Arm SCMI fixes for v6.12(part 2)

Couple of fixes to address slab-use-after-free in scmi_bus_notifier() via scmi_dev->name and possible incorrect clear channel transport operation on A2P channel if some sort of P2A only messages are initiated on A2P channel(occurs when stress tested passing /dev/random to the channel). Apart from this, there are fixes to address missing "arm" prefix in the recently added property max-rx-timeout-ms which was missed in the review but was identified when further additions to the same binding were getting reviewed. -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEunHlEgbzHrJD3ZPhAEG6vDF+4pgFAmcjvPAACgkQAEG6vDF+ 4pg2mA/9GejbeYklmQLUl4EoEjz305mdorg29CCilJ7SvUachV7T7Rv2I/W1GCmB F1eEwQe+SZ2COOEoIzKKvmEi7z49Cqm5gJbVvm8RVoR4Mrl1kAR373ZoO8rCFYEc DMThkSJcPOPG976mf5Fy9tbCpTOrHSBh46afqid09+0r1u2/5VzLqo3uBVsoclGB j8OixOlGokjL4K8cUs9cXLEJ9CJOyTu+0Z5e9HLvh4xj5l5n4remrMl9XWYBWuCR PWUAAxdDUlmyDbrWsmeIyed/E8m0i/+O6SOupteGNd7NLMSKBYAfFw2XSYxz1wj3 yuF5hWxyU5a3icF+r2pGS00m6M8GbGF1yiY0U6tu4EAqfZTHdfsFh3X2ix+uFi0m NCg9LmRLtlyBfgpt+Tj+X9Gw9Xq8nNBkaaVV14iYl1K7My3+RxLis8yesc+vfWmh aoMnYr7fLKHUb+gVg6C6Ge1DOSDA6rg+JLQR/UG8Q1nKuIa0Yu/rrWKGammsd4CR VMg48qKGTzpknSEh99yHzlFqGABdAUvJhpGqXcpHt+b13fjG3YY72gjT+uoThrDo IWe5JFAFypR4P7bdfNkIWOFAH7Um7M86lanCd+LXsZ94CtZeO0CfF4d/nCB89DI2 TPXb0E6UOdZitXhWpN2BO4S9yxPQGPIypIP/I3cThA6I762aOvc= =jlhL -----END PGP SIGNATURE----- gpgsig -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEiK/NIGsWEZVxh/FrYKtH/8kJUicFAmck6icACgkQYKtH/8kJ UifMMw/7BRDD3WeczzKlXY0MbnufnrVD2C/317Mx7OawcaInXALqfniMTjUIs3X/ 06Ix90y7deDsCnXx9BCvpyOTVYGpwD7rjwDfiwrD+6wDeLWLMSpb53VRlIFNT8tc F7uu4onUYH699Z/XkGRAoyZKhARE3+2zhFPLU6qoTuE6n6ImD6DzrEQBFwhQbH+L gCCyIXfsFg5ALmKxi8Tcy3DSMnJt/AkV8o1dioTcOhxcQMScTeDgNUnSjglizvcB Hca+l7cNxRFod9Ux95PqRH2ny4tzwNN2omX/AHRAeaScgPkpfcsAWYlKRXfhdroy cxwdVGGEp73QbO2e+hTg99lwUi2mIb5AjDrGAmNp9YZF/8rZQ2qIMIWhdg4ugneJ H5iZSe3NOQYDdo4hpO5q1kXQQQbECBVimjpcV4+vlxD8OZ6AQoCNrPV0oC3atV9A 49yZq/RmMZMYJUmEIFjAgLx0HuDmH/QjlSVZbqBDiWpzpOf4fW8B+DaKqQOUlIpP 1+w2nBiWvtKCpG5g4rNfF+fvDv0H3EEWKUSREF8EIHQ1sAQiXcQToSDbKDkeJVOG ty4NDAMMM2JCd0MoD9QWE9UCOAdZbHw0Ub3FCZ03GP1gDb+HTifwZSFDlQLY8MqZ /89kptiwBdMd1Taclraw/lANThpgITaiqJe2Mubuz8LEvZslK7k= =E7pD -----END PGP SIGNATURE----- Merge tag 'scmi-fixes-6.12-2' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into HEAD Arm SCMI fixes for v6.12(part 2) Couple of fixes to address slab-use-after-free in scmi_bus_notifier() via scmi_dev->name and possible incorrect clear channel transport operation on A2P channel if some sort of P2A only messages are initiated on A2P channel(occurs when stress tested passing /dev/random to the channel). Apart from this, there are fixes to address missing "arm" prefix in the recently added property max-rx-timeout-ms which was missed in the review but was identified when further additions to the same binding were getting reviewed. * tag 'scmi-fixes-6.12-2' of https://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_scmi: Use vendor string in max-rx-timeout-ms dt-bindings: firmware: arm,scmi: Add missing vendor string firmware: arm_scmi: Reject clear channel request on A2P firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() Link: https://lore.kernel.org/r/20241031172734.3109140-1-sudeep.holla@arm.com Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2026-05-29 17:43:52 +02:00 · 2024-11-01 15:48:06 +01:00 · 2024-11-01 15:48:06 +01:00 · c3b56da655
commit c3b56da655
parent e5c06efdc0 54962707f8
4 changed files with 15 additions and 6 deletions
--- a/Documentation/devicetree/bindings/firmware/arm,scmi.yaml
+++ b/Documentation/devicetree/bindings/firmware/arm,scmi.yaml
@ -124,7 +124,7 @@ properties:
      atomic mode of operation, even if requested.
    default: 0

-  max-rx-timeout-ms:
+  arm,max-rx-timeout-ms:
    description:
      An optional time value, expressed in milliseconds, representing the
      transport maximum timeout value for the receive channel. The value should
--- a/drivers/firmware/arm_scmi/bus.c
+++ b/drivers/firmware/arm_scmi/bus.c
@ -325,7 +325,10 @@ EXPORT_SYMBOL_GPL(scmi_driver_unregister);

 static void scmi_device_release(struct device *dev)
 {
-	kfree(to_scmi_dev(dev));
+	struct scmi_device *scmi_dev = to_scmi_dev(dev);
+
+	kfree_const(scmi_dev->name);
+	kfree(scmi_dev);
 }

 static void __scmi_device_destroy(struct scmi_device *scmi_dev)
@ -338,7 +341,6 @@ static void __scmi_device_destroy(struct scmi_device *scmi_dev)
 	if (scmi_dev->protocol_id == SCMI_PROTOCOL_SYSTEM)
 		atomic_set(&scmi_syspower_registered, 0);

-	kfree_const(scmi_dev->name);
 	ida_free(&scmi_bus_id, scmi_dev->id);
 	device_unregister(&scmi_dev->dev);
 }
@ -410,7 +412,6 @@ __scmi_device_create(struct device_node *np, struct device *parent,

 	return scmi_dev;
 put_dev:
-	kfree_const(scmi_dev->name);
 	put_device(&scmi_dev->dev);
 	ida_free(&scmi_bus_id, id);
 	return NULL;
--- a/drivers/firmware/arm_scmi/common.h
+++ b/drivers/firmware/arm_scmi/common.h
@ -163,6 +163,7 @@ void scmi_protocol_release(const struct scmi_handle *handle, u8 protocol_id);
 *      used to initialize this channel
 * @dev: Reference to device in the SCMI hierarchy corresponding to this
 *	 channel
+ * @is_p2a: A flag to identify a channel as P2A (RX)
 * @rx_timeout_ms: The configured RX timeout in milliseconds.
 * @handle: Pointer to SCMI entity handle
 * @no_completion_irq: Flag to indicate that this channel has no completion
@ -174,6 +175,7 @@ void scmi_protocol_release(const struct scmi_handle *handle, u8 protocol_id);
 struct scmi_chan_info {
 	int id;
 	struct device *dev;
+	bool is_p2a;
 	unsigned int rx_timeout_ms;
 	struct scmi_handle *handle;
 	bool no_completion_irq;
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@ -1048,6 +1048,11 @@ static inline void scmi_xfer_command_release(struct scmi_info *info,
 static inline void scmi_clear_channel(struct scmi_info *info,
 				      struct scmi_chan_info *cinfo)
 {
+	if (!cinfo->is_p2a) {
+		dev_warn(cinfo->dev, "Invalid clear on A2P channel !\n");
+		return;
+	}
+
 	if (info->desc->ops->clear_channel)
 		info->desc->ops->clear_channel(cinfo);
 }
@ -2638,6 +2643,7 @@ static int scmi_chan_setup(struct scmi_info *info, struct device_node *of_node,
 	if (!cinfo)
 		return -ENOMEM;

+	cinfo->is_p2a = !tx;
 	cinfo->rx_timeout_ms = info->desc->max_rx_timeout_ms;

 	/* Create a unique name for this transport device */
@ -3042,10 +3048,10 @@ static const struct scmi_desc *scmi_transport_setup(struct device *dev)

 	dev_info(dev, "Using %s\n", dev_driver_string(trans->supplier));

-	ret = of_property_read_u32(dev->of_node, "max-rx-timeout-ms",
+	ret = of_property_read_u32(dev->of_node, "arm,max-rx-timeout-ms",
 				   &trans->desc->max_rx_timeout_ms);
 	if (ret && ret != -EINVAL)
-		dev_err(dev, "Malformed max-rx-timeout-ms DT property.\n");
+		dev_err(dev, "Malformed arm,max-rx-timeout-ms DT property.\n");

 	dev_info(dev, "SCMI max-rx-timeout: %dms\n",
 		 trans->desc->max_rx_timeout_ms);