From: Karthikeyan KS <karthiproffesional@gmail•com>
To: andrew@codeconstruct•com.au
Cc: joel@jms•id.au, andrew@aj•id.au,
linux-arm-kernel@lists•infradead.org,
linux-aspeed@lists•ozlabs.org, linux-kernel@vger•kernel.org,
Karthikeyan KS <karthiproffesional@gmail•com>,
stable@vger•kernel.org
Subject: [PATCH v4] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read
Date: Mon, 1 Jun 2026 12:52:13 +0000 [thread overview]
Message-ID: <20260601125214.2071019-1-karthiproffesional@gmail.com> (raw)
In-Reply-To: <1e2b77c7916259e3e269d19f637c29427c175350.camel@codeconstruct.com.au>
put_fifo_with_discard() acts as both producer and consumer on the kfifo:
it calls kfifo_skip() (advances out) and kfifo_put() (advances in) from
the IRQ handler without synchronizing with snoop_file_read(), which also
consumes via kfifo_to_user(). On SMP systems this concurrent access can
leave (in - out) larger than the ring buffer, so __kfifo_to_user()'s clamp
to (in - out) is ineffective and kfifo_copy_to_user() can attempt a
copy_to_user() past the kmalloc-2k backing store:
usercopy: Kernel memory exposure attempt detected from SLUB object
'kmalloc-2k' (offset 0, size 2049)!
kernel BUG at mm/usercopy.c!
Call trace:
usercopy_abort
__check_heap_object
__check_object_size
kfifo_copy_to_user
__kfifo_to_user
snoop_file_read
vfs_read
Serialize kfifo access with a per-channel spinlock. copy_to_user()
runs after dropping the lock, since it may sleep on a page fault.
Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
Cc: stable@vger•kernel.org
Signed-off-by: Karthikeyan KS <karthiproffesional@gmail•com>
---
Andrew,
Thanks for the review.
> This seems inappropriate and I expect is flagged if you compile with
> CONFIG_PROVE_LOCKING=y or CONFIG_DEBUG_ATOMIC_SLEEP=y
v4 drains the kfifo into a kernel buffer via kfifo_out() under
the lock, then performs copy_to_user() after dropping it.
(cf. drivers/gpio/gpiolib-cdev.c, which drains under its event lock
and copies outside it.)
> ensure you develop, build and test on recent releases
Tested on both v7.1-rc5 and v7.1-rc6 with PROVE_LOCKING,
DEBUG_ATOMIC_SLEEP and HARDENED_USERCOPY enabled: read path
round-trips correctly, no lockdep splats, no atomic-sleep
warnings, no usercopy aborts.
Changes since v3:
- Replaced kfifo_to_user() with kfifo_out() + copy_to_user()
to avoid sleeping under spinlock
- Rebased onto v7.1-rc6
drivers/soc/aspeed/aspeed-lpc-snoop.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
index b03310c0830d..0fe463020e25 100644
--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
+++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
@@ -74,6 +74,7 @@ struct aspeed_lpc_snoop_channel_cfg {
struct aspeed_lpc_snoop_channel {
const struct aspeed_lpc_snoop_channel_cfg *cfg;
bool enabled;
+ spinlock_t lock;
struct kfifo fifo;
wait_queue_head_t wq;
struct miscdevice miscdev;
@@ -115,6 +116,7 @@ static ssize_t snoop_file_read(struct file *file, char __user *buffer,
{
struct aspeed_lpc_snoop_channel *chan = snoop_file_to_chan(file);
unsigned int copied;
+ u8 *buf;
int ret = 0;
if (kfifo_is_empty(&chan->fifo)) {
@@ -125,11 +127,22 @@ static ssize_t snoop_file_read(struct file *file, char __user *buffer,
if (ret == -ERESTARTSYS)
return -EINTR;
}
- ret = kfifo_to_user(&chan->fifo, buffer, count, &copied);
- if (ret)
- return ret;
- return copied;
+ buf = kmalloc(SNOOP_FIFO_SIZE, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ spin_lock_irq(&chan->lock);
+ copied = kfifo_out(&chan->fifo, buf,
+ min_t(size_t, count, SNOOP_FIFO_SIZE));
+ spin_unlock_irq(&chan->lock);
+
+ ret = copied;
+ if (copied && copy_to_user(buffer, buf, copied))
+ ret = -EFAULT;
+
+ kfree(buf);
+ return ret;
}
static __poll_t snoop_file_poll(struct file *file,
@@ -153,9 +166,11 @@ static void put_fifo_with_discard(struct aspeed_lpc_snoop_channel *chan, u8 val)
{
if (!kfifo_initialized(&chan->fifo))
return;
+ spin_lock(&chan->lock);
if (kfifo_is_full(&chan->fifo))
kfifo_skip(&chan->fifo);
kfifo_put(&chan->fifo, val);
+ spin_unlock(&chan->lock);
wake_up_interruptible(&chan->wq);
}
@@ -228,6 +243,7 @@ static int aspeed_lpc_enable_snoop(struct device *dev,
return -EBUSY;
init_waitqueue_head(&channel->wq);
+ spin_lock_init(&channel->lock);
channel->cfg = cfg;
channel->miscdev.minor = MISC_DYNAMIC_MINOR;
--
2.43.0
prev parent reply other threads:[~2026-06-01 12:52 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <c3d474a1ec807e686c0b7ac70cc75f86898aee99.camel@codeconstruct.com.au>
2026-05-23 17:35 ` [PATCH v2] soc: aspeed: lpc-snoop: Fix usercopy overflow in snoop_file_read Karthikeyan KS
2026-05-27 3:53 ` Andrew Jeffery
2026-05-27 17:59 ` [PATCH v3] " Karthikeyan KS
2026-05-28 2:39 ` Andrew Jeffery
2026-06-01 12:52 ` Karthikeyan KS [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260601125214.2071019-1-karthiproffesional@gmail.com \
--to=karthiproffesional@gmail$(echo .)com \
--cc=andrew@aj$(echo .)id.au \
--cc=andrew@codeconstruct$(echo .)com.au \
--cc=joel@jms$(echo .)id.au \
--cc=linux-arm-kernel@lists$(echo .)infradead.org \
--cc=linux-aspeed@lists$(echo .)ozlabs.org \
--cc=linux-kernel@vger$(echo .)kernel.org \
--cc=stable@vger$(echo .)kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox