From nobody Sun Jun 14 09:58:36 2026 Received: from cstnet.cn (smtp21.cstnet.cn [159.226.251.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 38CDE31F9BD; Thu, 2 Apr 2026 05:40:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=159.226.251.21 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775108426; cv=none; b=N0mOK1vYZejAan36PGaQsHzJbuEFS34Js7bZVRGszsut0Jdp7hCIvTY4aIg6LUkr4S3YAh7cdOzd/WygTSnz0+n80wZpOAEP+gAfIpQ9seCXmgeyWW2pwuaVqhYbhGpDEeSGOly7A+TcOb7LFNsaNKj3+4Mj5f8NFhQmlGY3rvA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775108426; c=relaxed/simple; bh=1Iwvy48/RbM9QRATKSbaUJ5lMy2jZeyas1apvJIHrmw=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=o4VbYSvoUpEszzCXIug97Hu5Z7pW1Ryf20t8/xSRqWWKPIlZ++m8ASaQFvmXCLAd2uOIiA3JI7XPfJWliCVRNU57/b89fvGEXKeamnbJUEIDw8pQTErrH+p+kW81mv/XaF/BDNGx8ENXcMy4MByjNVNKXMdwJ4ysH20c/2oP6tw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn; spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.21 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=iscas.ac.cn Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=iscas.ac.cn Received: from localhost.localdomain (unknown [111.196.245.197]) by APP-01 (Coremail) with SMTP id qwCowADHbGhAAc5pT_bxCw--.8160S2; Thu, 02 Apr 2026 13:40:17 +0800 (CST) From: Pengpeng Hou To: Ayush Singh , Johan Hovold Cc: Alex Elder , Greg Kroah-Hartman , greybus-dev@lists.linaro.org, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn, stable@vger.kernel.org Subject: [PATCH] greybus: gb-beagleplay: bound bootloader receive buffering Date: Thu, 2 Apr 2026 13:40:16 +0800 Message-ID: <20260402054016.38587-1-pengpeng@iscas.ac.cn> X-Mailer: git-send-email 2.50.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: qwCowADHbGhAAc5pT_bxCw--.8160S2 X-Coremail-Antispam: 1UD129KBjvJXoW7KryDtw17Kry3tF4kAFW8WFg_yoW8GrWfpF 9xKFy8trn5J3WfJan3X3W3uFyFyaykZFWakFW8Awn7ZFs8XFn2934DGFWYqa95Jr1xJry2 qF4jgF92kF4DJF7anT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUkG14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26ryj6F1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4j 6F4UM28EF7xvwVC2z280aVAFwI0_Cr1j6rxdM28EF7xvwVC2z280aVCY1x0267AKxVW0oV Cq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv7VC0 I7IYx2IY67AKxVWUGVWUXwAv7VC2z280aVAFwI0_Gr0_Cr1lOx8S6xCaFVCjc4AY6r1j6r 4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwCY1x0262kKe7AKxVWU AVWUtwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E14 v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_GFylIxkG c2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxVAFwI 0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r4j6F4U MIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUvXd8UUU UU= X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/ Content-Type: text/plain; charset="utf-8" cc1352_bootloader_rx() appends each serdev chunk into the fixed rx_buffer before parsing bootloader packets. The helper can keep leftover bytes between callbacks and may receive multiple packets in one callback, so a single count value is not constrained by one packet length. Check that the incoming chunk fits in the remaining receive buffer space before memcpy(). If it does not, drop the staged data and consume the bytes instead of overflowing rx_buffer. Fixes: 0cf7befa3ea2 ("greybus: gb-beagleplay: Add firmware upload API") Cc: stable@vger.kernel.org Signed-off-by: Pengpeng Hou --- drivers/greybus/gb-beagleplay.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/greybus/gb-beagleplay.c b/drivers/greybus/gb-beaglepla= y.c index 87186f891a6a..e70787146c4f 100644 --- a/drivers/greybus/gb-beagleplay.c +++ b/drivers/greybus/gb-beagleplay.c @@ -535,6 +535,13 @@ static size_t cc1352_bootloader_rx(struct gb_beaglepla= y *bg, const u8 *data, int ret; size_t off =3D 0; =20 + if (count > sizeof(bg->rx_buffer) - bg->rx_buffer_len) { + dev_warn(&bg->sd->dev, + "dropping oversized bootloader receive chunk"); + bg->rx_buffer_len =3D 0; + return count; + } + memcpy(bg->rx_buffer + bg->rx_buffer_len, data, count); bg->rx_buffer_len +=3D count; =20 --=20 2.50.1 (Apple Git-155)