From nobody Sun Jun 14 12:56:39 2026
Received: from cstnet.cn (smtp81.cstnet.cn [159.226.251.81])
	(using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9CE27296BB6
	for <linux-kernel@vger.kernel.org>; Fri,  3 Apr 2026 05:33:57 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=159.226.251.81
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1775194439; cv=none;
 b=OW+KvwXPDfxbJm7cw3KZeJcuBk3KOV6XEYc91QHHvGcjx6aK/F8TcgTYv9jgPalds3QudVxc7Axs9Zxl9A0f/NG+/vctIjOQCFO4Z1OyDqtmETR1DRFeg3dcOd7rI1zql4R+Yvburgeamy53WXSopKXoDn/z+IC1I5kh2CeObvw=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1775194439; c=relaxed/simple;
	bh=U5O0M0x4/l+0FJtY2ITzXwwx/i9C1JgybbicxBS/10o=;
	h=From:Date:Message-ID:To:Cc:Subject;
 b=kOZgKY4jmppv3xQqV81ti2aYOOlD3/O8XxtFtOihhh5ntqifMcBRahrwkCCOts7iJXXjAIjaTg2k+u/fxdHYStIdfKmUWzC5iiBC5KUhSaLTHm14itej63Wn/pQ69HvETT1hDjKWE4vE6L0CL34h7W27ZwERlff1yWiwkyQYCco=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=iscas.ac.cn;
 spf=pass smtp.mailfrom=iscas.ac.cn; arc=none smtp.client-ip=159.226.251.81
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=none (p=none dis=none) header.from=iscas.ac.cn
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=iscas.ac.cn
Received: from 0005-arm-at91.resend.eml (unknown [111.196.245.197])
	by APP-03 (Coremail) with SMTP id rQCowAB3ldw+Uc9pm0K7DA--.32785S2;
	Fri, 03 Apr 2026 13:33:50 +0800 (CST)
From: Pengpeng Hou <pengpeng@iscas.ac.cn>
Date: Fri, 3 Apr 2026 10:42:55 +0800
Message-ID: <20260403151505.5-dt-arm-at91-resend-pengpeng@iscas.ac.cn>
To: Nicolas Ferre <nicolas.ferre@microchip.com>,
 Alexandre Belloni <alexandre.belloni@bootlin.com>,
 Claudiu Beznea <claudiu.beznea@tuxon.dev>
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org,
 pengpeng@iscas.ac.cn
Subject: [PATCH] ARM: at91: validate memory node device_type strings
X-CM-TRANSID: rQCowAB3ldw+Uc9pm0K7DA--.32785S2
X-Coremail-Antispam: 1UD129KBjvJXoW7Gr47Xr4UWF4UGw15XFy8uFg_yoW8JF45pF
	ZxCF1DtFW5ur17Ca9Fvr9ayw409a1DAr4Utry2vryjvw4aqryqv39akw1vy3W8CrWUuayr
	uFW5WrykZwsIkaDanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
	9KBjDU0xBIdaVrnRJUUUkv14x267AKxVWUJVW8JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
	rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
	1l84ACjcxK6xIIjxv20xvE14v26ryj6F1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26F4j
	6r4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x0267AKxVW0oV
	Cq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv7VC0
	I7IYx2IY67AKxVWUXVWUAwAv7VC2z280aVAFwI0_Gr0_Cr1lOx8S6xCaFVCjc4AY6r1j6r
	4UM4x0Y48IcVAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwCY1x0262kKe7AKxVWUAVWU
	twCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E14v26r
	1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_JF0_Jw1lIxkGc2Ij
	64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxVAFwI0_Gr
	0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r4j6F4UMIIF
	0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUIfO7UUUUU=
X-CM-SenderInfo: pshqw1xhqjqxpvfd2hldfou0/
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

at91_pm_backup_scan_memcs() fetches the raw device_type property and
immediately compares it with strcmp(). Flat DT properties are external
boot input, and this path does not prove that the property is
NUL-terminated within its declared bounds.

Use fdt_stringlist_get() so malformed unterminated device_type
properties are rejected before they are used as C strings.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 arch/arm/mach-at91/pm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c
index 68bb4a86cd94..0767fc9f30ab 100644
--- a/arch/arm/mach-at91/pm.c
+++ b/arch/arm/mach-at91/pm.c
@@ -8,6 +8,7 @@
=20
 #include <linux/genalloc.h>
 #include <linux/io.h>
+#include <linux/libfdt.h>
 #include <linux/of_address.h>
 #include <linux/of.h>
 #include <linux/of_fdt.h>
@@ -1044,7 +1045,8 @@ static int __init at91_pm_backup_scan_memcs(unsigned =
long node,
 	if (*located)
 		return 0;
=20
-	type =3D of_get_flat_dt_prop(node, "device_type", NULL);
+	type =3D fdt_stringlist_get(initial_boot_params, node, "device_type",
+				  0, NULL);
=20
 	/* We are scanning "memory" nodes only. */
 	if (!type || strcmp(type, "memory"))
--=20
2.50.1 (Apple Git-155)