From: sashiko-bot@kernel.org
To: "Gregor Herburger" <gregor.herburger@linutronix.de>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v5 2/8] nvmem: core: Enforce stride and alignment checks for nvmem_device functions
Date: Wed, 20 May 2026 16:08:11 +0000 [thread overview]
Message-ID: <20260520160811.99AB01F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260520-rpi-otp-driver-v5-2-b26e5908eeac@linutronix.de>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
New issues:
- [High] Unconditionally enforcing `word_size` alignment in `nvmem_device_read` breaks existing in-kernel consumers and backend drivers that safely support unaligned reads.
- [Medium] The `IS_ALIGNED` macro is incorrectly used with `nvmem->stride` and `nvmem->word_size`, which are not guaranteed to be powers of two.
Pre-existing issues:
- [High] Missing bounds checking in `nvmem_device_read` and `nvmem_device_write` against `nvmem->size` exposes the system to out-of-bounds memory accesses.
- [High] Backend drivers perform SLAB out-of-bounds reads when processing writes for bit-offset cells due to mismatched buffer sizes.
--
commit d59bc7c372de847ac014e9a361f8f7bf075ff75c
Author: Gregor Herburger <gregor.herburger@linutronix.de>
nvmem: core: Enforce stride and alignment checks for nvmem_device functions
This commit adds alignment checks for offset and bytes against stride and
word_size to the nvmem_device_read and nvmem_device_write functions.
> diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
> index 311cb2e5a5c02..6b313f63d07ef 100644
> --- a/drivers/nvmem/core.c
> +++ b/drivers/nvmem/core.c
> @@ -2068,6 +2068,12 @@ int nvmem_device_read(struct nvmem_device *nvmem,
> if (!nvmem)
> return -EINVAL;
>
> + if (!IS_ALIGNED(offset, nvmem->stride))
> + return -EINVAL;
> +
> + if (!IS_ALIGNED(bytes, nvmem->word_size))
> + return -EINVAL;
[Severity: Medium]
Is the IS_ALIGNED() macro safe to use here? Looking at include/vdso/align.h,
IS_ALIGNED(x, a) is implemented using bitwise arithmetic:
(((x) & ((typeof(x))(a) - 1)) == 0)
This macro is mathematically valid only when the alignment is a power of two.
Since the nvmem subsystem doesn't enforce power-of-two constraints for stride
or word_size during registration, if a driver defines a non-power-of-two
value, wouldn't this macro evaluate incorrectly and reject valid alignments?
[Severity: High]
Could this unconditional word_size check break existing backend drivers that
safely support unaligned reads?
Historically, nvmem_device_read() permitted unaligned lengths, delegating the
read to the backend's reg_read function. Since the framework lacks separate
read and write constraints, many drivers specify a larger word_size to
enforce constraints strictly on writes, but gracefully handle arbitrary-sized
unaligned reads internally (e.g., using bounce buffers).
Returning -EINVAL here might break legitimate read operations for dynamic
payload lengths.
> rc = nvmem_reg_read(nvmem, offset, buf, bytes);
[Severity: High]
This is a pre-existing issue, but does this function need bounds checking
against nvmem->size?
Currently, nvmem_device_read() passes the unchecked offset directly to backend
callbacks. If an in-kernel caller provides an out-of-bounds offset, many
hardware driver callbacks lack complete internal bounds checking, which might
lead to arbitrary out-of-bounds MMIO accesses or integer underflow issues.
[ ... ]
> @@ -2096,6 +2102,12 @@ int nvmem_device_write(struct nvmem_device *nvmem,
> if (!nvmem)
> return -EINVAL;
>
> + if (!IS_ALIGNED(offset, nvmem->stride))
> + return -EINVAL;
> +
> + if (!IS_ALIGNED(bytes, nvmem->word_size))
> + return -EINVAL;
> +
> rc = nvmem_reg_write(nvmem, offset, buf, bytes);
[Severity: High]
This isn't a bug introduced by this patch, but is it possible for backend
drivers to perform SLAB out-of-bounds reads when processing writes for
bit-offset cells?
While this patch enforces word_size aligned lengths on direct nvmem writes,
__nvmem_cell_entry_write() bypasses these checks and calls nvmem_reg_write()
with a dynamically allocated buffer that is exactly cell->bytes long.
If a bit-offset cell spans 1 byte, but the backend driver assumes all
operations are word_size aligned (e.g., casting buf to a u32 pointer and
writing 4 bytes), could the backend perform a SLAB out-of-bounds read by
dereferencing 4 bytes from a 1-byte heap allocation?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260520-rpi-otp-driver-v5-0-b26e5908eeac@linutronix.de?part=2
next prev parent reply other threads:[~2026-05-20 16:08 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 14:27 [PATCH v5 0/8] nvmem: Add Raspberry Pi OTP nvmem driver Gregor Herburger
2026-05-20 14:27 ` [PATCH v5 1/8] soc: bcm2835: Use IS_REACHABLE for function declaration Gregor Herburger
2026-05-20 14:40 ` sashiko-bot
2026-05-20 14:27 ` [PATCH v5 2/8] nvmem: core: Enforce stride and alignment checks for nvmem_device functions Gregor Herburger
2026-05-20 16:08 ` sashiko-bot [this message]
2026-05-20 14:27 ` [PATCH v5 3/8] dt-bindings: raspberrypi,bcm2835-firmware: Add bcm2712-firmware compatible Gregor Herburger
2026-05-20 14:27 ` [PATCH v5 4/8] nvmem: Add the Raspberry Pi OTP driver Gregor Herburger
2026-05-20 16:50 ` sashiko-bot
2026-05-20 14:27 ` [PATCH v5 5/8] firmware: raspberrypi: register nvmem driver Gregor Herburger
2026-05-20 17:20 ` sashiko-bot
2026-05-20 14:27 ` [PATCH v5 6/8] arm64: dts: broadcom: bcm2712: add raspberrypi,bcm2712-firmware compatible Gregor Herburger
2026-05-20 14:27 ` [PATCH v5 7/8] dt-bindings: raspberrypi,bcm2835-firmware: Drop unnecessary select Gregor Herburger
2026-05-20 14:28 ` [PATCH v5 8/8] arm64: defconfig: Enable the raspberrypi otp driver as module Gregor Herburger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260520160811.99AB01F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=gregor.herburger@linutronix.de \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox