From: Karthikeyan KS
To: andrew@codeconstruct.com.au
Cc: joel@jms.id.au, andrew@aj.id.au, linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, Karthikeyan KS, stable@vger.kernel.org
Subject: [PATCH v3] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read
Date: Wed, 27 May 2026 17:59:38 +0000
Message-ID: <20260527175939.2939714-1-karthiproffesional@gmail.com>
In-Reply-To: <53952f011f2c57ad28d6f864317054a2a34922e5.camel@codeconstruct.com.au>
References: <53952f011f2c57ad28d6f864317054a2a34922e5.camel@codeconstruct.com.au>

put_fifo_with_discard() acts as both producer and consumer on the kfifo:
it calls kfifo_skip() (advances out) and kfifo_put() (advances in) from
the IRQ handler without synchronizing with snoop_file_read(), which also
consumes via kfifo_to_user(). On SMP systems this concurrent access can
leave (in - out) larger than the ring buffer, so __kfifo_to_user()'s
clamp to (in - out) is ineffective and kfifo_copy_to_user() can attempt
a copy_to_user() past the kmalloc-2k backing store:

  usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-2k' (offset 0, size 2049)!
  kernel BUG at mm/usercopy.c:99!
  Call trace:
   usercopy_abort
   __check_heap_object
   __check_object_size
   kfifo_copy_to_user
   __kfifo_to_user
   snoop_file_read
   vfs_read

Reproduced on ast2600-evb (dual-core ARM Cortex-A7) when the host floods
POST codes while userspace reads /dev/aspeed-lpc-snoop0.

Serialize kfifo access with a per-channel spinlock: use spin_lock()/
spin_unlock() in put_fifo_with_discard() (hardirq only) and
spin_lock_irq()/spin_unlock_irq() around kfifo_to_user() in
snoop_file_read().
Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
Cc: stable@vger.kernel.org
Signed-off-by: Karthikeyan KS
---
Andrew,

Thanks for the review.

> The AST2500 has a (single-core) ARM1176JZS

Corrected in v3.

> Don't double-account for the bug

Agreed — the spinlock eliminates the unsynchronized window that produces
the inconsistent pointer state. Clamp removed.

> _irqsave isn't wrong

Changed to spin_lock_irq — fops callbacks always enter with interrupts
enabled.

> Can you provide more details? The 2500 is single-core

The issue was observed on physical AST2600 (dual-core Cortex-A7) in
production under heavy POST code traffic during concurrent userspace
reads. Since the x86 host does not model ARM weak memory ordering, the
race cannot be reproduced naturally in QEMU. The test module adjusts
kfifo pointers to reproduce the post-race state for deterministic
validation.

> AST2600 has a dual-core Cortex-A7, so your bug makes more sense there

Yes, the issue is intermittently observed on production AST2600.

Changes since v2:
- Dropped count clamp
- spin_lock_irqsave -> spin_lock_irq in snoop_file_read
- Fixed platform: AST2600 (dual-core Cortex-A7)
- Trimmed backtrace
- Added Fixes tag

 drivers/soc/aspeed/aspeed-lpc-snoop.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/asp= eed-lpc-snoop.c index eceeaf8df..ef6697a42 100644 --- a/drivers/soc/aspeed/aspeed-lpc-snoop.c +++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c @@ -60,6 +60,7 @@ struct aspeed_lpc_snoop_model_data { =20 struct aspeed_lpc_snoop_channel { struct kfifo fifo; + spinlock_t lock; wait_queue_head_t wq; struct miscdevice miscdev; };
@@ -93,7 +94,11 @@ static ssize_t snoop_file_read(struct file *file, char _= _user *buffer, if (ret =3D=3D -ERESTARTSYS) return -EINTR; } + + spin_lock_irq(&chan->lock); ret =3D kfifo_to_user(&chan->fifo, buffer, count, &copied); + spin_unlock_irq(&chan->lock); + if (ret) return ret; =20 @@ -121,9 +126,11 @@ static void put_fifo_with_discard(struct aspeed_lpc_sn= oop_channel *chan, u8 val) { if (!kfifo_initialized(&chan->fifo)) return; + spin_lock(&chan->lock); if (kfifo_is_full(&chan->fifo)) kfifo_skip(&chan->fifo); kfifo_put(&chan->fifo, val); + spin_unlock(&chan->lock); wake_up_interruptible(&chan->wq); } =20 @@ -192,6 +199,7 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_sn= oop *lpc_snoop, of_device_get_match_data(dev); =20 init_waitqueue_head(&lpc_snoop->chan[channel].wq); + spin_lock_init(&lpc_snoop->chan[channel].lock); /* Create FIFO datastructure */ rc =3D kfifo_alloc(&lpc_snoop->chan[channel].fifo, SNOOP_FIFO_SIZE, GFP_KERNEL); --=20 2.43.0
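Review bot: the new `spinlock_t lock;` field in struct aspeed_lpc_snoop_channel (first hunk) carries no comment saying what it protects; kernel style is to document that at the declaration, e.g. `spinlock_t lock; /* protects fifo */`, which also makes the hardirq/process-context split described in the commit message discoverable from the struct rather than only from the two call sites.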
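Review bot: in the snoop_file_read() hunk, `spin_lock_irq(&chan->lock); ret = kfifo_to_user(&chan->fifo, buffer, count, &copied); spin_unlock_irq(&chan->lock);` performs the user copy with a spinlock held and interrupts disabled, because kfifo_to_user() does the copy_to_user() itself (the commit message's backtrace shows kfifo_copy_to_user under __kfifo_to_user). A page fault on the user buffer can sleep in that window, which is not allowed in atomic context and will be reported under CONFIG_DEBUG_ATOMIC_SLEEP. Suggest draining the bytes into a local bounce buffer while holding the lock (so only the kfifo index updates are serialized against put_fifo_with_discard()) and calling copy_to_user() after spin_unlock_irq().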
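Review bot: the plain spin_lock()/spin_unlock() pair added to put_fifo_with_discard() is only correct while every caller runs with interrupts already disabled (the cover note says hardirq only), and nothing in the function records that assumption; a future caller from process or threaded-IRQ context taking spin_lock() here would deadlock against the hardirq handler on the same CPU. Suggest a comment at the lock site stating the hardirq-only requirement, or a lockdep_assert_in_irq() ahead of spin_lock(). Leaving wake_up_interruptible() outside the locked region is the right choice.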