Jeffery <andrew@codeconstruct.com.au>
To: Karthikeyan KS <karthiproffesional@gmail.com>
Cc: joel@jms.id.au, andrew@aj.id.au, Kees Cook <kees@kernel.org>,
linux-arm-kernel@lists.infradead.org,
linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH v6] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read
Date: Tue, 16 Jun 2026 09:50:54 +0930 [thread overview]
Message-ID: <133a2533be758b1e95bb0365a90d5907c7b09ddc.camel@codeconstruct.com.au> (raw)
In-Reply-To: <20260612190744.172638-1-karthiproffesional@gmail.com>
On Fri, 2026-06-12 at 19:07 +0000, Karthikeyan KS wrote:
> put_fifo_with_discard() acts as both producer and consumer on the kfifo:
> it calls kfifo_skip() (advances out) and kfifo_put() (advances in) from
> the IRQ handler without synchronizing with snoop_file_read(), which also
> consumes via kfifo_to_user(). On SMP systems this concurrent access can
> leave (in - out) larger than the ring buffer, so __kfifo_to_user()'s clamp
> to (in - out) is ineffective and kfifo_copy_to_user() can attempt a
> copy_to_user() past the kmalloc-2k backing store:
>
> usercopy: Kernel memory exposure attempt detected from SLUB object
> 'kmalloc-2k' (offset 0, size 2049)!
> kernel BUG at mm/usercopy.c!
> Call trace:
> usercopy_abort
> __check_heap_object
> __check_object_size
> kfifo_copy_to_user
> __kfifo_to_user
> snoop_file_read
> vfs_read
>
> Serialize kfifo access with a per-channel spinlock shared between the
> IRQ handler (producer) and the file reader (consumer). Annotate @fifo
> with __guarded_by(&lock) and opt the driver into context analysis so the
> compiler enforces that all fifo access holds the lock.
>
> Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
> Signed-off-by: Karthikeyan KS <karthiproffesional@gmail.com>
> ---
> drivers/soc/aspeed/Makefile | 1 +
> drivers/soc/aspeed/aspeed-lpc-snoop.c | 38 ++++++++++++++++++---------
> 2 files changed, 27 insertions(+), 12 deletions(-)
>
> Andrew,
>
> Thanks for the review.
>
> Changes since v5:
> - Annotate @fifo with __guarded_by(&lock) instead of a comment
> - Move kfifo_initialized() check inside scoped_guard(spinlock, &chan->lock)
> in put_fifo_with_discard()
> - Replace spin_lock_init() with scoped_guard(spinlock_init, &channel->lock)
> around kfifo_alloc() in aspeed_lpc_enable_snoop()
> - Enable CONTEXT_ANALYSIS for this driver in drivers/soc/aspeed/Makefile
>
> Dropped Cc: stable — the fix uses cleanup.h/context-analysis idioms absent
> from LTS; I'll send adapted backports to stable@ once this is in mainline.
>
> Tested on ast2600-evb (QEMU):
>
Can you describe the specific steps you used to test this under qemu?
I'm interested in reproducing your efforts here.
Andrew
next prev parent reply other threads:[~2026-06-16 0:20 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-23 19:00 [PATCH] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read karthikeyan K S
2026-05-18 11:14 ` Andrew Jeffery
2026-05-23 17:35 ` [PATCH v2] " Karthikeyan KS
2026-05-27 3:53 ` Andrew Jeffery
2026-05-27 17:59 ` [PATCH v3] " Karthikeyan KS
2026-05-28 2:39 ` Andrew Jeffery
2026-06-01 12:52 ` [PATCH v4] " Karthikeyan KS
2026-06-10 2:26 ` Andrew Jeffery
2026-06-10 17:23 ` [PATCH v5] " Karthikeyan KS
2026-06-11 2:50 ` Andrew Jeffery
2026-06-11 17:31 ` karthikeyan K S
2026-06-12 0:39 ` Andrew Jeffery
2026-06-11 18:08 ` Karthikeyan KS
2026-06-12 19:07 ` [PATCH v6] " Karthikeyan KS
2026-06-16 0:20 ` Andrew Jeffery [this message]
2026-06-16 7:30 ` Karthikeyan KS
2026-06-17 0:44 ` Andrew Jeffery
2026-06-17 13:10 ` Karthikeyan KS
2026-06-18 0:44 ` Andrew Jeffery
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=133a2533be758b1e95bb0365a90d5907c7b09ddc.camel@codeconstruct.com.au \
--to=andrew@codeconstruct.com.au \
--cc=andrew@aj.id.au \
--cc=joel@jms.id.au \
--cc=karthiproffesional@gmail.com \
--cc=kees@kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-aspeed@lists.ozlabs.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox