Arm SCMI and SMCCC fixes for v6.5

Set of fixes addressing issues: 1. Possible use of uninitialised results structure in the SMCCC SOC_ID driver if the driver fails to complete the initialisation 2. Missed signed error return value handling from simple_write_to_buffer() used in scmi_dbg_raw_mode_common_write() 3. The OF node reference obtained is not dropped if node is incompatible with "arm,scmi-shmem" in the mailbox as well as SMC transport channel setup 4. The possibility of a late response to an in-flight pending transaction that could end up triggering the interrupt handler after the SCMI core has cleaned up the transport channel as part of core driver remove -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEunHlEgbzHrJD3ZPhAEG6vDF+4pgFAmS6bgsACgkQAEG6vDF+ 4pjJ7g/9FXkBnaMvXWk0oj+qKINtNY4sdoQ8+18L6vQpXaXR9ub9NE88aV3KjkYq voM1HdNnaTswFt5GSrVb1I/OGRikQx5R1PVZ3RHLI2IIUOVHGy9EPBLT/xgcaOZ5 6b3atc7r08CZhO3U57cc//WEWqsNXRTFp2ZeCaGDu52Rp6eCABCHzzBbvAbmrZ1z EPFTit59i9poj8VP/TsCOEG5PnLm2DwWtqEHN9WGMXu4fZSIYddgb9swZKEJf1qZ Yl4en+eISd6swgDEMeqQcbzfLcFUhNbvjgK3+0eI/RBlCg8cgsN/yKwjdSsm+Dmu Z2JwWy2lPoSvMKwivJXfO0s+wWoLErEbDl49O4zqqhXccXOsaFF87FmUTvVuy4hc 0GK0ruDzcWE4PDoGjnq1vxCG/bIH6RAospbfDE32VdENNPxoMJWl6t1xyQSBQCme WZoeUgp5kmxkACP6KZMUmvfkdgfxBP1Hxf9YqzZajWCpoPtWBR6Wp76jX4VY7k1O vhIFmxE6DsPOWR1Rvz5R9YeMqRp/lf9CBM+R24OE1ZFSkPBicd46ENNtrKnTRCWT ZSUlgdLCGX3bcUIJvXBOXCYsanUgvVS4x05vQYb7meDbv9Cauc1tYDPmBU7RT9D2 489bz74ovYUWV55bMxnzR41S+p7MbangXprgu0o/A5TCzT7WrHA= =oZRl -----END PGP SIGNATURE----- gpgsig -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEiK/NIGsWEZVxh/FrYKtH/8kJUicFAmS+eg4ACgkQYKtH/8kJ UifSmw/+ItVo4Z6YZkXRIw1VEqlJaZ8jhkwPCvS1d+7W7MKQnnpR5zH1fWH8lh9O 9fS3Vr8u74KPny5tGHNhyPCM+sJorQhAJdWsI0yadTST4Ylvtv+3y20ogu62l4JQ U1m8j9KiAi+Ut4IvatJSeC6gAedRiIFCeBb4uzHzHgJPiIMdoFSlkiWnBbwOSqIe ox3Utzxg8KLgiS/ywJM1H2NO9rwIp/7Dh8WYa9z1FV+1vYo7+xGa8AR/kxdxB/Kg aWvJTwZ3dMnPoAI/O+AtvWoC8ADqJx7k2AZKrD6N9S522jXja3yyT0gVl06+Au9V jIX9xL73PVt41koX0uZ5QdQmNKmDE34Edm2TbfZgl/AjBXdAQg0pRJZTSOlHNOqB Wob9L0mYkL+Vo0kAP2DguUl+RDhEGgtRjqxRFveI/zy93t6HyQntS5J2KoOqwWIs YP3CH41OriJDLnf8L0syXxnleNJ5h++N9SUB1T31d2LH14rNxlPgUNhwJdHC2E0O Ng4dNK7tt1XbLNvobTmIKAHKHCa7Ia1CJcev9+bCCq93azWXtzGibmOtPUr4yCIZ fyKlxZlQX565qV1/qm90HoXgSYwAOSBPc6Hpx1WX+MMwVE+30pQCXc1qjIG0+QO3 jjuOdMrMXiYStjDVgWt/nWso2DmvKk5S9Ka/bZLbi51Lpl055Hk= =FE9J -----END PGP SIGNATURE----- Merge tag 'scmi-smccc-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into arm/fixes Arm SCMI and SMCCC fixes for v6.5 Set of fixes addressing issues: 1. Possible use of uninitialised results structure in the SMCCC SOC_ID driver if the driver fails to complete the initialisation 2. Missed signed error return value handling from simple_write_to_buffer() used in scmi_dbg_raw_mode_common_write() 3. The OF node reference obtained is not dropped if node is incompatible with "arm,scmi-shmem" in the mailbox as well as SMC transport channel setup 4. The possibility of a late response to an in-flight pending transaction that could end up triggering the interrupt handler after the SCMI core has cleaned up the transport channel as part of core driver remove * tag 'scmi-smccc-fixes-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_scmi: Fix chan_free cleanup on SMC firmware: arm_scmi: Drop OF node reference in the transport channel setup firmware: arm_scmi: Fix signed error return values handling firmware: smccc: Fix use of uninitialised results structure Link: https://lore.kernel.org/r/20230721114052.3371923-1-sudeep.holla@arm.com Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2026-05-22 22:22:08 +02:00 · 2023-07-24 15:17:59 +02:00 · 2023-07-24 15:17:59 +02:00 · 1b64daa602
commit 1b64daa602
parent f6ad3c13f1 d1ff11d7ad
4 changed files with 23 additions and 12 deletions
--- a/drivers/firmware/arm_scmi/mailbox.c
+++ b/drivers/firmware/arm_scmi/mailbox.c
@ -166,8 +166,10 @@ static int mailbox_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
 		return -ENOMEM;

 	shmem = of_parse_phandle(cdev->of_node, "shmem", idx);
-	if (!of_device_is_compatible(shmem, "arm,scmi-shmem"))
+	if (!of_device_is_compatible(shmem, "arm,scmi-shmem")) {
+		of_node_put(shmem);
 		return -ENXIO;
+	}

 	ret = of_address_to_resource(shmem, 0, &res);
 	of_node_put(shmem);
--- a/drivers/firmware/arm_scmi/raw_mode.c
+++ b/drivers/firmware/arm_scmi/raw_mode.c
@ -818,10 +818,13 @@ static ssize_t scmi_dbg_raw_mode_common_write(struct file *filp,
 	 * before sending it with a single RAW xfer.
 	 */
 	if (rd->tx_size < rd->tx_req_size) {
-		size_t cnt;
+		ssize_t cnt;

 		cnt = simple_write_to_buffer(rd->tx.buf, rd->tx.len, ppos,
 					     buf, count);
+		if (cnt < 0)
+			return cnt;
+
 		rd->tx_size += cnt;
 		if (cnt < count)
 			return cnt;
--- a/drivers/firmware/arm_scmi/smc.c
+++ b/drivers/firmware/arm_scmi/smc.c
@ -40,6 +40,7 @@
 /**
 * struct scmi_smc - Structure representing a SCMI smc transport
 *
+ * @irq: An optional IRQ for completion
 * @cinfo: SCMI channel info
 * @shmem: Transmit/Receive shared memory area
 * @shmem_lock: Lock to protect access to Tx/Rx shared memory area.
@ -52,6 +53,7 @@
 */

 struct scmi_smc {
+	int irq;
 	struct scmi_chan_info *cinfo;
 	struct scmi_shared_mem __iomem *shmem;
 	/* Protect access to shmem area */
@ -127,7 +129,7 @@ static int smc_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
 	struct resource res;
 	struct device_node *np;
 	u32 func_id;
-	int ret, irq;
+	int ret;

 	if (!tx)
 		return -ENODEV;
@ -137,8 +139,10 @@ static int smc_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
 		return -ENOMEM;

 	np = of_parse_phandle(cdev->of_node, "shmem", 0);
-	if (!of_device_is_compatible(np, "arm,scmi-shmem"))
+	if (!of_device_is_compatible(np, "arm,scmi-shmem")) {
+		of_node_put(np);
 		return -ENXIO;
+	}

 	ret = of_address_to_resource(np, 0, &res);
 	of_node_put(np);
@ -167,11 +171,10 @@ static int smc_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
 	 * completion of a message is signaled by an interrupt rather than by
 	 * the return of the SMC call.
 	 */
-	irq = of_irq_get_byname(cdev->of_node, "a2p");
-	if (irq > 0) {
-		ret = devm_request_irq(dev, irq, smc_msg_done_isr,
-				       IRQF_NO_SUSPEND,
-				       dev_name(dev), scmi_info);
+	scmi_info->irq = of_irq_get_byname(cdev->of_node, "a2p");
+	if (scmi_info->irq > 0) {
+		ret = request_irq(scmi_info->irq, smc_msg_done_isr,
+				  IRQF_NO_SUSPEND, dev_name(dev), scmi_info);
 		if (ret) {
 			dev_err(dev, "failed to setup SCMI smc irq\n");
 			return ret;
@ -193,6 +196,10 @@ static int smc_chan_free(int id, void *p, void *data)
 	struct scmi_chan_info *cinfo = p;
 	struct scmi_smc *scmi_info = cinfo->transport_info;

+	/* Ignore any possible further reception on the IRQ path */
+	if (scmi_info->irq > 0)
+		free_irq(scmi_info->irq, scmi_info);
+
 	cinfo->transport_info = NULL;
 	scmi_info->cinfo = NULL;

--- a/drivers/firmware/smccc/soc_id.c
+++ b/drivers/firmware/smccc/soc_id.c
@ -34,7 +34,6 @@ static struct soc_device_attribute *soc_dev_attr;

 static int __init smccc_soc_init(void)
 {
-	struct arm_smccc_res res;
 	int soc_id_rev, soc_id_version;
 	static char soc_id_str[20], soc_id_rev_str[12];
 	static char soc_id_jep106_id_str[12];
@ -49,13 +48,13 @@ static int __init smccc_soc_init(void)
 	}

 	if (soc_id_version < 0) {
-		pr_err("ARCH_SOC_ID(0) returned error: %lx\n", res.a0);
+		pr_err("Invalid SoC Version: %x\n", soc_id_version);
 		return -EINVAL;
 	}

 	soc_id_rev = arm_smccc_get_soc_id_revision();
 	if (soc_id_rev < 0) {
-		pr_err("ARCH_SOC_ID(1) returned error: %lx\n", res.a0);
+		pr_err("Invalid SoC Revision: %x\n", soc_id_rev);
 		return -EINVAL;
 	}