* [PATCH v1] firmware: thead: Fix buffer overflow and use standard endian macros [not found] <CGME20250403131056eucas1p16076c6e4dce1f1217dc327250c419e37@eucas1p1.samsung.com> @ 2025-04-03 13:10 ` Michal Wilczynski 2026-03-26 8:42 ` Dan Carpenter 2026-03-26 19:14 ` Drew Fustini 0 siblings, 2 replies; 4+ messages in thread From: Michal Wilczynski @ 2025-04-03 13:10 UTC (permalink / raw) To: drew, guoren, wefu, ulf.hansson Cc: linux-kernel, linux-riscv, Michal Wilczynski, Dan Carpenter Addresses two issues in the TH1520 AON firmware protocol driver: 1. Fix a potential buffer overflow where the code used unsafe pointer arithmetic to access the 'mode' field through the 'resource' pointer with an offset. This was flagged by Smatch static checker as: "buffer overflow 'data' 2 <= 3" 2. Replace custom RPC_SET_BE* and RPC_GET_BE* macros with standard kernel endianness conversion macros (cpu_to_be16, etc.) for better portability and maintainability. The functionality was re-tested with the GPU power-up sequence, confirming the GPU powers up correctly and the driver probes successfully. [ 12.702370] powervr ffef400000.gpu: [drm] loaded firmware powervr/rogue_36.52.104.182_v1.fw [ 12.711043] powervr ffef400000.gpu: [drm] FW version v1.0 (build 6645434 OS) [ 12.719787] [drm] Initialized powervr 1.0.0 for ffef400000.gpu on minor 0 Fixes: e4b3cbd840e5 ("firmware: thead: Add AON firmware protocol driver") Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/all/17a0ccce-060b-4b9d-a3c4-8d5d5823b1c9@stanley.mountain/ Signed-off-by: Michal Wilczynski <m.wilczynski@samsung.com> --- drivers/firmware/thead,th1520-aon.c | 7 +- .../linux/firmware/thead/thead,th1520-aon.h | 74 ------------------- 2 files changed, 3 insertions(+), 78 deletions(-) diff --git a/drivers/firmware/thead,th1520-aon.c b/drivers/firmware/thead,th1520-aon.c index 38f812ac9920..b87d4e8235b1 100644 --- a/drivers/firmware/thead,th1520-aon.c +++ b/drivers/firmware/thead,th1520-aon.c @@ -170,10 +170,9 @@ int th1520_aon_power_update(struct th1520_aon_chan *aon_chan, u16 rsrc, hdr->func = TH1520_AON_PM_FUNC_SET_RESOURCE_POWER_MODE; hdr->size = TH1520_AON_RPC_MSG_NUM; - RPC_SET_BE16(&msg.resource, 0, rsrc); - RPC_SET_BE16(&msg.resource, 2, - (power_on ? TH1520_AON_PM_PW_MODE_ON : - TH1520_AON_PM_PW_MODE_OFF)); + msg.resource = cpu_to_be16(rsrc); + msg.mode = cpu_to_be16(power_on ? TH1520_AON_PM_PW_MODE_ON : + TH1520_AON_PM_PW_MODE_OFF); ret = th1520_aon_call_rpc(aon_chan, &msg); if (ret) diff --git a/include/linux/firmware/thead/thead,th1520-aon.h b/include/linux/firmware/thead/thead,th1520-aon.h index dae132b66873..d81f5f6f5b90 100644 --- a/include/linux/firmware/thead/thead,th1520-aon.h +++ b/include/linux/firmware/thead/thead,th1520-aon.h @@ -97,80 +97,6 @@ struct th1520_aon_rpc_ack_common { #define RPC_GET_SVC_FLAG_ACK_TYPE(MESG) (((MESG)->svc & 0x40) >> 6) #define RPC_SET_SVC_FLAG_ACK_TYPE(MESG, ACK) ((MESG)->svc |= (ACK) << 6) -#define RPC_SET_BE64(MESG, OFFSET, SET_DATA) \ - do { \ - u8 *data = (u8 *)(MESG); \ - u64 _offset = (OFFSET); \ - u64 _set_data = (SET_DATA); \ - data[_offset + 7] = _set_data & 0xFF; \ - data[_offset + 6] = (_set_data & 0xFF00) >> 8; \ - data[_offset + 5] = (_set_data & 0xFF0000) >> 16; \ - data[_offset + 4] = (_set_data & 0xFF000000) >> 24; \ - data[_offset + 3] = (_set_data & 0xFF00000000) >> 32; \ - data[_offset + 2] = (_set_data & 0xFF0000000000) >> 40; \ - data[_offset + 1] = (_set_data & 0xFF000000000000) >> 48; \ - data[_offset + 0] = (_set_data & 0xFF00000000000000) >> 56; \ - } while (0) - -#define RPC_SET_BE32(MESG, OFFSET, SET_DATA) \ - do { \ - u8 *data = (u8 *)(MESG); \ - u64 _offset = (OFFSET); \ - u64 _set_data = (SET_DATA); \ - data[_offset + 3] = (_set_data) & 0xFF; \ - data[_offset + 2] = (_set_data & 0xFF00) >> 8; \ - data[_offset + 1] = (_set_data & 0xFF0000) >> 16; \ - data[_offset + 0] = (_set_data & 0xFF000000) >> 24; \ - } while (0) - -#define RPC_SET_BE16(MESG, OFFSET, SET_DATA) \ - do { \ - u8 *data = (u8 *)(MESG); \ - u64 _offset = (OFFSET); \ - u64 _set_data = (SET_DATA); \ - data[_offset + 1] = (_set_data) & 0xFF; \ - data[_offset + 0] = (_set_data & 0xFF00) >> 8; \ - } while (0) - -#define RPC_SET_U8(MESG, OFFSET, SET_DATA) \ - do { \ - u8 *data = (u8 *)(MESG); \ - data[OFFSET] = (SET_DATA) & 0xFF; \ - } while (0) - -#define RPC_GET_BE64(MESG, OFFSET, PTR) \ - do { \ - u8 *data = (u8 *)(MESG); \ - u64 _offset = (OFFSET); \ - *(u32 *)(PTR) = \ - (data[_offset + 7] | data[_offset + 6] << 8 | \ - data[_offset + 5] << 16 | data[_offset + 4] << 24 | \ - data[_offset + 3] << 32 | data[_offset + 2] << 40 | \ - data[_offset + 1] << 48 | data[_offset + 0] << 56); \ - } while (0) - -#define RPC_GET_BE32(MESG, OFFSET, PTR) \ - do { \ - u8 *data = (u8 *)(MESG); \ - u64 _offset = (OFFSET); \ - *(u32 *)(PTR) = \ - (data[_offset + 3] | data[_offset + 2] << 8 | \ - data[_offset + 1] << 16 | data[_offset + 0] << 24); \ - } while (0) - -#define RPC_GET_BE16(MESG, OFFSET, PTR) \ - do { \ - u8 *data = (u8 *)(MESG); \ - u64 _offset = (OFFSET); \ - *(u16 *)(PTR) = (data[_offset + 1] | data[_offset + 0] << 8); \ - } while (0) - -#define RPC_GET_U8(MESG, OFFSET, PTR) \ - do { \ - u8 *data = (u8 *)(MESG); \ - *(u8 *)(PTR) = (data[OFFSET]); \ - } while (0) - /* * Defines for SC PM Power Mode */ -- 2.34.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v1] firmware: thead: Fix buffer overflow and use standard endian macros 2025-04-03 13:10 ` [PATCH v1] firmware: thead: Fix buffer overflow and use standard endian macros Michal Wilczynski @ 2026-03-26 8:42 ` Dan Carpenter 2026-03-26 19:14 ` Drew Fustini 1 sibling, 0 replies; 4+ messages in thread From: Dan Carpenter @ 2026-03-26 8:42 UTC (permalink / raw) To: Michal Wilczynski Cc: drew, guoren, wefu, ulf.hansson, linux-kernel, linux-riscv On Thu, Apr 03, 2025 at 03:10:51PM +0200, Michal Wilczynski wrote: > Addresses two issues in the TH1520 AON firmware protocol driver: > > 1. Fix a potential buffer overflow where the code used unsafe pointer > arithmetic to access the 'mode' field through the 'resource' pointer > with an offset. This was flagged by Smatch static checker as: > "buffer overflow 'data' 2 <= 3" > > 2. Replace custom RPC_SET_BE* and RPC_GET_BE* macros with standard > kernel endianness conversion macros (cpu_to_be16, etc.) for better > portability and maintainability. > > The functionality was re-tested with the GPU power-up sequence, > confirming the GPU powers up correctly and the driver probes > successfully. > > [ 12.702370] powervr ffef400000.gpu: [drm] loaded firmware > powervr/rogue_36.52.104.182_v1.fw > [ 12.711043] powervr ffef400000.gpu: [drm] FW version v1.0 (build > 6645434 OS) > [ 12.719787] [drm] Initialized powervr 1.0.0 for ffef400000.gpu on > minor 0 > > Fixes: e4b3cbd840e5 ("firmware: thead: Add AON firmware protocol driver") > Reported-by: Dan Carpenter <dan.carpenter@linaro.org> > Closes: https://lore.kernel.org/all/17a0ccce-060b-4b9d-a3c4-8d5d5823b1c9@stanley.mountain/ > Signed-off-by: Michal Wilczynski <m.wilczynski@samsung.com> > --- This is nice. Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org> regards, dan carpenter ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v1] firmware: thead: Fix buffer overflow and use standard endian macros 2025-04-03 13:10 ` [PATCH v1] firmware: thead: Fix buffer overflow and use standard endian macros Michal Wilczynski 2026-03-26 8:42 ` Dan Carpenter @ 2026-03-26 19:14 ` Drew Fustini 2026-03-27 12:15 ` Michal Wilczynski 1 sibling, 1 reply; 4+ messages in thread From: Drew Fustini @ 2026-03-26 19:14 UTC (permalink / raw) To: Michal Wilczynski Cc: drew, guoren, wefu, ulf.hansson, linux-kernel, linux-riscv, Dan Carpenter On Thu, Apr 03, 2025 at 03:10:51PM +0200, Michal Wilczynski wrote: > Addresses two issues in the TH1520 AON firmware protocol driver: > > 1. Fix a potential buffer overflow where the code used unsafe pointer > arithmetic to access the 'mode' field through the 'resource' pointer > with an offset. This was flagged by Smatch static checker as: > "buffer overflow 'data' 2 <= 3" > > 2. Replace custom RPC_SET_BE* and RPC_GET_BE* macros with standard > kernel endianness conversion macros (cpu_to_be16, etc.) for better > portability and maintainability. > > The functionality was re-tested with the GPU power-up sequence, > confirming the GPU powers up correctly and the driver probes > successfully. > > [ 12.702370] powervr ffef400000.gpu: [drm] loaded firmware > powervr/rogue_36.52.104.182_v1.fw > [ 12.711043] powervr ffef400000.gpu: [drm] FW version v1.0 (build > 6645434 OS) > [ 12.719787] [drm] Initialized powervr 1.0.0 for ffef400000.gpu on > minor 0 > > Fixes: e4b3cbd840e5 ("firmware: thead: Add AON firmware protocol driver") > Reported-by: Dan Carpenter <dan.carpenter@linaro.org> > Closes: https://lore.kernel.org/all/17a0ccce-060b-4b9d-a3c4-8d5d5823b1c9@stanley.mountain/ > Signed-off-by: Michal Wilczynski <m.wilczynski@samsung.com> Acked-by: Drew Fustini <fustini@kernel.org> Is Ulf the person that would take this fix? Thanks, Drew ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH v1] firmware: thead: Fix buffer overflow and use standard endian macros 2026-03-26 19:14 ` Drew Fustini @ 2026-03-27 12:15 ` Michal Wilczynski 0 siblings, 0 replies; 4+ messages in thread From: Michal Wilczynski @ 2026-03-27 12:15 UTC (permalink / raw) To: Drew Fustini, Ulf Hansson Cc: drew, guoren, wefu, linux-kernel, linux-riscv, Dan Carpenter On 3/26/26 20:14, Drew Fustini wrote: > On Thu, Apr 03, 2025 at 03:10:51PM +0200, Michal Wilczynski wrote: >> Addresses two issues in the TH1520 AON firmware protocol driver: >> >> 1. Fix a potential buffer overflow where the code used unsafe pointer >> arithmetic to access the 'mode' field through the 'resource' pointer >> with an offset. This was flagged by Smatch static checker as: >> "buffer overflow 'data' 2 <= 3" >> >> 2. Replace custom RPC_SET_BE* and RPC_GET_BE* macros with standard >> kernel endianness conversion macros (cpu_to_be16, etc.) for better >> portability and maintainability. >> >> The functionality was re-tested with the GPU power-up sequence, >> confirming the GPU powers up correctly and the driver probes >> successfully. >> >> [ 12.702370] powervr ffef400000.gpu: [drm] loaded firmware >> powervr/rogue_36.52.104.182_v1.fw >> [ 12.711043] powervr ffef400000.gpu: [drm] FW version v1.0 (build >> 6645434 OS) >> [ 12.719787] [drm] Initialized powervr 1.0.0 for ffef400000.gpu on >> minor 0 >> >> Fixes: e4b3cbd840e5 ("firmware: thead: Add AON firmware protocol driver") >> Reported-by: Dan Carpenter <dan.carpenter@linaro.org> >> Closes: https://lore.kernel.org/all/17a0ccce-060b-4b9d-a3c4-8d5d5823b1c9@stanley.mountain/ >> Signed-off-by: Michal Wilczynski <m.wilczynski@samsung.com> > > Acked-by: Drew Fustini <fustini@kernel.org> > > Is Ulf the person that would take this fix? > > Thanks, > Drew > Hi, I think it would be great if Ulf could take the patch. Best regards, -- Michal Wilczynski <m.wilczynski@samsung.com> ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-03-27 12:15 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CGME20250403131056eucas1p16076c6e4dce1f1217dc327250c419e37@eucas1p1.samsung.com>
2025-04-03 13:10 ` [PATCH v1] firmware: thead: Fix buffer overflow and use standard endian macros Michal Wilczynski
2026-03-26 8:42 ` Dan Carpenter
2026-03-26 19:14 ` Drew Fustini
2026-03-27 12:15 ` Michal Wilczynski
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox