Re: [PATCH v2 1/4] iio: proximity: hx9023s: fix out-of-bounds access when copying firmware

From: Andy Shevchenko

Date: Thu Feb 12 2026 - 08:54:58 EST


On Thu, Feb 12, 2026 at 12:25:54PM +0100, Krzysztof Kozlowski wrote:
> On Thu, Feb 12, 2026 at 02:26:52PM +0800, Yasin Lee wrote:
> > Initialize fw_size before copying firmware data into the flexible
> > array member to match the __counted_by() annotation. This fixes a
> > potential out-of-bounds access that could lead to a kernel crash.
>
> I don't think so. Code is equivalent and this was just a false positive
> because the compiler could not deduce that in this case counted_by can be by
> fw->size.

In accordance with [1]:

When finding the element count assignment, it must be reordered
to before any accesses of the PTR->ARRAY itself, otherwise runtime
checking will trigger (i.e. the index of ARRAY will be checked against
COUNTER before COUNTER has been assigned the correct COUNT value).

[1]: https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci#L3

--
With Best Regards,
Andy Shevchenko
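
The ordering rule quoted above, as an added user-space example that is not part of this thread or of the hx9023s driver: `struct fw_blob`, `checked_store()`, `copy_fw()` and `sample_fw` are hypothetical names, and `checked_store()` is a hand-written model of the runtime index check, not the kernel's instrumentation.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(m)	/* compiler lacks the attribute: expands to nothing */
#endif

/* Hypothetical layout: a counter and the flexible array it bounds. */
struct fw_blob {
	size_t fw_size;
	unsigned char data[] COUNTED_BY(fw_size);
};
static const unsigned char sample_fw[4] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */

/* Model of an instrumented store: idx is checked against the counter as it is now. */
int checked_store(struct fw_blob *b, size_t idx, unsigned char v)
{
	if (idx >= b->fw_size)
		return -1;	/* a bounds-checked build would report here */
	b->data[idx] = v;
	return 0;
}

/* Copy len bytes into a fresh blob; return how many stores passed the check. */
size_t copy_fw(const unsigned char *src, size_t len, int counter_first)
{
	struct fw_blob *b = calloc(1, sizeof(*b) + len);
	size_t ok = 0;
	if (!b)
		return 0;
	if (counter_first)
		b->fw_size = len;	/* counter set before any data[] access */
	for (size_t i = 0; i < len; i++)
		ok += checked_store(b, i, src[i]) == 0;
	if (!counter_first)
		b->fw_size = len;	/* too late: every store saw fw_size == 0 */
	free(b);
	return ok;
}

int main(void)
{
	printf("counter first: %zu/4 stores pass\n", copy_fw(sample_fw, 4, 1));
	printf("counter last:  %zu/4 stores pass\n", copy_fw(sample_fw, 4, 0));
	return 0;
}
```

The allocation is the same size in both orderings; only the value of the counter at the time of each store differs, which is what the check consults.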