projects / platform / kernel / linux-starfive.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f2906aa)
firmware: arm_scmi: Relax base protocol sanity checks on the protocol list
authorCristian Marussi <cristian.marussi@arm.com>
Mon, 23 May 2022 17:15:59 +0000 (18:15 +0100)
committerSudeep Holla <sudeep.holla@arm.com>
Mon, 6 Jun 2022 14:46:35 +0000 (15:46 +0100)
Even though malformed replies from firmware must be treated carefully to
avoid memory corruption in the kernel, some out-of-spec SCMI replies can
be tolerated to avoid breaking existing deployed system, as long as they
won't cause memory issues.

Relax the sanity checks on the recieved protocol list in the base protocol
to avoid breaking one of the deployed platform whose firmware is not easily
upgradable currently.

Link: https://lore.kernel.org/r/20220523171559.472112-1-cristian.marussi@arm.com
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Reported-by: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
Tested-By: Frank Wunderlich <frank-w@public-files.de>
Acked-by: Michael Riesch <michael.riesch@wolfvision.net>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
drivers/firmware/arm_scmi/base.c patch | blob | history

diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c
index 20fba73..d0ac96d 100644 (file)
--- a/drivers/firmware/arm_scmi/base.c
+++ b/drivers/firmware/arm_scmi/base.c
@@ -221,11 +221,17 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph,
                calc_list_sz = (1 + (loop_num_ret - 1) / sizeof(u32)) *
                                sizeof(u32);
                if (calc_list_sz != real_list_sz) {
-                       dev_err(dev,
-                               "Malformed reply - real_sz:%zd  calc_sz:%u\n",
-                               real_list_sz, calc_list_sz);
-                       ret = -EPROTO;
-                       break;
+                       dev_warn(dev,
+                                "Malformed reply - real_sz:%zd  calc_sz:%u  (loop_num_ret:%d)\n",
+                                real_list_sz, calc_list_sz, loop_num_ret);
+                       /*
+                        * Bail out if the expected list size is bigger than the
+                        * total payload size of the received reply.
+                        */
+                       if (calc_list_sz > real_list_sz) {
+                               ret = -EPROTO;
+                               break;
+                       }
                }
 
                for (loop = 0; loop < loop_num_ret; loop++)
Domain: System / Kernel;