Re: [PATCH] misc: ibmasm: Fix out-of-bounds MMIO access during module load
From: Greg KH
Date: Tue Jun 23 2026 - 03:17:42 EST

On Tue, Jun 23, 2026 at 03:09:09PM +0800, w15303746062@xxxxxxx wrote:
> From: Mingyu Wang <25181214217@xxxxxxxxxxxxxxxxx>
>
> The ibmasm driver maps PCI BAR 0 without verifying if the hardware-provided
> resource length is sufficient. The driver statically accesses the
> INTR_CONTROL_REGISTER at offset 0x13A4.

The kernel trusts the hardware to not do foolish things like this :)

> When evaluating the driver against emulated hardware or during virtual
> device fuzzing, a malformed device may expose a significantly undersized
> BAR 0 (e.g., 4KB). In this scenario, the readl() in enable_sp_interrupts()
> crosses the mapped page boundary into unmapped memory, causing a page fault
> during probe.

Are you sure this is the only code path for this type of issue for this
device/driver? Why just worry about this one?

thanks,
greg k-h
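
A user-space model of the probe-time length check the quoted commit message describes, applied to every register a driver touches rather than one. This is an added example, not code from the thread or from the ibmasm driver; only INTR_CONTROL_REGISTER at 0x13A4 comes from the message, and the other table entries and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One MMIO register: byte offset into BAR 0 and access width in bytes. */
struct mmio_reg {
    const char *name;
    uint64_t offset;
    uint64_t width;               /* readl()/writel() access 4 bytes */
};

/* Only INTR_CONTROL_REGISTER (0x13A4) is from the thread; the EXAMPLE_*
 * entries are hypothetical placeholders for the driver's other registers. */
static const struct mmio_reg regs[] = {
    { "EXAMPLE_REG_LOW",       0x0040, 4 },
    { "INTR_CONTROL_REGISTER", 0x13A4, 4 },
    { "EXAMPLE_REG_HIGH",      0x2000, 4 },
};
#define NREGS (sizeof(regs) / sizeof(regs[0]))

/* True when [offset, offset + width) lies inside a BAR of bar_len bytes.
 * Written as a subtraction so a huge offset cannot wrap the comparison. */
static int reg_fits(uint64_t bar_len, uint64_t offset, uint64_t width)
{
    return width != 0 && width <= bar_len && offset <= bar_len - width;
}

/* Index of the first register outside the BAR, or -1 when all of them fit. */
static int first_unreachable(uint64_t bar_len, const struct mmio_reg *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!reg_fits(bar_len, t[i].offset, t[i].width))
            return (int)i;
    return -1;
}

int main(void)
{
    uint64_t bar_len = 0x1000;    /* constructed: the 4KB BAR from the report */
    int bad = first_unreachable(bar_len, regs, NREGS);

    if (bad >= 0)
        printf("refuse probe: %s at 0x%llx is outside a 0x%llx-byte BAR\n",
               regs[bad].name, (unsigned long long)regs[bad].offset,
               (unsigned long long)bar_len);
    return bad >= 0;
}
```

In a real driver the length would come from pci_resource_len() and the check would run before the BAR is mapped.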