From: sashiko-bot@kernel.org
To: "Loic Poulain" <loic.poulain@oss.qualcomm.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v6 1/9] block: partitions: of: Skip child nodes without reg property
Date: Tue, 30 Jun 2026 08:56:01 +0000
Message-ID: <20260630085602.39F9A1F000E9@smtp.kernel.org>
In-Reply-To: <20260629-block-as-nvmem-v6-1-f02513dcd46d@oss.qualcomm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Signed integer overflow in parsing `#address-cells` and `#size-cells` leads to a massive out-of-bounds read in `of_read_number()`.
--
commit 60f98cd1d6a199dbbed8e4468a146aeef677518d
Author: Loic Poulain <loic.poulain@oss.qualcomm.com>
block: partitions: of: Skip child nodes without reg property
Child nodes of a fixed-partitions node are not necessarily partition entries.
This patch modifies validate_of_partition() to skip nodes without a reg
property, and guards add_of_partition() with a reg property check.
> diff --git a/block/partitions/of.c b/block/partitions/of.c
> index 53664ea06b654..60aa3d6906ca1 100644
> --- a/block/partitions/of.c
> +++ b/block/partitions/of.c
> @@ -15,6 +15,10 @@ static int validate_of_partition(struct device_node *np, int slot)
> int a_cells = of_n_addr_cells(np);
> int s_cells = of_n_size_cells(np);
>
> + /* Skip nodes without a reg property (e.g. nvmem-layout) */
> + if (!reg)
> + return 1;
> +
> /* Make sure reg len match the expected addr and size cells */
> if (len / sizeof(*reg) != a_cells + s_cells)
> return -EINVAL;
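
Review bot: The new `return 1` in the `if (!reg)` branch gives validate_of_partition() a positive "skip" result next to its visible error exit `return -EINVAL`, and nothing in the hunk documents that convention. Add a comment above the function stating what a positive return means, and confirm that every caller treats only `ret < 0` as an error rather than testing `if (ret)`, so a skipped node such as nvmem-layout is not handled as a validation failure.
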
[Severity: High]

This is a pre-existing issue, but can the addition of a_cells and s_cells
overflow and bypass this length validation?

If #address-cells and #size-cells are set to values that overflow when added
as signed integers (for example, 0xffffffff and 1 via a dynamically loaded
DT overlay), and the reg property is empty, this check would evaluate to
0 != 0 and pass.

This would then pass a negative size to of_read_number() when evaluating
the offset just below this check:

block/partitions/of.c:validate_of_partition() {
    ...
    /* Validate offset conversion from bytes to sectors */
    offset = of_read_number(reg, a_cells);
    ...
}

include/linux/of.h:of_read_number() {
    u64 r = 0;
    while (size--)
        r = (r << 32) | be32_to_cpu(*(cell++));
    return r;
}

Since the while (size--) loop operates on signed integers without bounds
checking, a negative size wraps around, which could lead to a massive
out-of-bounds read and cause a kernel panic.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629-block-as-nvmem-v6-0-f02513dcd46d@oss.qualcomm.com?part=1
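
Added example, not part of the review above and not kernel code: a userspace C model of the length check the review describes, next to a range-checked variant. All function names, MAX_CELLS and the sample reg bytes are assumptions made for illustration; 0xffffffff is modelled as the int value -1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CELLS 2 /* assumption: a u64 result holds at most two 32-bit cells */

/* Constructed sample reg: offset 0x100000, size 0x80000, two cells each. */
static const uint8_t SAMPLE_REG[16] = { 0,0,0,0, 0,0x10,0,0, 0,0,0,0, 0,0x08,0,0 };

/* Mirrors the quoted check: len / sizeof(*reg) != a_cells + s_cells.
 * Unsigned addition models the wrapping int sum without undefined behaviour. */
static int legacy_len_ok(int len, int a_cells, int s_cells)
{
    int sum = (int)((uint32_t)a_cells + (uint32_t)s_cells);
    return (size_t)len / sizeof(uint32_t) == (size_t)sum;
}

/* Number of loads a wrapping while (size--) loop performs for this size. */
static uint64_t legacy_loop_reads(int size) { return (uint32_t)size; }

/* Hardened check: range-check each cell count before any arithmetic. */
static int hardened_len_ok(int len, int a_cells, int s_cells)
{
    if (a_cells < 1 || a_cells > MAX_CELLS || s_cells < 1 || s_cells > MAX_CELLS)
        return 0;
    return len > 0 && len % 4 == 0 && len / 4 == a_cells + s_cells;
}

/* Bounded big-endian reader: refuses sizes outside 1..avail cells. */
static int read_number_bounded(const uint8_t *buf, int avail, int size, uint64_t *out)
{
    uint64_t r = 0;
    if (size < 1 || size > MAX_CELLS || size > avail)
        return -1;
    for (int i = 0; i < size * 4; i++)
        r = (r << 8) | buf[i];
    *out = r;
    return 0;
}

int main(void)
{
    uint64_t off = 0;
    printf("legacy accepts len=0,a=-1,s=1: %d (loop would do %llu loads)\n",
           legacy_len_ok(0, -1, 1), (unsigned long long)legacy_loop_reads(-1));
    printf("hardened accepts the same input: %d\n", hardened_len_ok(0, -1, 1));
    if (hardened_len_ok(16, 2, 2) && !read_number_bounded(SAMPLE_REG, 4, 2, &off))
        printf("valid reg offset: 0x%llx\n", (unsigned long long)off);
    return 0;
}
```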