Message-ID: <c5867aff-4b9a-9cf4-98ab-2e00df9aa4f4@linux.intel.com>
Date: Fri, 21 Nov 2025 19:27:54 +0200 (EET)
From: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
cc: Qipeng Zha <qipeng.zha@...el.com>, Hans de Goede <hansg@...nel.org>, 
    Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, 
    Darren Hart <dvhart@...ux.intel.com>, platform-driver-x86@...r.kernel.org, 
    LKML <linux-kernel@...r.kernel.org>, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] platform/x86: intel: punit_ipc: fix memory corruption

On Fri, 21 Nov 2025, Dan Carpenter wrote:

> This passes a stack address to the IRQ handler, "&punit_ipcdev" vs

This first part I don't get, why you think &punit_ipcdev is a stack 
address? The punit_ipcdev variable is defined in the global scope:

static IPC_DEV *punit_ipcdev;

> "punit_ipcdev" without the ampersand.  This means that the:
> 
> 	complete(&ipcdev->cmd_complete);
> 
> in intel_punit_ioc() will corrupt the wrong memory.

Can you please also rephrase "will corrupt the wrong memory" as it has
a bit of an awkward sound to it. My suggestion:

...will write to a wrong memory address corrupting it.

(I'd have done this edit myself but I wanted to ask about the stack 
address claim so better you just send v2.)

The change diff itself looks correct.

> Fixes: fdca4f16f57d ("platform:x86: add Intel P-Unit mailbox IPC driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
> ---
>  drivers/platform/x86/intel/punit_ipc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/platform/x86/intel/punit_ipc.c b/drivers/platform/x86/intel/punit_ipc.c
> index bafac8aa2baf..14513010daad 100644
> --- a/drivers/platform/x86/intel/punit_ipc.c
> +++ b/drivers/platform/x86/intel/punit_ipc.c
> @@ -250,7 +250,7 @@ static int intel_punit_ipc_probe(struct platform_device *pdev)
>  	} else {
>  		ret = devm_request_irq(&pdev->dev, irq, intel_punit_ioc,
>  				       IRQF_NO_SUSPEND, "intel_punit_ipc",
> -				       &punit_ipcdev);
> +				       punit_ipcdev);
>  		if (ret) {
>  			dev_err(&pdev->dev, "Failed to request irq: %d\n", irq);
>  			return ret;
> 
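Review bot: the changelog calls the old dev_id argument of this devm_request_irq() call (`&punit_ipcdev`) a stack address, which does not match the declaration quoted in the reply, `static IPC_DEV *punit_ipcdev;`. `&punit_ipcdev` is the address of that file-scope pointer variable, so the handler's `complete(&ipcdev->cmd_complete);` would write at an offset from the pointer's own storage instead of into the IPC_DEV it points to; v2 should describe it that way. Because dev_id is a `void *`, both forms compile without a warning, so it is also worth confirming in the changelog that punit_ipcdev is already assigned at this point in intel_punit_ipc_probe(), since intel_punit_ioc() uses dev_id as soon as the interrupt fires.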

-- 
 i.
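
A userspace model of the dev_id mix-up discussed in this thread, added here as an illustration; it is not code from the patch, the thread, or the kernel driver. The struct layout and the names `ipc_dev_model`, `model_dev`, `handler_write_addr` and `write_hits_device` are hypothetical, and addresses are only computed, never dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for IPC_DEV; the real layout is not shown in the thread. */
struct ipc_dev_model {
	char regs[64];    /* constructed padding ahead of the completion */
	int cmd_complete; /* stands in for struct completion */
};

static struct ipc_dev_model *model_dev; /* file-scope pointer, like punit_ipcdev */

/* Where the handler would write: it treats dev_id as the device struct and
 * touches ->cmd_complete. Integer arithmetic only, nothing is dereferenced. */
static uintptr_t handler_write_addr(void *dev_id)
{
	return (uintptr_t)dev_id + offsetof(struct ipc_dev_model, cmd_complete);
}

/* 1 if [addr, addr + len) lies inside the object of `size` bytes at `base`. */
static int inside(uintptr_t addr, size_t len, const void *base, size_t size)
{
	uintptr_t b = (uintptr_t)base;
	return addr >= b && addr + len <= b + size;
}

/* Returns 1 when the handler's write would land in the allocated device struct. */
static int write_hits_device(int pass_address_of_pointer)
{
	void *dev_id;
	int ok;

	model_dev = calloc(1, sizeof(*model_dev));
	if (!model_dev)
		abort();
	/* void * accepts either form, so the compiler cannot flag the wrong one */
	dev_id = pass_address_of_pointer ? (void *)&model_dev : (void *)model_dev;
	ok = inside(handler_write_addr(dev_id), sizeof(model_dev->cmd_complete),
		    model_dev, sizeof(*model_dev));
	free(model_dev);
	model_dev = NULL;
	return ok;
}

int main(void)
{
	printf("&pointer as dev_id, write inside device? %d\n", write_hits_device(1));
	printf(" pointer as dev_id, write inside device? %d\n", write_hits_device(0));
	return 0;
}
```

With the address of the pointer as dev_id, the computed write target sits a fixed offset past the global pointer variable's own storage, which is neither on the stack nor inside the device structure.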


