* [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing
@ 2026-06-24 8:55 Binbin Zhou
2026-06-24 14:36 ` Huacai Chen
2026-07-02 15:57 ` Lee Jones
0 siblings, 2 replies; 4+ messages in thread
From: Binbin Zhou @ 2026-06-24 8:55 UTC (permalink / raw)
To: Binbin Zhou, Huacai Chen, Lee Jones, Corey Minyard, Chong Qiao
Cc: Huacai Chen, Xuerui Wang, loongarch, linux-kernel, jeffbai,
kexybiscuit, zhuyunfei, Binbin Zhou, kernel test robot
Use pointers annotated with the __iomem marker for all iomem map calls,
and creates a local copy of the mapped IO memory for future access in
the code. memcpy_fromio() and memcpy_toio() are used to read/write data
from/to mapped IO memory
Fixes: 0d64f6d1ffe9 ("mfd: ls2kbmc: Introduce Loongson-2K BMC core driver")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603021730.Yy3QXYTw-lkp@intel.com/
Closes: https://lore.kernel.org/oe-kbuild-all/202606120639.WG6eb8VU-lkp@intel.com/
Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
---
V2:
- Add the missing memcpy_fromio();
- Drop the unnecessary `buf` variable.
Link to V1:
https://lore.kernel.org/all/20260616115530.4012675-1-zhoubinbin@loongson.cn/
drivers/mfd/ls2k-bmc-core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/mfd/ls2k-bmc-core.c b/drivers/mfd/ls2k-bmc-core.c
index 408056bfb2fe..1312812860c0 100644
--- a/drivers/mfd/ls2k-bmc-core.c
+++ b/drivers/mfd/ls2k-bmc-core.c
@@ -427,14 +427,20 @@ static int ls2k_bmc_init(struct ls2k_bmc_ddata *ddata)
*/
static int ls2k_bmc_parse_mode(struct pci_dev *pdev, struct simplefb_platform_data *pd)
{
- char *mode;
+ char *mode __free(kfree) = NULL;
+ void __iomem *base;
int depth, ret;
/* The last 16M of PCI BAR0 is used to store the resolution string. */
- mode = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
+ base = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M);
+ if (!base)
+ return -ENOMEM;
+
+ mode = kmalloc(SZ_16M, GFP_KERNEL);
if (!mode)
return -ENOMEM;
+ memcpy_fromio(mode, base, SZ_16M);
/* The resolution field starts with the flag "video=". */
if (!strncmp(mode, "video=", 6))
mode = mode + 6;
base-commit: c454531af72e0df811600601413bb8d3d039ed08
--
2.52.0
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing 2026-06-24 8:55 [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing Binbin Zhou @ 2026-06-24 14:36 ` Huacai Chen 2026-07-02 15:57 ` Lee Jones 1 sibling, 0 replies; 4+ messages in thread From: Huacai Chen @ 2026-06-24 14:36 UTC (permalink / raw) To: Binbin Zhou Cc: Binbin Zhou, Huacai Chen, Lee Jones, Corey Minyard, Chong Qiao, Xuerui Wang, loongarch, linux-kernel, jeffbai, kexybiscuit, zhuyunfei, kernel test robot Reviewed-by: Huacai Chen <chenhuacai@loongson.cn> On Wed, Jun 24, 2026 at 4:56 PM Binbin Zhou <zhoubinbin@loongson.cn> wrote: > > Use pointers annotated with the __iomem marker for all iomem map calls, > and creates a local copy of the mapped IO memory for future access in > the code. memcpy_fromio() and memcpy_toio() are used to read/write data > from/to mapped IO memory > > Fixes: 0d64f6d1ffe9 ("mfd: ls2kbmc: Introduce Loongson-2K BMC core driver") > Reported-by: kernel test robot <lkp@intel.com> > Closes: https://lore.kernel.org/oe-kbuild-all/202603021730.Yy3QXYTw-lkp@intel.com/ > Closes: https://lore.kernel.org/oe-kbuild-all/202606120639.WG6eb8VU-lkp@intel.com/ > Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn> > --- > V2: > - Add the missing memcpy_fromio(); > - Drop the unnecessary `buf` variable. > > Link to V1: > https://lore.kernel.org/all/20260616115530.4012675-1-zhoubinbin@loongson.cn/ > > drivers/mfd/ls2k-bmc-core.