lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <3e265b9e-c0f4-452d-b1da-3c708517e30a@app.fastmail.com>
Date: Fri, 07 Nov 2025 14:08:15 +0100
From: "Arnd Bergmann" <arnd@...db.de>
To: "A. Sverdlin" <alexander.sverdlin@...mens.com>,
 "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
 "Christophe Leroy" <christophe.leroy@...roup.eu>
Cc: "Hui Wang" <hui.wang@...onical.com>, "Michael Walle" <mwalle@...nel.org>,
 "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
 "florent.trinh-thai@...soprasteria.com" <florent.trinh-thai@...soprasteria.com>
Subject: Re: [PATCH] eeprom: at25: convert to spi-mem API

On Fri, Nov 7, 2025, at 12:49, Sverdlin, Alexander wrote:

> Christophe, while I'm trying to get my hands on a PPC32 HW similar to 
> yours, would
> you be able to test with CONFIG_DMA_API_DEBUG=y? The fact the KASAN 
> doesn't detect
> anything after the fix to spi-fsl-cpm you've mentioned makes me think 
> the corruption
> is external to CPU core? Will you post you fix to fsl-cpm code?

I had a look over the patch and don't didn't see anything extra
suspicious, but I wonder if this is possibly a problem with a DMA
to stack, as Christophe mentioned this showing up on a system with
VMAP_STACK=y.

If for some reason the original driver used to bounce the data while
the current version attempts a DMA, that may lead to arbitrary
data corruption from the invalid virt_to_phys(vmalloc_pointer)
conversion.

The opposite might be true as well: if the 'val' pointer passed
into the read/write functions was previously detected as
needing a bounce buffer down the stack (spi core or spi
master driver) but now the added 'bounce' allocation gets
passed directly into a dma engine, that may also fail if the
GFP_KERNEL allocation is not sufficient for the range or
alignment requirements of the DMA master.

Christophe, do you know the CPM DMA has any restrictions
there, e.g. needing a GFP_DMA allocation?

     Arnd

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