[PATCH v1] firmware: microchip: fix UL_IAP lock check in mpfs_auto_update_state()

Valentina Fernandez posted 1 patch 1 year, 2 months ago
drivers/firmware/microchip/mpfs-auto-update.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH v1] firmware: microchip: fix UL_IAP lock check in mpfs_auto_update_state()
Posted by Valentina Fernandez 1 year, 2 months ago
To verify that Auto Update is possible, the mpfs_auto_update_state()
function performs a "Query Security Service Request" to the system
controller.

Previously, the check was performed on the first element of the
response message, which was accessed using a 32-bit pointer. This
caused the bitwise operation to reference incorrect data, as the
response should be inspected at the byte level. Fixed this by casting
the response to a u8 * pointer, ensuring the check correctly inspects
the appropriate byte of the response message.

Additionally, rename "UL_Auto Update" to "UL_IAP" to match the
PolarFire Family System Services User Guide.

Signed-off-by: Valentina Fernandez <valentina.fernandezalanis@microchip.com>
---
 drivers/firmware/microchip/mpfs-auto-update.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/microchip/mpfs-auto-update.c b/drivers/firmware/microchip/mpfs-auto-update.c
index 0f7ec8848202..df1d69bdc1d7 100644
--- a/drivers/firmware/microchip/mpfs-auto-update.c
+++ b/drivers/firmware/microchip/mpfs-auto-update.c
@@ -402,10 +402,10 @@ static int mpfs_auto_update_available(struct mpfs_auto_update_priv *priv)
 		return -EIO;
 
 	/*
-	 * Bit 5 of byte 1 is "UL_Auto Update" & if it is set, Auto Update is
+	 * Bit 5 of byte 1 is "UL_IAP" & if it is set, Auto Update is
 	 * not possible.
 	 */
-	if (response_msg[1] & AUTO_UPDATE_FEATURE_ENABLED)
+	if ((((u8 *)response_msg)[1] & AUTO_UPDATE_FEATURE_ENABLED))
 		return -EPERM;
 
 	return 0;
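Review bot: the new condition `if ((((u8 *)response_msg)[1] & AUTO_UPDATE_FEATURE_ENABLED))` has a redundant outer pair of parentheses and buries the byte-level access in an inline cast. A local `u8 *` view of the response, or at least dropping the extra parentheses, would make the check read as "byte 1, bit 5" like the comment above it. The mask name AUTO_UPDATE_FEATURE_ENABLED also reads opposite to that comment, which says a set bit means Auto Update is not possible; since the comment is being renamed to "UL_IAP" here, renaming the macro alongside it would keep the two in step.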
-- 
2.34.1
Re: [PATCH v1] firmware: microchip: fix UL_IAP lock check in mpfs_auto_update_state()
Posted by Geert Uytterhoeven 1 year, 1 month ago
Hi Valentina,

On Mon, Nov 18, 2024 at 4:56 PM Valentina Fernandez
<valentina.fernandezalanis@microchip.com> wrote:
> To verify that Auto Update is possible, the mpfs_auto_update_state()
> function performs a "Query Security Service Request" to the system
> controller.
>
> Previously, the check was performed on the first element of the
> response message, which was accessed using a 32-bit pointer. This
> caused the bitwise operation to reference incorrect data, as the
> response should be inspected at the byte level. Fixed this by casting
> the response to a u8 * pointer, ensuring the check correctly inspects
> the appropriate byte of the response message.
>
> Additionally, rename "UL_Auto Update" to "UL_IAP" to match the
> PolarFire Family System Services User Guide.
>
> Signed-off-by: Valentina Fernandez <valentina.fernandezalanis@microchip.com>

Thanks for your patch, which is now commit 48808b55b07c3cea ("firmware:
microchip: fix UL_IAP lock check in mpfs_auto_update_state()") in v6.13-rc4.

> --- a/drivers/firmware/microchip/mpfs-auto-update.c
> +++ b/drivers/firmware/microchip/mpfs-auto-update.c
> @@ -402,10 +402,10 @@ static int mpfs_auto_update_available(struct mpfs_auto_update_priv *priv)
>                 return -EIO;
>
>         /*
> -        * Bit 5 of byte 1 is "UL_Auto Update" & if it is set, Auto Update is
> +        * Bit 5 of byte 1 is "UL_IAP" & if it is set, Auto Update is
>          * not possible.
>          */
> -       if (response_msg[1] & AUTO_UPDATE_FEATURE_ENABLED)
> +       if ((((u8 *)response_msg)[1] & AUTO_UPDATE_FEATURE_ENABLED))
>                 return -EPERM;
>
>         return 0;
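Review bot: the hunk header places this change in mpfs_auto_update_available(), but the subject line and the first paragraph of the commit message name mpfs_auto_update_state(); the subject should name the function that is actually modified so the commit can be found by it. The message also describes a behavioural fix to a lock check without a Fixes: tag, which would let the change be matched to the commit that introduced the 32-bit indexing.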

Why is response_msg not a u8 pointer in the first place?

        u32 *response_msg __free(kfree) =
                kzalloc(AUTO_UPDATE_FEATURE_RESP_SIZE * sizeof(*response_msg), GFP_KERNEL);

So AUTO_UPDATE_FEATURE_RESP_SIZE is the number of 32-bit words...

However:

        response->resp_size = AUTO_UPDATE_FEATURE_RESP_SIZE;

and drivers/mailbox/mailbox-mpfs.c::mpfs_mbox_rx_data():

        u16 num_words = ALIGN((response->resp_size), (4)) / 4U;

so response->resp_size is the number of bytes?

See also drivers/char/hw_random/mpfs-rng.c::mpfs_rng_read():

        struct mpfs_mss_response response = {
                .resp_status = 0U,
                .resp_msg = (u32 *)response_msg,
                .resp_size = RNG_RESP_BYTES
        };

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds
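
Added example, not part of the thread or the kernel tree: a userspace C sketch of the two checks discussed above, showing that indexing a `u32 *` at [1] reads bytes 4..7 and therefore misses a lock bit stored in byte 1, and how the quoted `ALIGN(resp_size, 4) / 4` rounding turns a byte count into words. `UL_IAP_LOCK_BIT`, `RESP_BYTES` (33 is a constructed value) and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define UL_IAP_LOCK_BIT 0x20u /* bit 5, per the driver comment; hypothetical name */
#define RESP_BYTES      33u   /* constructed response length in bytes */

/* Same rounding as the quoted mailbox line: bytes -> 32-bit words. */
static unsigned int resp_words(unsigned int resp_bytes)
{
	return (resp_bytes + 3u) / 4u;
}

/* Pre-patch form: element 1 of a u32 array covers bytes 4..7. */
static int locked_word_indexed(const uint32_t *resp)
{
	return (resp[1] & UL_IAP_LOCK_BIT) != 0;
}

/* Post-patch form: byte 1 of the response. */
static int locked_byte_indexed(const uint32_t *resp)
{
	return (((const uint8_t *)resp)[1] & UL_IAP_LOCK_BIT) != 0;
}

/* Returns 1 if the two checks disagree when the bit sits at byte `offset`. */
static int checks_disagree(unsigned int offset)
{
	/* Sized in words derived from bytes, not bytes * sizeof(u32). */
	uint32_t *resp = calloc(resp_words(RESP_BYTES), sizeof(*resp));
	int differ;

	if (!resp || offset >= RESP_BYTES) {
		free(resp);
		return -1;
	}
	((uint8_t *)resp)[offset] = UL_IAP_LOCK_BIT;
	differ = locked_word_indexed(resp) != locked_byte_indexed(resp);
	free(resp);
	return differ;
}

int main(void)
{
	printf("words for %u bytes: %u\n", RESP_BYTES, resp_words(RESP_BYTES));
	printf("lock bit in byte 1, checks disagree: %d\n", checks_disagree(1));
	return 0;
}
```

With the bit set only in byte 1, the byte-indexed check reports the lock and the word-indexed one does not, on either endianness, because bytes 4..7 are all zero.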
Re: [PATCH v1] firmware: microchip: fix UL_IAP lock check in mpfs_auto_update_state()
Posted by Conor Dooley 1 year, 2 months ago
From: Conor Dooley <conor.dooley@microchip.com>

On Mon, 18 Nov 2024 15:53:54 +0000, Valentina Fernandez wrote:
> To verify that Auto Update is possible, the mpfs_auto_update_state()
> function performs a "Query Security Service Request" to the system
> controller.
> 
> Previously, the check was performed on the first element of the
> response message, which was accessed using a 32-bit pointer. This
> caused the bitwise operation to reference incorrect data, as the
> response should be inspected at the byte level. Fixed this by casting
> the response to a u8 * pointer, ensuring the check correctly inspects
> the appropriate byte of the response message.
> 
> [...]

Applied to riscv-soc-fixes, thanks!

[1/1] firmware: microchip: fix UL_IAP lock check in mpfs_auto_update_state()
      https://git.kernel.org/conor/c/48808b55b07c

Thanks,
Conor.