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/drivers/mfd/ls2k-bmc-core.c b/drivers/mfd/ls2k-bmc-core.c > index 408056bfb2fe..1312812860c0 100644 > --- a/drivers/mfd/ls2k-bmc-core.c > +++ b/drivers/mfd/ls2k-bmc-core.c > @@ -427,14 +427,20 @@ static int ls2k_bmc_init(struct ls2k_bmc_ddata *ddata) > */ > static int ls2k_bmc_parse_mode(struct pci_dev *pdev, struct simplefb_platform_data *pd) > { > - char *mode; > + char *mode __free(kfree) = NULL; > + void __iomem *base; > int depth, ret; > > /* The last 16M of PCI BAR0 is used to store the resolution string. */ > - mode = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M); > + base = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M); > + if (!base) > + return -ENOMEM; > + > + mode = kmalloc(SZ_16M, GFP_KERNEL); > if (!mode) > return -ENOMEM; > > + memcpy_fromio(mode, base, SZ_16M); > /* The resolution field starts with the flag "video=". */ > if (!strncmp(mode, "video=", 6)) > mode = mode + 6; > > base-commit: c454531af72e0df811600601413bb8d3d039ed08 > -- > 2.52.0 > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing 2026-06-24 8:55 [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing Binbin Zhou 2026-06-24 14:36 ` Huacai Chen @ 2026-07-02 15:57 ` Lee Jones 2026-07-03 9:44 ` Binbin Zhou 1 sibling, 1 reply; 4+ messages in thread From: Lee Jones @ 2026-07-02 15:57 UTC (permalink / raw) To: Binbin Zhou Cc: Binbin Zhou, Huacai Chen, Corey Minyard, Chong Qiao, Huacai Chen, Xuerui Wang, loongarch, linux-kernel, jeffbai, kexybiscuit, zhuyunfei, kernel test robot Please consider these: /* Sashiko Automation: Issues Found (4 Findings) */ On Wed, 24 Jun 2026, Binbin Zhou wrote: > Use pointers annotated with the __iomem marker for all iomem map calls, > and creates a local copy of the mapped IO memory for future access in > the code. memcpy_fromio() and memcpy_toio() are used to read/write data > from/to mapped IO memory > > Fixes: 0d64f6d1ffe9 ("mfd: ls2kbmc: Introduce Loongson-2K BMC core driver") > Reported-by: kernel test robot <lkp@intel.com> > Closes: https://lore.kernel.org/oe-kbuild-all/202603021730.Yy3QXYTw-lkp@intel.com/ > Closes: https://lore.kernel.org/oe-kbuild-all/202606120639.WG6eb8VU-lkp@intel.com/ > Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn> > --- > V2: > - Add the missing memcpy_fromio(); > - Drop the unnecessary `buf` variable. > > Link to V1: > https://lore.kernel.org/all/20260616115530.4012675-1-zhoubinbin@loongson.cn/ > > drivers/mfd/ls2k-bmc-core.c | 10 ++++++++-- > 1 file changed, 8 insertions(+), 2 deletions(-) > > diff --git a/drivers/mfd/ls2k-bmc-core.c b/drivers/mfd/ls2k-bmc-core.c > index 408056bfb2fe..1312812860c0 100644 > --- a/drivers/mfd/ls2k-bmc-core.c > +++ b/drivers/mfd/ls2k-bmc-core.c > @@ -427,14 +427,20 @@ static int ls2k_bmc_init(struct ls2k_bmc_ddata *ddata) > */ > static int ls2k_bmc_parse_mode(struct pci_dev *pdev, struct simplefb_platform_data *pd) > { > - char *mode; > + char *mode __free(kfree) = NULL; > + void __iomem *base; > int depth, ret; > > /* The last 16M of PCI BAR0 is used to store the resolution string. */ > - mode = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M); > + base = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M); > + if (!base) > + return -ENOMEM; > + > + mode = kmalloc(SZ_16M, GFP_KERNEL); [Severity: High] Will this 16MB allocation unconditionally fail on systems where KMALLOC_MAX_SIZE is smaller, such as 4MB with 4K pages? Even if successful, is it necessary to synchronously copy 16MB of device I/O memory just to read a short resolution string? > if (!mode) > return -ENOMEM; > > + memcpy_fromio(mode, base, SZ_16M); [Severity: High] This is a pre-existing issue, but since the buffer is now allocated on the heap via kmalloc() and copied directly from device memory, will string functions like strncmp() and strsep() read out-of-bounds if the 16MB region lacks a null terminator byte? > /* The resolution field starts with the flag "video=". */ > if (!strncmp(mode, "video=", 6)) > mode = mode + 6; [Severity: High] Since mode was declared with __free(kfree), will advancing the pointer here cause kfree() to be called with a mid-buffer pointer and crash the allocator when ls2k_bmc_parse_mode() returns? > > base-commit: c454531af72e0df811600601413bb8d3d039ed08 > -- > 2.52.0 > -- Lee Jones ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing 2026-07-02 15:57 ` Lee Jones @ 2026-07-03 9:44 ` Binbin Zhou 0 siblings, 0 replies; 4+ messages in thread From: Binbin Zhou @ 2026-07-03 9:44 UTC (permalink / raw) To: Lee Jones Cc: Binbin Zhou, Huacai