[PATCH] riscv: lib: Fix ZBB strnlen reading past count boundary

Feng Jiang jiangfeng at kylinos.cn
Sun Apr 12 20:20:29 PDT 2026 

On 2026/4/13 09:07, Michael Neuling wrote:
> The ZBB-optimized strnlen loop loads one word ahead before checking the
> aligned boundary:
> 
>     REG_L   t1, SZREG(t0)       // load next word
>     addi    t0, t0, SZREG       // advance
>     orc.b   t1, t1
>     bgeu    t0, t4, 4f          // boundary check AFTER load
> 
> where t4 = (s + count) & -SZREG.  When s is aligned and count is a
> multiple of SZREG, t4 equals s + count and the loop loads a full word
> starting at exactly s + count.  If s + count falls on a page boundary
> with the next page unmapped, this faults.
> 
> Fix by computing the aligned boundary from the last valid byte
> (s + count - 1) instead of s + count.  This makes the loop stop at the
> word containing the last valid byte rather than potentially loading the
> word after it.  The count == 0 case is already handled by the beqz
> early exit.
> 
> Also add a pre-loop guard (bgeu t0, t4) for the case where all valid
> bytes fit within the first word.  With the adjusted boundary, t4 can
> equal t0, and entering the loop with stale register state from the
> first-word processing would produce incorrect results.
> 
> The final minu clamp ensures the result is still correct when the last
> loaded word extends past s + count - 1 within the same aligned word.
> 
> Fixes: 5ba15d419fab ("riscv: lib: add strnlen() implementation")
> Signed-off-by: Michael Neuling <mikey at neuling.org>
> Assisted-by: Claude Opus4.6 High Thinking
> ---
> ...

Hi Michael,

Thanks for catching and fixing this! Your analysis is spot on—that
"load-before-check" logic was indeed an oversight on my part, especially
regarding the page boundary edge case.

The test case you provided is extremely helpful. Since you've already
built this reproducer, would you be interested in helping to improve
the KUnit test string_test_strnlen() in lib/tests/string_kunit.c as well?
Currently, it mainly tests strings with NUL terminators and lacks coverage
for these kinds of non-terminated boundary scenarios.

Thanks again!

-- 
With Best Regards,
Feng Jiang

More information about the linux-riscv mailing list