From nobody Sun Jun 14 03:05:59 2026 Received: from mail-pj1-f43.google.com (mail-pj1-f43.google.com [209.85.216.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A263D370D69 for ; Fri, 12 Jun 2026 19:07:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781291279; cv=none; b=DpKsFvoPTjUwhfm6vVpzXry46Va26v64ji003ZspcE3/q2I66oCgBxz0ws94UdfsenqgtbOx30SCQ77owwC2lORXIL4DkwG5VnU8q4VTlPwjDryc5NUaIE0OTIhPoS19m+DLGqaWhsbDSSCdE0nLObX5BSKCvozST6GrStGNYUw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1781291279; c=relaxed/simple; bh=PZspnF4rv+mQ+37X7tsOKHxRSFAFBUvdCHtCbApEfQs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=oJSlJ6niU7g2VUB/sVXWpsp4ZyRgttLJ1hY+jmuATtuUswCUfJ4cNEmiVGeFBG8984nDKMtufUTueV7q/yU3+NGg47oaTIepY75RVtM8ljHInfa6q4HjrE2XDvCbwTNifxiuzJJXvBRXQdkq5UuMafVGkTDxICttlSL07ICkrp4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=apCJP6X3; arc=none smtp.client-ip=209.85.216.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="apCJP6X3" Received: by mail-pj1-f43.google.com with SMTP id 98e67ed59e1d1-36bdda53d99so574957a91.0 for ; Fri, 12 Jun 2026 12:07:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1781291278; x=1781896078; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=UwTEg4XBjlq2gqrpSaNYbmX8jrkzkowNm264wvHp61I=; b=apCJP6X3IVEwpHQEWQC44x7bZzeR3GHFTOxj6fqypBd0THk01lo3/SkDhy/2K52Bjx Rt+49R4i1mCh1xKFrvAJOmJa78GC1dW6PKhchJR20mv+Pcl8uVPJmGqe+jpiz1wwh3n+ zvIQjHokhjUZK44l/pAFHFBkytZo/3vmqyl+Tv/hlsJ2SZHxjtTIFlC+fpG7e4w3lmfk 6QN9fln720dgIQQ6ic+BCWs5QncgpQgusLHybd+BWKKJRlpiGbKvPETHN04VfX3V330p TASUn79hz5vA5cR3ldWNN7meAlDgp1oBC2/0oF0xn/50ctDJHH4n+WAtlHkJzD3Sei3A cfHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781291278; x=1781896078; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=UwTEg4XBjlq2gqrpSaNYbmX8jrkzkowNm264wvHp61I=; b=ChLDgFLVoAMLlXFJuqEwHo6fmVoi/vlMl+OvD4RXpaT4tx10JdKDmyXHK6w+tUN5B+ SyqqQsAWnN+QNKDsOZcd1GEXMaUicRJ91wGm9i/0jTq9ne4UPtX1bXrG3WwPUUzXh/pS PNMg1j475CekzhWeJFvfukB9805xn7CzXSs2Jo5cSZxZrIYmrfvgmfuDqJ3U5lb3w8yU kF5uCnkwSkxfZ5cOL4AsWTa750rYJKULbN3K97aMgofoCMmk6i+7ACLweF/wqmgmW/5h 4Ts0q2WNIiBvfD8l+1L/oP7Pf2fYeeTmzpwTXsFTOqwGfxSjKgQj/CH5nMaiYp1Cgq/X KNIg== X-Forwarded-Encrypted: i=1; AFNElJ/Ig/IJYPAnfLKIJAScaskme+A7XROz2X+zNgE8DlfkbkOlvOk7DLbvUMWSqp6HJblltdk/spIaoonWiFs=@vger.kernel.org X-Gm-Message-State: AOJu0YwSjKB8rNiWf86WOigG1k5nEjBX8wtUzhy6Y0suTwE+kHjIwu0J kwldtqmfCwHQD+qzTvaQw9ewHypw34kQtFqaXQTmQHxkoVKXDJC3KFcN X-Gm-Gg: Acq92OG2zTY1buayTuaUWZt7p+AuLbY4XcKCF7op7IzIaFGyPPZmhB5jcYwQjUEpQGn 1DVHTcQFc5NwAhPg1uvIs/hUgYZFesdTHg4yrgtgrv6/TVKWdsG/R42pEhLjf7zTZveiHBlavyx uEFhW0Jlanlb3+lndXICyl/3D3Humu0QxviSUTfLA4YDrLD0rqv8QHdHM5BVBNniGyQCU/NNsMK KqghCuSM51W70CNyus9kqZAeNjJavZVY6Qbingd8xRR6nUsUJLqLCfRXAYcwxlBHiTwGYkZulKZ l9UvVUILAjlueDCiCi1Tkg/Duu7LlcjIETQ1DBpa6VB2dsll3KLj0rA+Q5u+yXKdGTz0myUuvUz x+3WlPLw/qTnhWTtHIssXl9nTkuR+sc179Nmn8Lm3p1GcVNCW+ZS07OWBzzEofzDcKneMdPHEi3 cWt08zjSYlcDt/lzLWVwKGaoCrIs3cU9Kdq6E2QpoG6GnGD29VNsU97g== X-Received: by 2002:a17:90b:28cd:b0:36a:95c:7613 with SMTP id 98e67ed59e1d1-37a0202ece8mr4596847a91.10.1781291277427; Fri, 12 Jun 2026 12:07:57 -0700 (PDT) Received: from LAPTOP-97G9G880.localdomain ([106.206.15.12]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-37a1eba8e9asm2748485a91.2.2026.06.12.12.07.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 Jun 2026 12:07:56 -0700 (PDT) From: Karthikeyan KS To: andrew@codeconstruct.com.au Cc: joel@jms.id.au, andrew@aj.id.au, Kees Cook , linux-arm-kernel@lists.infradead.org, linux-aspeed@lists.ozlabs.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, Karthikeyan KS Subject: [PATCH v6] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read Date: Fri, 12 Jun 2026 19:07:43 +0000 Message-ID: <20260612190744.172638-1-karthiproffesional@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <033f2657ae6a94ad13d22f717a2900afb75d892d.camel@codeconstruct.com.au> References: <033f2657ae6a94ad13d22f717a2900afb75d892d.camel@codeconstruct.com.au> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable put_fifo_with_discard() acts as both producer and consumer on the kfifo: it calls kfifo_skip() (advances out) and kfifo_put() (advances in) from the IRQ handler without synchronizing with snoop_file_read(), which also consumes via kfifo_to_user(). On SMP systems this concurrent access can leave (in - out) larger than the ring buffer, so __kfifo_to_user()'s clamp to (in - out) is ineffective and kfifo_copy_to_user() can attempt a copy_to_user() past the kmalloc-2k backing store: usercopy: Kernel memory exposure attempt detected from SLUB object 'kmalloc-2k' (offset 0, size 2049)! kernel BUG at mm/usercopy.c! Call trace: usercopy_abort __check_heap_object __check_object_size kfifo_copy_to_user __kfifo_to_user snoop_file_read vfs_read Serialize kfifo access with a per-channel spinlock shared between the IRQ handler (producer) and the file reader (consumer). Annotate @fifo with __guarded_by(&lock) and opt the driver into context analysis so the compiler enforces that all fifo access holds the lock. Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc char= dev") Signed-off-by: Karthikeyan KS --- drivers/soc/aspeed/Makefile | 1 + drivers/soc/aspeed/aspeed-lpc-snoop.c | 38 ++++++++++++++++++--------- 2 files changed, 27 insertions(+), 12 deletions(-) Andrew, Thanks for the review. Changes since v5: - Annotate @fifo with __guarded_by(&lock) instead of a comment - Move kfifo_initialized() check inside scoped_guard(spinlock, &chan->lock) in put_fifo_with_discard() - Replace spin_lock_init() with scoped_guard(spinlock_init, &channel->lock) around kfifo_alloc() in aspeed_lpc_enable_snoop() - Enable CONTEXT_ANALYSIS for this driver in drivers/soc/aspeed/Makefile Dropped Cc: stable =E2=80=94 the fix uses cleanup.h/context-analysis idioms= absent from LTS; I'll send adapted backports to stable@ once this is in mainline. Tested on ast2600-evb (QEMU): clang-22 with CONFIG_WARN_CONTEXT_ANALYSIS=3Dy shows no context-analysis warnings; PROVE_LOCKING, DEBUG_ATOMIC_SLEEP and HARDENED_USERCOPY show no splats. Overflow reproduced via a