From: sashiko-bot@kernel.org
To: "Yu-Che Hsieh via B4 Relay" <devnull+yc_hsieh.aspeedtech.com@kernel.org>
Cc: robh@kernel.org, devicetree@vger.kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH 4/4] ipmi: bt-bmc: Read LPC address and SerIRQ from device tree
Date: Mon, 29 Jun 2026 07:16:52 +0000 [thread overview]
Message-ID: <20260629071702.5B7431F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629-aspeed-bt-bmc-multichannel-v1-4-fc23ee337f7a@aspeedtech.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-After-Free of `bt_bmc` structure on driver unbind due to `devm` lifetime mismatch.
- [High] Integer underflow in `bt_bmc_read` when `count` is 0 leads to copying up to 256 bytes of kernel buffer into user space, potentially corrupting user memory.
--
commit 8f320638f39284e640c5ee9882a67005b5620ea1
Author: Yu-Che Hsieh <yc_hsieh@aspeedtech.com>
ipmi: bt-bmc: Read LPC address and SerIRQ from device tree
This commit updates the driver to allow the host interface parameters, such
as the LPC IO address and SerIRQ number, to be described by firmware via the
device tree. It falls back to default values for these properties when they
are not present.
> diff --git a/drivers/char/ipmi/bt-bmc.c b/drivers/char/ipmi/bt-bmc.c
> index 486ecc0b68159..6e1f941e63db8 100644
> --- a/drivers/char/ipmi/bt-bmc.c
> +++ b/drivers/char/ipmi/bt-bmc.c
> @@ -65,6 +65,12 @@ struct bt_bmc {
> struct timer_list poll_timer;
> struct mutex mutex;
> atomic_t open_count;
> + u32 io_addr;
> +
> + struct {
> + u32 id;
> + u32 type;
> + } sirq;
> };
[Severity: High]
This isn't a bug introduced by this patch, but does bt_bmc_read() have an
integer underflow when the read count is 0?
If a user space process calls read() with a count of 0, the size calculation
might underflow:
drivers/char/ipmi/bt-bmc.c:bt_bmc_read() {
...
if (len + 1 > count)
len = count - 1;
...
}
If count is 0, could len = count - 1 underflow and become 255 when cast to
u8, causing the subsequent code to perform a 256-byte out-of-bounds copy to
user space?
[ ... ]
> @@ -429,6 +435,33 @@ static int bt_bmc_probe(struct platform_device *pdev)
> mutex_init(&bt_bmc->mutex);
> init_waitqueue_head(&bt_bmc->queue);
[Severity: High]
This is a pre-existing issue, but could there be a use-after-free of the
bt_bmc structure on driver unbind?
The structure is allocated using devm_kzalloc() in bt_bmc_probe(), tying
its lifetime to the device instead of the file descriptor's lifetime.
When the driver is unbound, bt_bmc_remove() unregisters the misc device but
does not revoke existing file descriptors or wake up waitqueues before
returning:
drivers/char/ipmi/bt-bmc.c:bt_bmc_remove() {
struct bt_bmc *bt_bmc = dev_get_drvdata(&pdev->dev);
misc_deregister(&bt_bmc->miscdev);
...
}
After bt_bmc_remove() returns, the devres framework frees the bt_bmc
structure. If a reader is blocked in bt_bmc_read():
drivers/char/ipmi/bt-bmc.c:bt_bmc_read() {
...
if (wait_event_interruptible(bt_bmc->queue,
bt_inb(bt_bmc, BT_CTRL) & BT_CTRL_H2B_ATN))
...
}
Will this blocked reader wake up and access the freed waitqueue and bt_bmc
structure?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629-aspeed-bt-bmc-multichannel-v1-0-fc23ee337f7a@aspeedtech.com?part=4
prev parent reply other threads:[~2026-06-29 7:17 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 6:48 [PATCH 0/4] ipmi: bt-bmc: Add configurable LPC host interface Yu-Che Hsieh via B4 Relay
2026-06-29 6:48 ` [PATCH 1/4] ipmi: bt-bmc: Use bitfield helpers for register definitions Yu-Che Hsieh via B4 Relay
2026-06-29 6:48 ` [PATCH 2/4] ipmi: bt-bmc: Track open state per device Yu-Che Hsieh via B4 Relay
2026-06-29 7:04 ` sashiko-bot
2026-06-29 6:49 ` [PATCH 3/4] dt-bindings: ipmi: Add optional LPC properties to ASPEED BT devices Yu-Che Hsieh via B4 Relay
2026-06-29 15:26 ` Conor Dooley
2026-06-30 2:24 ` YC Hsieh
2026-06-30 17:15 ` Conor Dooley
2026-06-30 6:11 ` Krzysztof Kozlowski
2026-06-30 17:51 ` Rob Herring
2026-06-29 6:49 ` [PATCH 4/4] ipmi: bt-bmc: Read LPC address and SerIRQ from device tree Yu-Che Hsieh via B4 Relay
2026-06-29 7:16 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629071702.5B7431F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=devnull+yc_hsieh.aspeedtech.com@kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox