[PATCH v2 3/6] firmware: qcom: scm: Handle various probe ordering for qcom_scm_assign_mem()

Krzysztof Kozlowski posted 6 patches 1 year ago
Posted by Krzysztof Kozlowski 1 year ago
The SCM driver can defer or fail probe, or just load a bit later so
callers of qcom_scm_assign_mem() should defer if the device is not ready.

This fixes theoretical NULL pointer exception, triggered via introducing
probe deferral in SCM driver with call trace:

  qcom_tzmem_alloc+0x70/0x1ac (P)
  qcom_tzmem_alloc+0x64/0x1ac (L)
  qcom_scm_assign_mem+0x78/0x194
  qcom_rmtfs_mem_probe+0x2d4/0x38c
  platform_probe+0x68/0xc8

Fixes: d82bd359972a ("firmware: scm: Add new SCM call API for switching memory ownership")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

---

I am not sure about commit introducing it (Fixes tag) thus not Cc-ing
stable.
---
 drivers/firmware/qcom/qcom_scm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
index 5d91b8e22844608f35432f1ba9c08d477d4ff762..93212c8f20ad65ecc44804b00f4b93e3eaaf8d95 100644
--- a/drivers/firmware/qcom/qcom_scm.c
+++ b/drivers/firmware/qcom/qcom_scm.c
@@ -1075,6 +1075,9 @@ int qcom_scm_assign_mem(phys_addr_t mem_addr, size_t mem_sz,
 	int ret, i, b;
 	u64 srcvm_bits = *srcvm;
 
+	if (!qcom_scm_is_available())
+		return -EPROBE_DEFER;
+
 	src_sz = hweight64(srcvm_bits) * sizeof(*src);
 	mem_to_map_sz = sizeof(*mem_to_map);
 	dest_sz = dest_cnt * sizeof(*destvm);
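
Review bot: The guard added at the top of qcom_scm_assign_mem() returns -EPROBE_DEFER from a function whose signature does not restrict it to probe paths, so a caller outside probe would get an errno that only the driver core's probe handling knows how to act on. Either keep the qcom_scm_is_available() check in the probing caller (the trace names qcom_rmtfs_mem_probe) and leave this function unchanged, or return a general error here and let probe callers translate it to a deferral. If the check stays, any kernel-doc for the function should list the new return value. The trace in the commit message faults inside qcom_tzmem_alloc, and the message calls the issue theoretical with an uncertain Fixes tag, so naming the exact unguarded call path would strengthen the case for this hunk.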

-- 
2.43.0

Re: [PATCH v2 3/6] firmware: qcom: scm: Handle various probe ordering for qcom_scm_assign_mem()
Posted by Bjorn Andersson 11 months, 2 weeks ago
On Mon, Dec 09, 2024 at 03:27:56PM +0100, Krzysztof Kozlowski wrote:
> The SCM driver can defer or fail probe, or just load a bit later so
> callers of qcom_scm_assign_mem() should defer if the device is not ready.
> 
> This fixes theoretical NULL pointer exception, triggered via introducing
> probe deferral in SCM driver with call trace:
> 
>   qcom_tzmem_alloc+0x70/0x1ac (P)
>   qcom_tzmem_alloc+0x64/0x1ac (L)
>   qcom_scm_assign_mem+0x78/0x194
>   qcom_rmtfs_mem_probe+0x2d4/0x38c
>   platform_probe+0x68/0xc8
> 
> Fixes: d82bd359972a ("firmware: scm: Add new SCM call API for switching memory ownership")
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
> 
> ---
> 
> I am not sure about commit introducing it (Fixes tag) thus not Cc-ing
> stable.
> ---
>  drivers/firmware/qcom/qcom_scm.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
> index 5d91b8e22844608f35432f1ba9c08d477d4ff762..93212c8f20ad65ecc44804b00f4b93e3eaaf8d95 100644
> --- a/drivers/firmware/qcom/qcom_scm.c
> +++ b/drivers/firmware/qcom/qcom_scm.c
> @@ -1075,6 +1075,9 @@ int qcom_scm_assign_mem(phys_addr_t mem_addr, size_t mem_sz,
>  	int ret, i, b;
>  	u64 srcvm_bits = *srcvm;
>  
> +	if (!qcom_scm_is_available())
> +		return -EPROBE_DEFER;

This API is generally called from places other than probe, making the
return of EPROBE_DEFER undesirable. While not pretty, a client depending
on the scm driver to be probed is expected to call
qcom_scm_is_available().

qcom_rmtfs_mem_probe() does this right before calling
qcom_scm_assign_mem(), am I misunderstanding the case you're describing?

Regards,
Bjorn

> +
>  	src_sz = hweight64(srcvm_bits) * sizeof(*src);
>  	mem_to_map_sz = sizeof(*mem_to_map);
>  	dest_sz = dest_cnt * sizeof(*destvm);
> 
> -- 
> 2.43.0
>

Re: [PATCH v2 3/6] firmware: qcom: scm: Handle various probe ordering for qcom_scm_assign_mem()
Posted by Krzysztof Kozlowski 11 months, 1 week ago
On 07/01/2025 01:42, Bjorn Andersson wrote:
>>
>> diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c
>> index 5d91b8e22844608f35432f1ba9c08d477d4ff762..93212c8f20ad65ecc44804b00f4b93e3eaaf8d95 100644
>> --- a/drivers/firmware/qcom/qcom_scm.c
>> +++ b/drivers/firmware/qcom/qcom_scm.c
>> @@ -1075,6 +1075,9 @@ int qcom_scm_assign_mem(phys_addr_t mem_addr, size_t mem_sz,
>>  	int ret, i, b;
>>  	u64 srcvm_bits = *srcvm;
>>  
>> +	if (!qcom_scm_is_available())
>> +		return -EPROBE_DEFER;
> 
> This API is generally called from places other than probe, making the
> return of EPROBE_DEFER undesirable. While not pretty, a client depending
> on the scm driver to be probed is expected to call
> qcom_scm_is_available().
> 
> qcom_rmtfs_mem_probe() does this right before calling
> qcom_scm_assign_mem(), am I misunderstanding the case you're describing?

I tried to reproduce my NULL ptr but now I cannot and indeed if every
path is protected with qcom_scm_is_available() everything should be fine.

Let's skip this patch then.

Best regards,
Krzysztof

Re: [PATCH v2 3/6] firmware: qcom: scm: Handle various probe ordering for qcom_scm_assign_mem()
Posted by Bartosz Golaszewski 1 year ago
On Mon, 9 Dec 2024 at 15:28, Krzysztof Kozlowski
<krzysztof.kozlowski@linaro.org> wrote:
>
> The SCM driver can defer or fail probe, or just load a bit later so
> callers of qcom_scm_assign_mem() should defer if the device is not ready.
>
> This fixes theoretical NULL pointer exception, triggered via introducing
> probe deferral in SCM driver with call trace:
>
>   qcom_tzmem_alloc+0x70/0x1ac (P)
>   qcom_tzmem_alloc+0x64/0x1ac (L)
>   qcom_scm_assign_mem+0x78/0x194
>   qcom_rmtfs_mem_probe+0x2d4/0x38c
>   platform_probe+0x68/0xc8
>
> Fixes: d82bd359972a ("firmware: scm: Add new SCM call API for switching memory ownership")
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
>
> ---
>

Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>