Devicetree
From: sashiko-bot@kernel.org
To: "Loic Poulain" <loic.poulain@oss.qualcomm.com>
Cc: devicetree@vger.kernel.org, robh@kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v3 1/7] dt-bindings: mmc: Document support for nvmem-layout
Date: Tue, 09 Jun 2026 10:51:15 +0000
Message-ID: <20260609105115.DED0E1F00893@smtp.kernel.org>
In-Reply-To: <20260608-block-as-nvmem-v3-1-82681f50aa35@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Adding `nvmem-layout` as a child of a `fixed-partitions` node triggers a preexisting uninitialized memory bug and potential kernel panic in the block partition parser.
--

commit c354fbea36b7189e3294f56d353e1ba1075bff4d
Author: Loic Poulain <loic.poulain@oss.qualcomm.com>

dt-bindings: mmc: Document support for nvmem-layout

Add support for an nvmem-layout subnode under an eMMC hardware partition.
This allows the partition to be exposed as an NVMEM provider and its
internal layout to be described.

> diff --git a/Documentation/devicetree/bindings/mmc/mmc-card.yaml b/Documentation/devicetree/bindings/mmc/mmc-card.yaml
> index a61d6c96df759..ca907ad730959 100644
> --- a/Documentation/devicetree/bindings/mmc/mmc-card.yaml
> +++ b/Documentation/devicetree/bindings/mmc/mmc-card.yaml
> @@ -40,6 +40,9 @@ patternProperties:
>          contains:
>            const: fixed-partitions
>  
> +      nvmem-layout:
> +        $ref: /schemas/nvmem/layouts/nvmem-layout.yaml
> +
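
Review bot: The added `nvmem-layout:` entry carries only a `$ref` and no `description`, so the binding does not say when a node that sits next to the `fixed-partitions` compatible constraint (visible in the context lines) may also hold an NVMEM layout, or how that child relates to the partition children. Consider adding a short `description:` under `nvmem-layout:` and extending the binding's example with such a node so the schema check exercises the new property.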

[Severity: High]
This isn't a bug introduced by this patch, but does adding this node trigger
an uninitialized memory bug during block partition parsing?

When the block layer parses subpartitions, it iterates over all child nodes
of the fixed-partitions node. Since the nvmem-layout child node lacks a reg
property, the block partition parser encounters an issue here in
block/partitions/of.c:validate_of_partition():

	int len;

	const __be32 *reg = of_get_property(np, "reg", &len);
	int a_cells = of_n_addr_cells(np);
	int s_cells = of_n_size_cells(np);

	/* Make sure reg len match the expected addr and size cells */
	if (len / sizeof(*reg) != a_cells + s_cells)
		return -EINVAL;

	/* Validate offset conversion from bytes to sectors */
	offset = of_read_number(reg, a_cells);

Because of_get_property() returns NULL for nodes without a reg property,
len remains uninitialized stack garbage.

If the garbage value happens to satisfy the length check, it will call
of_read_number() with a NULL reg pointer, leading to a kernel panic.

Otherwise, it returns -EINVAL, causing of_partition() to abort and fail to
register any of the device tree partitions for the disk.

Should this block parser bug be addressed before or alongside encouraging
this topology in the device tree bindings?

[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260608-block-as-nvmem-v3-0-82681f50aa35@oss.qualcomm.com?part=1
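
The failure mode described in the review above, as an added userspace C example (not kernel code and not part of the original message). `struct node`, `get_reg()`, `validate_unchecked()`, `validate_checked()` and `WOULD_READ_NULL` are hypothetical names; the stale stack value is passed in as a parameter so the run is deterministic, and the hardened form is one possible check, not the kernel's fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a device tree node: reg == NULL models a child
 * such as nvmem-layout that has no "reg" property. */
struct node { const uint32_t *reg; int reg_len; int a_cells; int s_cells; };

/* Model of the lookup behaviour the review relies on: when the property is
 * absent it returns NULL and does not write *len. */
static const uint32_t *get_reg(const struct node *np, int *len)
{
	if (!np->reg)
		return NULL;
	*len = np->reg_len;
	return np->reg;
}

#define WOULD_READ_NULL 1	/* sentinel: the NULL reg read would be reached */

/* Shape of the quoted check. stale_len stands in for whatever the
 * uninitialized stack slot happens to hold. */
int validate_unchecked(const struct node *np, int stale_len)
{
	int len = stale_len;
	const uint32_t *reg = get_reg(np, &len);

	if (len / sizeof(*reg) != (size_t)(np->a_cells + np->s_cells))
		return -EINVAL;
	return reg ? 0 : WOULD_READ_NULL;
}

/* Hardened form (assumption): initialise len and reject a missing
 * property before len is compared against the cell counts. */
int validate_checked(const struct node *np)
{
	int len = 0;
	const uint32_t *reg = get_reg(np, &len);

	if (!reg || len / sizeof(*reg) != (size_t)(np->a_cells + np->s_cells))
		return -EINVAL;
	return 0;
}

int main(void)
{
	struct node layout = { NULL, 0, 2, 2 };	/* constructed: no reg */
	return validate_checked(&layout) == -EINVAL ? 0 : 1;
}
```

The hardened check still returns `-EINVAL` for a child without `reg`; whether the caller should skip such a child instead of aborting the whole partition scan is a separate decision.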
