From nobody Sat Apr 4 01:34:06 2026 Received: from cstnet.cn (smtp25.cstnet.cn [159.226.251.25]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A30B037DEAE for ; Sun, 22 Mar 2026 03:19:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.25 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774149579; cv=none; b=Ik+Mrv69GGDfdrE8YdK7bJJ485Z48ShKXqUetY3PmI8oWg1BTdOy+rjmBtg+sKHobsGiTJeQuxjKsH2zudsd2BdaAdw5bbgJfQnHfvZYBZC2Kz4Mi/asz+5COiZA11u37aCAEwLFvezewBIn+S32G+vd0BjHo2yNcB3TndONdhI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774149579; c=relaxed/simple; bh=PLR+7TqyAsRvx4Kf6Vyz1jhNycTfR4QskkXU95NposE=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=ZCa4LV+2Pu9jHdUx0Qb03i6oTB18lXQSlEnT4/nTtl04ATxPZ9wfu4XCCZi+baWjRJeb5Le4/jtB6ESZp8gIASE6aYMMC2jxI8MyI+Gh1eZUQo+n/T7UajzeKs4CeLIaDU+SdxchxYR7C98YLQ4pWsZw12saqGP1zD0mh1vfW50= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.25 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from localhost.localdomain (unknown [111.196.245.197]) by APP-05 (Coremail) with SMTP id zQCowADnfBC7X79p0U8eCw--.33787S2; Sun, 22 Mar 2026 11:19:23 +0800 (CST) From: Pengpeng Hou To: greybus-dev@lists.linaro.org Cc: pengpeng@iscas.ac.cn, Ayush Singh , Johan Hovold , Alex Elder , Greg Kroah-Hartman , linux-kernel@vger.kernel.org Subject: [PATCH] greybus: beagleplay: bound bootloader RX buffer copy Date: Sun, 22 Mar 2026 11:19:23 +0800 Message-ID: <20260322031923.58013-1-pengpeng@iscas.ac.cn> X-Mailer: git-send-email 2.50.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: zQCowADnfBC7X79p0U8eCw--.33787S2 X-Coremail-Antispam: 1UD129KBjvJXoW7Ww4rZr4fXr17JrWruF43GFg_yoW8Jw1UpF ZxKFy8tr1vyanxJanxZ3W3WFyFyas5ZFW5uFW8Zw13ZFs8Xrn2v34DGFW5tayfXr4xJ343 tFW5KFy8CF4kXr7anT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUkC14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26r4j6ryUM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4j 6F4UM28EF7xvwVC2z280aVAFwI0_Cr1j6rxdM28EF7xvwVC2z280aVCY1x0267AKxVWxJr 0_GcWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E 2Ix0cI8IcVAFwI0_Jrv_JF1lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV W8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc7CjxVAaw2AFwI0_ JF0_Jw1l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67 AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r126r1DMIIY rxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14 v26r4j6F4UMIIF0xvE42xK8VAvwI8IcIk0rVWUJVWUCwCI42IY6I8E87Iv67AKxVWUJVW8 JwCI42IY6I8E87Iv6xkF7I0E14v26r4j6r4UJbIYCTnIWIevJa73UjIFyTuYvjfUOgAwDU UUU X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Content-Type: text/plain; charset="utf-8" When `flashing_mode` is set, `gb_tty_receive()` routes incoming bytes to `cc1352_bootloader_rx()`. That helper appends the new bytes to the shared `rx_buffer` with `memcpy()` but does not check that the chunk fits in the remaining space first. The normal HDLC receive path already enforces `MAX_RX_HDLC`, so do the same here before appending bootloader data. If a packet would overflow the receive buffer, drop it and reset the bootloader receive state instead of copying past the end of `rx_buffer`. Signed-off-by: Pengpeng Hou --- drivers/greybus/gb-beagleplay.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/greybus/gb-beagleplay.c b/drivers/greybus/gb-beaglepla= y.c index 87186f891a6a..bca3132adacd 100644 --- a/drivers/greybus/gb-beagleplay.c +++ b/drivers/greybus/gb-beagleplay.c @@ -535,6 +535,12 @@ static size_t cc1352_bootloader_rx(struct gb_beaglepla= y *bg, const u8 *data, int ret; size_t off =3D 0; =20 + if (count > sizeof(bg->rx_buffer) - bg->rx_buffer_len) { + dev_err_ratelimited(&bg->sd->dev, "Bootloader RX buffer overflow"); + bg->rx_buffer_len =3D 0; + return count; + } + memcpy(bg->rx_buffer + bg->rx_buffer_len, data, count); bg->rx_buffer_len +=3D count; =20 --=20 2.50.1 (Apple Git-155)