fault-injection module forcing the post-race (in - out) state (QEMU doesn't model the ARM ordering that triggers it in the field): unpatched panics, patched returns cleanly. Thanks, Karthikeyan diff --git a/drivers/soc/aspeed/Makefile b/drivers/soc/aspeed/Makefile index b35d74592964..b5188dcde37a 100644 --- a/drivers/soc/aspeed/Makefile +++ b/drivers/soc/aspeed/Makefile @@ -4,3 +4,4 @@ obj-$(CONFIG_ASPEED_LPC_SNOOP) +=3D aspeed-lpc-snoop.o obj-$(CONFIG_ASPEED_UART_ROUTING) +=3D aspeed-uart-routing.o obj-$(CONFIG_ASPEED_P2A_CTRL) +=3D aspeed-p2a-ctrl.o obj-$(CONFIG_ASPEED_SOCINFO) +=3D aspeed-socinfo.o +CONTEXT_ANALYSIS_aspeed-lpc-snoop.o :=3D y diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/asp= eed-lpc-snoop.c index b03310c0830d..7fa1a345acac 100644 --- a/drivers/soc/aspeed/aspeed-lpc-snoop.c +++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c @@ -11,6 +11,7 @@ */ =20 #include +#include #include #include #include @@ -74,7 +75,8 @@ struct aspeed_lpc_snoop_channel_cfg { struct aspeed_lpc_snoop_channel { const struct aspeed_lpc_snoop_channel_cfg *cfg; bool enabled; - struct kfifo fifo; + spinlock_t lock; + struct kfifo fifo __guarded_by(&lock); wait_queue_head_t wq; struct miscdevice miscdev; }; @@ -114,6 +116,7 @@ static ssize_t snoop_file_read(struct file *file, char = __user *buffer, size_t count, loff_t *ppos) { struct aspeed_lpc_snoop_channel *chan =3D snoop_file_to_chan(file); + u8 *buf __free(kfree) =3D NULL; unsigned int copied; int ret =3D 0; =20 @@ -125,9 +128,16 @@ static ssize_t snoop_file_read(struct file *file, char= __user *buffer, if (ret =3D=3D -ERESTARTSYS) return -EINTR; } - ret =3D kfifo_to_user(&chan->fifo, buffer, count, &copied); - if (ret) - return ret; + + count =3D min_t(size_t, count, SNOOP_FIFO_SIZE); + + buf =3D kmalloc(count, GFP_KERNEL); + if (!buf) + return -ENOMEM; + + copied =3D kfifo_out_spinlocked(&chan->fifo, buf, count, &chan->lock); + if (copied && copy_to_user(buffer, buf, copied)) + return -EFAULT; =20 return copied; } @@ -151,11 +161,13 @@ static const struct file_operations snoop_fops =3D { /* Save a byte to a FIFO and discard the oldest byte if FIFO is full */ static void put_fifo_with_discard(struct aspeed_lpc_snoop_channel *chan, u= 8 val) { - if (!kfifo_initialized(&chan->fifo)) - return; - if (kfifo_is_full(&chan->fifo)) - kfifo_skip(&chan->fifo); - kfifo_put(&chan->fifo, val); + scoped_guard(spinlock, &chan->lock) { + if (!kfifo_initialized(&chan->fifo)) + return; + if (kfifo_is_full(&chan->fifo)) + kfifo_skip(&chan->fifo); + kfifo_put(&chan->fifo, val); + } wake_up_interruptible(&chan->wq); } =20 @@ -239,9 +251,11 @@ static int aspeed_lpc_enable_snoop(struct device *dev, if (!channel->miscdev.name) return -ENOMEM; =20 - rc =3D kfifo_alloc(&channel->fifo, SNOOP_FIFO_SIZE, GFP_KERNEL); - if (rc) - return rc; + scoped_guard(spinlock_init, &channel->lock) { + rc =3D kfifo_alloc(&channel->fifo, SNOOP_FIFO_SIZE, GFP_KERNEL); + if (rc) + return rc; + } =20 rc =3D misc_register(&channel->miscdev); if (rc) -- 2.43.0