The batched into_buf test path allocates TEST_FIRMWARE_BUF_SIZE bytes
unconditionally, but then passes test_fw_config->buf_size to
request_firmware_into_buf() or request_partial_firmware_into_buf().

Userspace can set config_buf_size above TEST_FIRMWARE_BUF_SIZE before
triggering a batched request. If the firmware file is large enough, the
firmware loader writes past the end of the 1 KiB test buffer.

Allocate the buffer with the same size that the test passes to the firmware
API so config_buf_size remains the actual buffer size under test.
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
lib/test_firmware.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/test_firmware.c b/lib/test_firmware.c
index b471d720879a..7459bba65444 100644
--- a/lib/test_firmware.c
+++ b/lib/test_firmware.c
@@ -867,7 +867,7 @@ static int test_fw_run_batch_request(void *data)
if (test_fw_config->into_buf) {
void *test_buf;
- test_buf = kzalloc(TEST_FIRMWARE_BUF_SIZE, GFP_KERNEL);
+ test_buf = kzalloc(test_fw_config->buf_size, GFP_KERNEL);
if (!test_buf)
return -ENOMEM;
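Review bot: after this change the kzalloc size is whatever userspace last stored in config_buf_size, so the hunk should be paired with a confirmation that the sysfs store (or the request path) bounds that value. The visible `if (!test_buf) return -ENOMEM;` only covers an outright allocation failure: kzalloc(0) returns ZERO_SIZE_PTR, which is non-NULL and so passes this check with a zero-length buffer, and an oversized value reaches the allocator unbounded, where a large request can produce an allocator warning rather than a quiet -ENOMEM. An explicit upper bound at the store site, or at least a `GFP_KERNEL | __GFP_NOWARN` here, would keep a malformed configuration from escalating beyond a clean error while still letting the test exercise sizes above TEST_FIRMWARE_BUF_SIZE as intended.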
--
2.43.0
On Fri, 5 Jun 2026 00:30:37 +0000 Samuel Moelius <sam.moelius@trailofbits.com> wrote:

> The batched into_buf test path allocates TEST_FIRMWARE_BUF_SIZE bytes
> unconditionally, but then passes test_fw_config->buf_size to
> request_firmware_into_buf() or request_partial_firmware_into_buf().
>
> Userspace can set config_buf_size above TEST_FIRMWARE_BUF_SIZE before
> triggering a batched request. If the firmware file is large enough, the
> firmware loader writes past the end of the 1 KiB test buffer.
>
> Allocate the buffer with the same size that the test passes to the firmware
> API so config_buf_size remains the actual buffer size under test.

Cool, thanks.

> Assisted-by: Codex:gpt-5.5-cyber-preview

Sashiko evidently looked further: https://sashiko.dev/#/patchset/20260605003038.2005840-1-sam.moelius@trailofbits.com

And appears to have found other bugs in test_firmware.c. Let me cc a few people who have previously worked on this.