Chen, Corey Minyard, Chong Qiao, Huacai Chen, Xuerui Wang, loongarch, linux-kernel, jeffbai, kexybiscuit, zhuyunfei, kernel test robot Hi Lee: On Thu, Jul 2, 2026 at 11:57 PM Lee Jones <lee@kernel.org> wrote: > > Please consider these: > > /* Sashiko Automation: Issues Found (4 Findings) */ > > On Wed, 24 Jun 2026, Binbin Zhou wrote: > > > Use pointers annotated with the __iomem marker for all iomem map calls, > > and creates a local copy of the mapped IO memory for future access in > > the code. memcpy_fromio() and memcpy_toio() are used to read/write data > > from/to mapped IO memory > > > > Fixes: 0d64f6d1ffe9 ("mfd: ls2kbmc: Introduce Loongson-2K BMC core driver") > > Reported-by: kernel test robot <lkp@intel.com> > > Closes: https://lore.kernel.org/oe-kbuild-all/202603021730.Yy3QXYTw-lkp@intel.com/ > > Closes: https://lore.kernel.org/oe-kbuild-all/202606120639.WG6eb8VU-lkp@intel.com/ > > Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn> > > --- > > V2: > > - Add the missing memcpy_fromio(); > > - Drop the unnecessary `buf` variable. > > > > Link to V1: > > https://lore.kernel.org/all/20260616115530.4012675-1-zhoubinbin@loongson.cn/ > > > > drivers/mfd/ls2k-bmc-core.c | 10 ++++++++-- > > 1 file changed, 8 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/mfd/ls2k-bmc-core.c b/drivers/mfd/ls2k-bmc-core.c > > index 408056bfb2fe..1312812860c0 100644 > > --- a/drivers/mfd/ls2k-bmc-core.c > > +++ b/drivers/mfd/ls2k-bmc-core.c > > @@ -427,14 +427,20 @@ static int ls2k_bmc_init(struct ls2k_bmc_ddata *ddata) > > */ > > static int ls2k_bmc_parse_mode(struct pci_dev *pdev, struct simplefb_platform_data *pd) > > { > > - char *mode; > > + char *mode __free(kfree) = NULL; > > + void __iomem *base; > > int depth, ret; > > > > /* The last 16M of PCI BAR0 is used to store the resolution string. */ > > - mode = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M); > > + base = devm_ioremap(&pdev->dev, pci_resource_start(pdev, 0) + SZ_16M, SZ_16M); > > + if (!base) > > + return -ENOMEM; > > + > > + mode = kmalloc(SZ_16M, GFP_KERNEL); > > [Severity: High] > Will this 16MB allocation unconditionally fail on systems where > KMALLOC_MAX_SIZE is smaller, such as 4MB with 4K pages? > > Even if successful, is it necessary to synchronously copy 16MB of device > I/O memory just to read a short resolution string? Emm, indeed, `SZ_64` should be enough. I will also define the following macro: /* The LS2K BMC display resolution string length store in PCI BAR0 */ #define LS2K_RESOLUTION_STR_LEN SZ_64 > > > > if (!mode) > > return -ENOMEM; > > > > + memcpy_fromio(mode, base, SZ_16M); > > [Severity: High] > This is a pre-existing issue, but since the buffer is now allocated on the > heap via kmalloc() and copied directly from device memory, will string > functions like strncmp() and strsep() read out-of-bounds if the 16MB > region lacks a null terminator byte? > > > > /* The resolution field starts with the flag "video=". */ > > if (!strncmp(mode, "video=", 6)) > > mode = mode + 6; > > [Severity: High] > Since mode was declared with __free(kfree), will advancing the pointer > here cause kfree() to be called with a mid-buffer pointer and crash the > allocator when ls2k_bmc_parse_mode() returns? Yes, I'll add a new variable `pos` and check the return value of `strncmp()`, as follows: /* The resolution field starts with the flag "video=". */ if (strncmp(mode, "video=", 6)) { dev_err(&pdev->dev, "Simpledrm resolution missing or corrupt!\n"); return -EINVAL; } pos = mode + 6; ret = kstrtoint(strsep(&pos, "x"), 10, &pd->width); ........ > > > > > > base-commit: c454531af72e0df811600601413bb8d3d039ed08 > > -- > > 2.52.0 > > > > -- > Lee Jones -- Thanks. Binbin ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-07-03 9:44 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-24 8:55 [PATCH v2] mfd: ls2kbmc: mfd: ls2kbmc: Fix iomem pointer handling in video mode parsing Binbin Zhou 2026-06-24 14:36 ` Huacai Chen 2026-07-02 15:57 ` Lee Jones 2026-07-03 9:44 ` Binbin Zhou
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox