Message-Id: <20260127-imx-rproc-fix-v2-1-7288fcf74385@nxp.com>
Date: Tue, 27 Jan 2026 14:51:06 +0800
From: "Peng Fan (OSS)" <peng.fan@....nxp.com>
To: Bjorn Andersson <andersson@...nel.org>,
Mathieu Poirier <mathieu.poirier@...aro.org>,
Shawn Guo <shawnguo@...nel.org>, Sascha Hauer <s.hauer@...gutronix.de>,
Pengutronix Kernel Team <kernel@...gutronix.de>,
Fabio Estevam <festevam@...il.com>, Iuliana Prodan <iuliana.prodan@....com>,
Daniel Baluta <daniel.baluta@....com>, Frank Li <frank.li@....com>
Cc: linux-remoteproc@...r.kernel.org, imx@...ts.linux.dev,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
Peng Fan <peng.fan@....com>, stable@...r.kernel.org
Subject: [PATCH v2] remoteproc: imx_rproc: Not report loaded resource table
when none
From: Peng Fan <peng.fan@....com>

priv->rsc_table is not NULL if the DT has a "rsc-table" entry, indicating
that _if_ there is a resource table in memory, that's where it should be.
Function imx_rproc_elf_find_loaded_rsc_table() is buggy so the narrative
about a previously running FW with a valid resource table can be dropped.

In this case rproc->table_ptr is NULL because the current firmware does
not contain a resource table, but the remoteproc core still interprets the
non-NULL return value as a loaded resource table and attempts to memcpy()
from rproc->cached_table, leading to a NULL pointer dereference and kernel
panic.

Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when
there is no cached resource table for the current firmware. This ensures
that a loaded resource table is only reported when a valid table_ptr
exists, which matches the remoteproc core expectations.

This issue can be reproduced by:
1) start a firmware with a resource table
2) stop the remote processor
3) start a firmware without a resource table

With this change, starting a firmware without a resource table no longer
causes a kernel dump.
Fixes: e954a1bd1610 ("remoteproc: imx_rproc: Use imx specific hook for find_loaded_rsc_table")
Cc: stable@...r.kernel.org
Signed-off-by: Peng Fan <peng.fan@....com>
---
Changes in v2:
- Per Mathieu, Check rproc->table_ptr, update commit log
- Include R-b from Frank
- Link to v1: https://lore.kernel.org/r/20260122-imx-rproc-fix-v1-1-36cc64369a40@nxp.com
---
drivers/remoteproc/imx_rproc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
index 375de79168a1c8d11b87ac1bd63774a3feac106d..f5f916d6790519360f446f063e09d018c5654953 100644
--- a/drivers/remoteproc/imx_rproc.c
+++ b/drivers/remoteproc/imx_rproc.c
@@ -729,6 +729,10 @@ imx_rproc_elf_find_loaded_rsc_table(struct rproc *rproc, const struct firmware *
{
struct imx_rproc *priv = rproc->priv;
+ /* No resource table in the firmware */
+ if (!rproc->table_ptr)
+ return NULL;
+
if (priv->rsc_table)
return (struct resource_table *)priv->rsc_table;
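Review bot: The comment on the new !rproc->table_ptr check ("No resource table in the firmware") does not say why the check has to come before the priv->rsc_table test, and that ordering is the whole fix. The commit log explains that priv->rsc_table stays non-NULL whenever the DT has a "rsc-table" entry, and that the core treats any non-NULL return as a loaded table and then does a memcpy() from rproc->cached_table. Please expand the comment to state that a NULL table_ptr means there is no cached table for the current firmware, so the DT-provided address must not be reported. That keeps a later cleanup from moving the check below the priv->rsc_table return and reintroducing the NULL dereference. It would also help to state in the commit log whether table_ptr is guaranteed to be reset between the stop in step 2 and the start in step 3 of the reproducer, since the check relies on it not carrying over from the earlier firmware.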
---
base-commit: e3b32dcb9f23e3c3927ef3eec6a5842a988fb574
change-id: 20260122-imx-rproc-fix-e206f8e6e477
Best regards,
--
Peng Fan <peng.fan@....com>