From: Mukesh Ojha
To: Bjorn Andersson, Mathieu Poirier
Cc: linux-arm-msm@vger.kernel.org, linux-remoteproc@vger.kernel.org, linux-kernel@vger.kernel.org, Mukesh Ojha
Subject: [PATCH v2] remoteproc: qcom: Fix minidump out-of-bounds access on subsystems array
Date: Tue, 31 Mar 2026 22:42:43 +0530
Message-ID: <20260331171243.1962067-1-mukesh.ojha@oss.qualcomm.com>
MAX_NUM_OF_SS was hardcoded to 10 in the minidump_global_toc struct, which is a direct overlay on an SMEM item allocated by the firmware. Newer Qualcomm SoC firmware allocates space for more subsystems, while older firmware only allocates space for 10. Bumping the constant would cause Linux to read/write beyond the SMEM item boundary on older platforms.

Fix this by converting subsystems[] to a flexible array member and deriving the actual number of subsystems at runtime from the size returned by qcom_smem_get(). Add a bounds check on minidump_id against the derived count before indexing into the array.

Signed-off-by: Mukesh Ojha
---
Changes in v2: https://lore.kernel.org/lkml/20250808164417.4105659-1-mukesh.ojha@oss.qualcomm.com/
- Converted subsystems as flexible array and derived the no of subsystem entries from the size returned from qcom_smem_get() to check the validity of minidump index.

drivers/remoteproc/qcom_common.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/drivers/remoteproc/qcom_common.c b/drivers/remoteproc/qcom_com= mon.c index 6c31140268ac..fd2b6824ad26 100644 --- a/drivers/remoteproc/qcom_common.c +++ b/drivers/remoteproc/qcom_common.c @@ -28,7 +28,6 @@ #define to_ssr_subdev(d) container_of(d, struct qcom_rproc_ssr, subdev) #define to_pdm_subdev(d) container_of(d, struct qcom_rproc_pdm, subdev) =20 -#define MAX_NUM_OF_SS 10 #define MAX_REGION_NAME_LENGTH 16 #define SBL_MINIDUMP_SMEM_ID 602 #define MINIDUMP_REGION_VALID ('V' << 24 | 'A' << 16 | 'L' << 8 | 'I' << = 0) @@ -80,7 +79,7 @@ struct minidump_global_toc { __le32 status; __le32 md_revision; __le32 enabled; - struct minidump_subsystem subsystems[MAX_NUM_OF_SS]; + struct minidump_subsystem subsystems[]; }; =20 struct qcom_ssr_subsystem { 
@@ -151,9 +150,11 @@ void qcom_minidump(struct rproc *rproc, unsigned int m= inidump_id, int ret; struct minidump_subsystem *subsystem; struct minidump_global_toc *toc; + unsigned int num_ss; + size_t toc_size; =20 /* Get Global minidump ToC*/ - toc =3D qcom_smem_get(QCOM_SMEM_HOST_ANY, SBL_MINIDUMP_SMEM_ID, NULL); + toc =3D qcom_smem_get(QCOM_SMEM_HOST_ANY, SBL_MINIDUMP_SMEM_ID, &toc_size= ); =20 /* check if global table pointer exists and init is set */ if (IS_ERR(toc) || !toc->status) { @@ -161,6 +162,16 @@ void qcom_minidump(struct rproc *rproc, unsigned int m= inidump_id, return; } =20 + /* Derive the number of subsystems from the actual SMEM item size */ + num_ss =3D (toc_size - offsetof(struct minidump_global_toc, subsystems)) / + sizeof(struct minidump_subsystem); + + if (minidump_id >=3D num_ss) { + dev_err(&rproc->dev, "Minidump id %d is out of range: %d\n", + minidump_id, num_ss); + return; + } + /* Get subsystem table of contents using the minidump id */ subsystem =3D &toc->subsystems[minidump_id]; =20 --=20 2.53.0
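Review bot: In the struct minidump_global_toc hunk, turning subsystems[] into a flexible array member makes sizeof(struct minidump_global_toc) equal to offsetof(struct minidump_global_toc, subsystems), i.e. the header only; the commit message should state that no other code in qcom_common.c copies or sizes the ToC with sizeof, since any remaining use would now silently cover just the three header words instead of the old header plus ten entries.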
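Review bot: In the bounds-check hunk, the derivation `num_ss =3D (toc_size - offsetof(struct minidump_global_toc, subsystems)) / sizeof(struct minidump_subsystem);` is unguarded against an SMEM item smaller than the header: if toc_size is below offsetof(..., subsystems), the subtraction wraps in size_t, num_ss becomes huge, and `if (minidump_id >=3D num_ss)` passes for every id, reinstating the out-of-bounds access the patch sets out to stop. Suggest rejecting the item before the division, e.g. `if (toc_size < offsetof(struct minidump_global_toc, subsystems)) { dev_err(...); return; }`, placed ahead of the existing `!toc->status` read so a too-small item is never dereferenced either. Minor: minidump_id and num_ss are both unsigned int, so the dev_err format should use `%u` rather than `%d` for both.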
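The size-derived bounds check the commit message describes, as an added C example that is not the kernel's code and not part of this patch. The struct fields are a simplified, hypothetical stand-in for the driver's minidump structs and the buffer is a constructed sample; it also guards the case the bare derivation does not, an item shorter than the header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the kernel structs (hypothetical field set): a
 * fixed header followed by a flexible array of per-subsystem entries,
 * overlaid on a firmware-allocated item whose byte size is known. */
struct md_subsystem {
	uint32_t status;
	uint32_t region_count;
};
struct md_global_toc {
	uint32_t status;
	uint32_t md_revision;
	uint32_t enabled;
	struct md_subsystem subsystems[];
};

/* Whole entries that fit after the header; an item smaller than the
 * header yields 0 instead of wrapping through size_t underflow. */
static size_t md_num_subsystems(size_t item_size)
{
	size_t hdr = offsetof(struct md_global_toc, subsystems);
	return item_size < hdr ? 0 : (item_size - hdr) / sizeof(struct md_subsystem);
}

/* Bounds-checked lookup: NULL if id is out of range or the table is unset.
 * The range check runs first so a too-small item is never dereferenced. */
static const struct md_subsystem *md_lookup(const void *item, size_t item_size, unsigned int id)
{
	const struct md_global_toc *toc = item;
	if (!toc || id >= md_num_subsystems(item_size) || !toc->status)
		return NULL;
	return &toc->subsystems[id];
}

/* Constructed sample: 3-word header, 3 two-word entries, plus one stray
 * trailing word so the division ignores a partial entry (40 bytes). */
static uint32_t sample_item[3 + 3 * 2 + 1];

/* region_count of entry `id` in the sample, or -1 when the lookup is refused. */
static int sample_region_count(unsigned int id)
{
	struct md_global_toc *toc = (struct md_global_toc *)sample_item;
	const struct md_subsystem *ss;
	memset(sample_item, 0, sizeof(sample_item));
	toc->status = 1;
	for (unsigned int i = 0; i < 3; i++)
		toc->subsystems[i].region_count = i + 1;
	ss = md_lookup(sample_item, sizeof(sample_item), id);
	return ss ? (int)ss->region_count : -1;
}
```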