The Linux Kernel Mailing List
 help / color / mirror / Atom feed
* [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing
@ 2026-06-24  8:55 Binbin Zhou
  2026-06-24 14:36 ` Huacai Chen
  2026-07-02 15:57 ` Lee Jones
  0 siblings, 2 replies; 4+ messages in thread
From: Binbin Zhou @ 2026-06-24  8:55 UTC (permalink / raw)
  To: Binbin Zhou, Huacai Chen, Lee Jones, Corey Minyard, Chong Qiao
  Cc: Huacai Chen, Xuerui Wang, loongarch, linux-kernel, jeffbai,
	kexybiscuit, zhuyunfei, Binbin Zhou, kernel test robot

Use pointers annotated with the __iomem marker for all iomem map calls,
and creates a local copy of the mapped IO memory for future access in
the code. memcpy_fromio() and memcpy_toio() are used to read/write data
from/to mapped IO memory

Fixes: 0d64f6d1ffe9 ("mfd: ls2kbmc: Introduce Loongson-2K BMC core driver")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603021730.Yy3QXYTw-lkp@intel.com/
Closes: https://lore.kernel.org/oe-kbuild-all/202606120639.WG6eb8VU-lkp@intel.com/
Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
---
V2:
 - Add the missing memcpy_fromio();
 - Drop the unnecessary `buf` variable.

Link to V1:
https://lore.kernel.org/all/20260616115530.4012675-1-zhoubinbin@loongson.cn/

 drivers/mfd/ls2k-bmc-core.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/mfd/ls2k-bmc-core.c b/drivers/mfd/ls2k-bmc-core.c
index 408056bfb2fe..1312812860c0 100644
--- a/drivers/mfd/ls2k-bmc-core.c
+++ b/drivers/mfd/ls2k-bmc-core.c
@@ -427,14 +427,20 @@ static int ls2k_bmc_init(struct ls2k_bmc_ddata *ddata)
  */
 static int ls2k_bmc_parse_mode(struct pci_dev *pdev, struct simplefb_platform_data *pd)
 {
-	char *mode;
+	char *mode __free(kfree) = NULL;
+	void __iomem *base;
 	int depth, ret;
 
 	/* The last 16M of PCI BAR0 is used to store the resolution string. */
-	mode = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
+	base = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
+	if (!base)
+		return -ENOMEM;
+
+	mode = kmalloc(SZ_16M, GFP_KERNEL);
 	if (!mode)
 		return -ENOMEM;
 
+	memcpy_fromio(mode, base, SZ_16M);
 	/* The resolution field starts with the flag "video=". */
 	if (!strncmp(mode, "video=", 6))
 		mode = mode + 6;

base-commit: c454531af72e0df811600601413bb8d3d039ed08
-- 
2.52.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing
  2026-06-24  8:55 [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing Binbin Zhou
@ 2026-06-24 14:36 ` Huacai Chen
  2026-07-02 15:57 ` Lee Jones
  1 sibling, 0 replies; 4+ messages in thread
From: Huacai Chen @ 2026-06-24 14:36 UTC (permalink / raw)
  To: Binbin Zhou
  Cc: Binbin Zhou, Huacai Chen, Lee Jones, Corey Minyard, Chong Qiao,
	Xuerui Wang, loongarch, linux-kernel, jeffbai, kexybiscuit,
	zhuyunfei, kernel test robot

Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>

On Wed, Jun 24, 2026 at 4:56 PM Binbin Zhou <zhoubinbin@loongson.cn> wrote:
>
> Use pointers annotated with the __iomem marker for all iomem map calls,
> and creates a local copy of the mapped IO memory for future access in
> the code. memcpy_fromio() and memcpy_toio() are used to read/write data
> from/to mapped IO memory
>
> Fixes: 0d64f6d1ffe9 ("mfd: ls2kbmc: Introduce Loongson-2K BMC core driver")
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202603021730.Yy3QXYTw-lkp@intel.com/
> Closes: https://lore.kernel.org/oe-kbuild-all/202606120639.WG6eb8VU-lkp@intel.com/
> Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
> ---
> V2:
>  - Add the missing memcpy_fromio();
>  - Drop the unnecessary `buf` variable.
>
> Link to V1:
> https://lore.kernel.org/all/20260616115530.4012675-1-zhoubinbin@loongson.cn/
>
>  drivers/mfd/ls2k-bmc-core.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/mfd/ls2k-bmc-core.c b/drivers/mfd/ls2k-bmc-core.c
> index 408056bfb2fe..1312812860c0 100644
> --- a/drivers/mfd/ls2k-bmc-core.c
> +++ b/drivers/mfd/ls2k-bmc-core.c
> @@ -427,14 +427,20 @@ static int ls2k_bmc_init(struct ls2k_bmc_ddata *ddata)
>   */
>  static int ls2k_bmc_parse_mode(struct pci_dev *pdev, struct simplefb_platform_data *pd)
>  {
> -       char *mode;
> +       char *mode __free(kfree) = NULL;
> +       void __iomem *base;
>         int depth, ret;
>
>         /* The last 16M of PCI BAR0 is used to store the resolution string. */
> -       mode = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
> +       base = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
> +       if (!base)
> +               return -ENOMEM;
> +
> +       mode = kmalloc(SZ_16M, GFP_KERNEL);
>         if (!mode)
>                 return -ENOMEM;
>
> +       memcpy_fromio(mode, base, SZ_16M);
>         /* The resolution field starts with the flag "video=". */
>         if (!strncmp(mode, "video=", 6))
>                 mode = mode + 6;
>
> base-commit: c454531af72e0df811600601413bb8d3d039ed08
> --
> 2.52.0
>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing
  2026-06-24  8:55 [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing Binbin Zhou
  2026-06-24 14:36 ` Huacai Chen
@ 2026-07-02 15:57 ` Lee Jones
  2026-07-03  9:44   ` Binbin Zhou
  1 sibling, 1 reply; 4+ messages in thread
From: Lee Jones @ 2026-07-02 15:57 UTC (permalink / raw)
  To: Binbin Zhou
  Cc: Binbin Zhou, Huacai Chen, Corey Minyard, Chong Qiao, Huacai Chen,
	Xuerui Wang, loongarch, linux-kernel, jeffbai, kexybiscuit,
	zhuyunfei, kernel test robot

Please consider these:

/* Sashiko Automation: Issues Found (4 Findings) */

On Wed, 24 Jun 2026, Binbin Zhou wrote:

> Use pointers annotated with the __iomem marker for all iomem map calls,
> and creates a local copy of the mapped IO memory for future access in
> the code. memcpy_fromio() and memcpy_toio() are used to read/write data
> from/to mapped IO memory
> 
> Fixes: 0d64f6d1ffe9 ("mfd: ls2kbmc: Introduce Loongson-2K BMC core driver")
> Reported-by: kernel test robot <lkp@intel.com>
> Closes: https://lore.kernel.org/oe-kbuild-all/202603021730.Yy3QXYTw-lkp@intel.com/
> Closes: https://lore.kernel.org/oe-kbuild-all/202606120639.WG6eb8VU-lkp@intel.com/
> Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
> ---
> V2:
>  - Add the missing memcpy_fromio();
>  - Drop the unnecessary `buf` variable.
> 
> Link to V1:
> https://lore.kernel.org/all/20260616115530.4012675-1-zhoubinbin@loongson.cn/
> 
>  drivers/mfd/ls2k-bmc-core.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/mfd/ls2k-bmc-core.c b/drivers/mfd/ls2k-bmc-core.c
> index 408056bfb2fe..1312812860c0 100644
> --- a/drivers/mfd/ls2k-bmc-core.c
> +++ b/drivers/mfd/ls2k-bmc-core.c
> @@ -427,14 +427,20 @@ static int ls2k_bmc_init(struct ls2k_bmc_ddata *ddata)
>   */
>  static int ls2k_bmc_parse_mode(struct pci_dev *pdev, struct simplefb_platform_data *pd)
>  {
> -	char *mode;
> +	char *mode __free(kfree) = NULL;
> +	void __iomem *base;
>  	int depth, ret;
>  
>  	/* The last 16M of PCI BAR0 is used to store the resolution string. */
> -	mode = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
> +	base = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
> +	if (!base)
> +		return -ENOMEM;
> +
> +	mode = kmalloc(SZ_16M, GFP_KERNEL);

[Severity: High]
Will this 16MB allocation unconditionally fail on systems where
KMALLOC_MAX_SIZE is smaller, such as 4MB with 4K pages?

Even if successful, is it necessary to synchronously copy 16MB of device
I/O memory just to read a short resolution string?


>  	if (!mode)
>  		return -ENOMEM;
>  
> +	memcpy_fromio(mode, base, SZ_16M);

[Severity: High]
This is a pre-existing issue, but since the buffer is now allocated on the
heap via kmalloc() and copied directly from device memory, will string
functions like strncmp() and strsep() read out-of-bounds if the 16MB
region lacks a null terminator byte?


>  	/* The resolution field starts with the flag "video=". */
>  	if (!strncmp(mode, "video=", 6))
>  		mode = mode + 6;

[Severity: High]
Since mode was declared with __free(kfree), will advancing the pointer
here cause kfree() to be called with a mid-buffer pointer and crash the
allocator when ls2k_bmc_parse_mode() returns?


> 
> base-commit: c454531af72e0df811600601413bb8d3d039ed08
> -- 
> 2.52.0
> 

-- 
Lee Jones

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing
  2026-07-02 15:57 ` Lee Jones
@ 2026-07-03  9:44   ` Binbin Zhou
  0 siblings, 0 replies; 4+ messages in thread
From: Binbin Zhou @ 2026-07-03  9:44 UTC (permalink / raw)
  To: Lee Jones
  Cc: Binbin Zhou, Huacai Chen, Corey Minyard, Chong Qiao, Huacai Chen,
	Xuerui Wang, loongarch, linux-kernel, jeffbai, kexybiscuit,
	zhuyunfei, kernel test robot

Hi Lee:

On Thu, Jul 2, 2026 at 11:57 PM Lee Jones <lee@kernel.org> wrote:
>
> Please consider these:
>
> /* Sashiko Automation: Issues Found (4 Findings) */
>
> On Wed, 24 Jun 2026, Binbin Zhou wrote:
>
> > Use pointers annotated with the __iomem marker for all iomem map calls,
> > and creates a local copy of the mapped IO memory for future access in
> > the code. memcpy_fromio() and memcpy_toio() are used to read/write data
> > from/to mapped IO memory
> >
> > Fixes: 0d64f6d1ffe9 ("mfd: ls2kbmc: Introduce Loongson-2K BMC core driver")
> > Reported-by: kernel test robot <lkp@intel.com>
> > Closes: https://lore.kernel.org/oe-kbuild-all/202603021730.Yy3QXYTw-lkp@intel.com/
> > Closes: https://lore.kernel.org/oe-kbuild-all/202606120639.WG6eb8VU-lkp@intel.com/
> > Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
> > ---
> > V2:
> >  - Add the missing memcpy_fromio();
> >  - Drop the unnecessary `buf` variable.
> >
> > Link to V1:
> > https://lore.kernel.org/all/20260616115530.4012675-1-zhoubinbin@loongson.cn/
> >
> >  drivers/mfd/ls2k-bmc-core.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/mfd/ls2k-bmc-core.c b/drivers/mfd/ls2k-bmc-core.c
> > index 408056bfb2fe..1312812860c0 100644
> > --- a/drivers/mfd/ls2k-bmc-core.c
> > +++ b/drivers/mfd/ls2k-bmc-core.c
> > @@ -427,14 +427,20 @@ static int ls2k_bmc_init(struct ls2k_bmc_ddata *ddata)
> >   */
> >  static int ls2k_bmc_parse_mode(struct pci_dev *pdev, struct simplefb_platform_data *pd)
> >  {
> > -     char *mode;
> > +     char *mode __free(kfree) = NULL;
> > +     void __iomem *base;
> >       int depth, ret;
> >
> >       /* The last 16M of PCI BAR0 is used to store the resolution string. */
> > -     mode = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
> > +     base = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
> > +     if (!base)
> > +             return -ENOMEM;
> > +
> > +     mode = kmalloc(SZ_16M, GFP_KERNEL);
>
> [Severity: High]
> Will this 16MB allocation unconditionally fail on systems where
> KMALLOC_MAX_SIZE is smaller, such as 4MB with 4K pages?
>
> Even if successful, is it necessary to synchronously copy 16MB of device
> I/O memory just to read a short resolution string?

Emm,  indeed, `SZ_64` should be enough. I will also define the following macro:

/* The LS2K BMC display resolution string length store in PCI BAR0 */
#define LS2K_RESOLUTION_STR_LEN                SZ_64

>
>
> >       if (!mode)
> >               return -ENOMEM;
> >
> > +     memcpy_fromio(mode, base, SZ_16M);
>
> [Severity: High]
> This is a pre-existing issue, but since the buffer is now allocated on the
> heap via kmalloc() and copied directly from device memory, will string
> functions like strncmp() and strsep() read out-of-bounds if the 16MB
> region lacks a null terminator byte?
>
>
> >       /* The resolution field starts with the flag "video=". */
> >       if (!strncmp(mode, "video=", 6))
> >               mode = mode + 6;
>
> [Severity: High]
> Since mode was declared with __free(kfree), will advancing the pointer
> here cause kfree() to be called with a mid-buffer pointer and crash the
> allocator when ls2k_bmc_parse_mode() returns?

Yes, I'll add a new variable `pos` and check the return value of
`strncmp()`, as follows:

        /* The resolution field starts with the flag "video=". */
        if (strncmp(mode, "video=", 6)) {
                dev_err(&pdev->dev, "Simpledrm resolution missing or
corrupt!\n");
                return -EINVAL;
        }

        pos = mode + 6;
        ret = kstrtoint(strsep(&pos, "x"), 10, &pd->width);
........
>
>
> >
> > base-commit: c454531af72e0df811600601413bb8d3d039ed08
> > --
> > 2.52.0
> >
>
> --
> Lee Jones

--
Thanks.
Binbin

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-03  9:44 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-24  8:55 [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing Binbin Zhou
2026-06-24 14:36 ` Huacai Chen
2026-07-02 15:57 ` Lee Jones
2026-07-03  9:44   ` Binbin Zhou

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox