From: Artem Shimko
To: Sudeep Holla, Cristian Marussi
Cc: Artem Shimko, arm-scmi@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] firmware: arm_scmi: Fix raw mode async completion race
Date: Fri, 19 Dec 2025 14:46:16 +0300
Message-ID: <20251219114617.2057576-1-a.shimko.dev@gmail.com>

A race condition exists in scmi_xfer_raw_worker() where the async_done completion can be accessed after being nullified by scmi_xfer_raw_waiter_put() in scmi_handle_response(). This happens because the worker skips wait_for_completion_timeout() when ret has an error value and goes directly to nullify the async_done.

Fix by waiting for async_done unconditionally when it exists, without checking the result of the ret variable. This ensures the worker always synchronizes properly with the scmi_handle_response()'s complete for async_done.

Fixes: 3c3d818a9317a ("firmware: arm_scmi: Add core raw transmission support")
Signed-off-by: Artem Shimko
---
Hello maintainers and reviewers,

This patch fixes a race condition in the SCMI raw mode implementation that can lead to kernel crashes when handling asynchronous delayed responses.

I temporarily added the trace_printk("%s\n", __func__) to track the problem.

# mount -t tracefs nodev /sys/kernel/tracing
# mount -t debugfs debugfs /sys/kernel/debug
# cd /sys/kernel/debug/tracing
# echo 1 > options/trace_printk
# echo 1 > tracing_on

Doing that until the Oops:

# echo -e -n 'sorry, but NDA raw msg' > /sys/kernel/debug/scmi/0/raw/message_async

Without the changes:

[   19.513750] Unable to handle kernel NULL pointer dereference at virtual address NDA
[   19.524756] Oops [#1]
[   19.527034] Modules linked in:
[   19.530097] CPU: 0 UID: 0 PID: 124 Comm: irq/12-1e200000 Not tainted 6.12.0-NDA
...
[   19.638262] [] do_raw_spin_lock+0xa/0x10a
[   19.643843] [] _raw_spin_lock_irqsave+0x20/0x2c
[   19.649941] [] complete+0x1e/0x76
[   19.654826] [] scmi_rx_callback+0x66e/0x7cc
[   19.660589] [] transport_rx_callback+0x4e/0x56
[   19.666534] [] mbox_chan_received_data+0x10/0x1a
[   19.672730] [] transport_chan_do_rx+0xea/0x136
[   19.678311] [] transport_mbox_threaded_isr+0x42/0x9c
[   19.684408] [] irq_thread_fn+0x1a/0x5a
[   19.689733] [] irq_thread+0x16c/0x20a
[   19.694962] [] kthread+0xda/0xf6
[   19.699761] [] ret_from_fork+0xe/0x18
[   19.712403] ---[ end trace 0000000000000000 ]---

With the changes: we don't have the Oops.

# echo 0 > tracing_on
# cat trace

Without the changes:

irq/12-1e200000-120 [000] ..... 23.368262: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [003] ..... 23.394836: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 25.625926: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [002] ..... 25.653884: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 27.202031: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [001] ..... 27.228216: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 28.504546: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [002] ..... 28.531534: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 30.102729: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [003] ..... 30.129688: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 31.108407: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [003] ..... 31.136012: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 32.388953: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [003] ..... 32.415700: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 33.737014: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [002] ..... 33.764977: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 34.979096: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [002] ..... 35.005377: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
kworker/u45:0-95    [003] ..... 36.758043: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put <- RC
irq/12-1e200000-119 [000] ..... 37.561734: scmi_rx_callback: scmi_handle_response

With the changes:

irq/12-1e200000-120 [000] ..... 23.368262: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [003] ..... 23.394836: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 25.625926: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [002] ..... 25.653884: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 27.202031: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [001] ..... 27.228216: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 28.504546: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [002] ..... 28.531534: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 30.102729: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [003] ..... 30.129688: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 31.108407: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [003] ..... 31.136012: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 32.388953: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [003] ..... 32.415700: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 33.737014: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [002] ..... 33.764977: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 34.979096: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [002] ..... 35.005377: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 36.028136: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [003] ..... 36.055553: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 36.906953: scmi_rx_callback: scmi_handle_response
kworker/u45:0-95    [002] ..... 36.933304: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 37.548706: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [003] ..... 37.577260: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 38.079993: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [002] ..... 38.108648: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
irq/12-1e200000-120 [000] ..... 38.512822: scmi_rx_callback: scmi_handle_response
kworker/u44:0-94    [002] ..... 38.540403: scmi_xfer_raw_waiter_put: scmi_xfer_raw_waiter_put
...
-- Regards, Artem drivers/firmware/arm_scmi/raw_mode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/arm_scmi/raw_mode.c b/drivers/firmware/arm_sc= mi/raw_mode.c index 73db5492ab44..362773f3114d 100644 --- a/drivers/firmware/arm_scmi/raw_mode.c +++ b/drivers/firmware/arm_scmi/raw_mode.c @@ -479,7 +479,7 @@ static void scmi_xfer_raw_worker(struct work_struct *wo= rk) ret, scmi_inflight_count(raw->handle)); =20 /* Wait also for an async delayed response if needed */ - if (!ret && xfer->async_done) { + if (xfer->async_done) { unsigned long tmo =3D msecs_to_jiffies(SCMI_MAX_RESPONSE_TIMEOUT); =20 if (!wait_for_completion_timeout(xfer->async_done, tmo)) --=20 2.43.0
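Review bot: dropping the `!ret` guard makes the worker block for up to SCMI_MAX_RESPONSE_TIMEOUT on every failed transfer that has async_done set, including the case where the main response never arrived and no delayed response can follow; the old `if (!ret && xfer->async_done)` skipped that wait, which is exactly what opened the window described in the commit message, so the added latency on the error path should be called out and accepted explicitly. Since the wait is now a synchronisation point with the completer rather than a best-effort wait for a delayed response, the comment above the condition ("Wait also for an async delayed response if needed") no longer describes the code; suggest something like "Always wait on async_done when set: scmi_handle_response() may still complete() it before the waiter is put." It is also worth stating in the cover letter whether the remaining branch, where wait_for_completion_timeout() itself expires and the worker goes on to put the waiter, can meet a late delayed response in the same way, since that path is unchanged by this hunk.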
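An added example, not code from the patch or from the kernel: it replays the ordering the trace above shows (the worker reaching scmi_xfer_raw_waiter_put() before scmi_handle_response() delivers the delayed response) in user space, with a POSIX semaphore standing in for struct completion and the two function names reused only as labels. The ordering is forced rather than raced, so the result is deterministic: the old `!ret && async_done` condition lets the rx side find a cleared pointer, the patched condition does not.

```c
/* Added example, not kernel code: replays the ordering seen in the trace, where
 * the worker reaches scmi_xfer_raw_waiter_put() before scmi_handle_response()
 * delivers the delayed response. A POSIX semaphore stands in for struct
 * completion; the worker/rx ordering is forced rather than raced. */
#include <pthread.h>
#include <semaphore.h>
#include <stddef.h>

/* wait_always selects the patched condition; async_done stands in for the completion. */
struct xfer { int ret; int wait_always; sem_t *async_done; };

/* Worker side. Putting the waiter is what clears async_done in the driver. */
static void *raw_worker(void *p)
{
	struct xfer *x = p;

	/* Old: if (!ret && xfer->async_done); patched: if (xfer->async_done) */
	if ((x->wait_always || !x->ret) && x->async_done)
		sem_wait(x->async_done);	/* wait_for_completion_timeout() */
	x->async_done = NULL;			/* scmi_xfer_raw_waiter_put() */
	return NULL;
}

/* Rx side. Returns 1 instead of dereferencing NULL so the bug is testable. */
static int handle_response(struct xfer *x)
{
	sem_t *c = x->async_done;

	if (!c)
		return 1;
	sem_post(c);				/* complete(xfer->async_done) */
	return 0;
}

/* Main transfer already failed (ret != 0) and the worker runs first, as in
 * the trace. Returns 1 when the rx path finds async_done already cleared. */
int run_scenario(int wait_always)
{
	sem_t done;
	struct xfer x = { .ret = -1, .wait_always = wait_always, .async_done = &done };
	pthread_t t;
	int null_hit;

	sem_init(&done, 0, 0);
	pthread_create(&t, NULL, raw_worker, &x);
	if (!wait_always)
		pthread_join(t, NULL);	/* old code: waiter already put before rx */
	null_hit = handle_response(&x);
	if (wait_always)
		pthread_join(t, NULL);	/* patched: put happens only after complete() */
	sem_destroy(&done);
	return null_hit;
}
```

In the patched case the worker cannot reach the put until the rx side has posted the completion, which is the ordering guarantee the one-line change restores.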