Devicetree
From: sashiko-bot@kernel.org
To: "Loic Poulain" <loic.poulain@oss.qualcomm.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v6 1/9] block: partitions: of: Skip child nodes without reg property
Date: Tue, 30 Jun 2026 08:56:01 +0000
Message-ID: <20260630085602.39F9A1F000E9@smtp.kernel.org>
In-Reply-To: <20260629-block-as-nvmem-v6-1-f02513dcd46d@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Signed integer overflow in parsing `#address-cells` and `#size-cells` leads to a massive out-of-bounds read in `of_read_number()`.
--

commit 60f98cd1d6a199dbbed8e4468a146aeef677518d
Author: Loic Poulain <loic.poulain@oss.qualcomm.com>

block: partitions: of: Skip child nodes without reg property

Child nodes of a fixed-partitions node are not necessarily partition entries.
This patch modifies validate_of_partition() to skip nodes without a reg
property, and guards add_of_partition() with a reg property check.

> diff --git a/block/partitions/of.c b/block/partitions/of.c
> index 53664ea06b654..60aa3d6906ca1 100644
> --- a/block/partitions/of.c
> +++ b/block/partitions/of.c
> @@ -15,6 +15,10 @@ static int validate_of_partition(struct device_node *np, int slot)
>  	int a_cells = of_n_addr_cells(np);
>  	int s_cells = of_n_size_cells(np);
>  
> +	/* Skip nodes without a reg property (e.g. nvmem-layout) */
> +	if (!reg)
> +		return 1;
> +
>  	/* Make sure reg len match the expected addr and size cells */
>  	if (len / sizeof(*reg) != a_cells + s_cells)
>  		return -EINVAL;
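
Review bot: the new `return 1` under `if (!reg)` gives validate_of_partition() a positive return value next to the `-EINVAL` error return that follows it, and nothing in this hunk states what a positive value means to the caller. Please document the return convention in a comment above the function (negative for an invalid node, positive for a node to skip) and confirm that every caller tests `< 0` and `> 0` separately instead of treating any non-zero result as an error.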

[Severity: High]
This is a pre-existing issue, but can the addition of a_cells and s_cells
overflow and bypass this length validation?

If #address-cells and #size-cells are set to values that overflow when added
as signed integers (for example, 0xffffffff and 1 via a dynamically loaded
DT overlay), and the reg property is empty, this check would evaluate to
0 != 0 and pass.

This would then pass a negative size to of_read_number() when evaluating
the offset just below this check:

block/partitions/of.c:validate_of_partition() {
	...
	/* Validate offset conversion from bytes to sectors */
	offset = of_read_number(reg, a_cells);
	...
}

include/linux/of.h:of_read_number() {
	u64 r = 0;
	while (size--)
		r = (r << 32) | be32_to_cpu(*(cell++));
	return r;
}

Since the while (size--) loop operates on signed integers without bounds
checking, a negative size wraps around, which could lead to a massive
out-of-bounds read and cause a kernel panic.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629-block-as-nvmem-v6-0-f02513dcd46d@oss.qualcomm.com?part=1
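
The length-check bypass described in the review above, as an added user-space example (not part of the original message and not kernel code). The names check_quoted(), check_hardened(), read_number_bounded() and EX_MAX_CELLS are hypothetical, and the 1..2 range for cell counts is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

#define EX_MAX_CELLS 2	/* assumption: a u64 result holds at most two 32-bit cells */

/* Length check shaped like the quoted hunk: signed counts, summed as int. */
static int check_quoted(size_t len, int a_cells, int s_cells)
{
	/* the int sum is converted to size_t for the comparison */
	return len / 4 != (size_t)(a_cells + s_cells) ? -1 : 0;
}

/* Hardened: bound each count (assumed range 1..EX_MAX_CELLS) before summing. */
static int check_hardened(size_t len, int a_cells, int s_cells)
{
	if (a_cells < 1 || a_cells > EX_MAX_CELLS)
		return -1;
	if (s_cells < 1 || s_cells > EX_MAX_CELLS)
		return -1;
	return len / 4 != (size_t)a_cells + (size_t)s_cells ? -1 : 0;
}

/* Bounded reader: refuses a count that is negative or larger than the buffer. */
static int read_number_bounded(const uint8_t *p, size_t len, int cells, uint64_t *out)
{
	uint64_t r = 0;

	if (cells < 0 || (size_t)cells > len / 4)
		return -1;
	for (int i = 0; i < cells; i++, p += 4)	/* big-endian 32-bit cells */
		r = (r << 32) | ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
				 (uint32_t)p[2] << 8 | (uint32_t)p[3]);
	*out = r;
	return 0;
}

int main(void)
{
	/* constructed reg: offset 0x1 and size 0x1000, one cell each */
	const uint8_t reg[8] = { 0, 0, 0, 1, 0, 0, 0x10, 0 };
	uint64_t off = 0;

	/* 0xffffffff held in an int is -1; an empty reg gives len 0 */
	if (check_quoted(0, -1, 1) != 0 || check_hardened(0, -1, 1) == 0)
		return 1;
	if (read_number_bounded(reg, sizeof(reg), -1, &off) == 0)
		return 1;
	return read_number_bounded(reg, sizeof(reg), 1, &off) == 0 && off == 1 ? 0 : 1;
}
```
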

Thread overview: 18+ messages
2026-06-29  8:55 [PATCH v6 0/9] Support for block device NVMEM providers Loic Poulain
2026-06-29  8:55 ` [PATCH v6 1/9] block: partitions: of: Skip child nodes without reg property Loic Poulain
2026-06-30  8:56   ` sashiko-bot [this message]
2026-06-30 18:02   ` Rob Herring
2026-06-30 19:59     ` Loic Poulain
2026-06-30 21:45       ` Rob Herring
2026-07-01 13:35         ` Loic Poulain
2026-06-29  8:55 ` [PATCH v6 2/9] dt-bindings: mmc: Document support for nvmem-layout Loic Poulain
2026-06-29  8:55 ` [PATCH v6 3/9] dt-bindings: net: wireless: qcom,ath10k: Document NVMEM cells Loic Poulain
2026-06-29  8:55 ` [PATCH v6 4/9] dt-bindings: bluetooth: qcom: Add NVMEM BD address cell Loic Poulain
2026-06-29  8:55 ` [PATCH v6 5/9] block: implement NVMEM provider Loic Poulain
2026-06-30  7:59   ` Bartosz Golaszewski
2026-06-29  8:55 ` [PATCH v6 6/9] net: of_net: Add of_get_nvmem_eui48() helper for EUI-48 lookup Loic Poulain
2026-06-30  8:56   ` sashiko-bot
2026-06-29  8:55 ` [PATCH v6 7/9] Bluetooth: hci_sync: Add NVMEM-backed BD address retrieval Loic Poulain
2026-06-29  9:23   ` Kwapulinski, Piotr
2026-06-29  8:55 ` [PATCH v6 8/9] Bluetooth: qca: Set NVMEM BD address quirks when address is invalid Loic Poulain
2026-06-29  8:55 ` [PATCH v6 9/9] arm64: dts: qcom: arduino-imola: Describe NVMEM layout for WiFi/BT addresses Loic Poulain
