From nobody Wed Jun 17 06:28:44 2026 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3940C31F9B9 for ; Mon, 27 Apr 2026 15:04:13 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302255; cv=none; b=hj3w5Hcv85dokV6dHvCPSJ2pwU3nOdqB+tEd+FO6n61BHoy69y9dzwhisMYMDkeSrK5MzpFHzkALnnoDClkEJ+rxuTx1E22MXkGvNoQRD8/MGW9AJNT8gkFrlzFuRqgv+gc3D53YveZcxfq8u47LncKJVkrtj/7adJV4a1B2k+8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302255; c=relaxed/simple; bh=TreFdYinnhSJgXpknKYqTtPyjIcb0I8seNUyWKt+xKw=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=mbPD2VNc7i+o5szCt7zddM84GNDw2OA5vDWgUgRjcMGf99PivTdvn8lcyeVOSBD66vwZnWgI4B2f01n/yepP+h2mUNSqiSMcHo6BKgzcgCtC4aO/zPFNpwEYNWVhZ93glGx2Knl+sFB7BMxM9afyrv+rn1mkdkvl15bWga7H7FU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=iMKN7afk; arc=none smtp.client-ip=209.85.128.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="iMKN7afk" Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-4891e5b9c1fso88309325e9.2 for ; Mon, 27 Apr 2026 08:04:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777302252; x=1777907052; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=Ti2400kELeoTTXiRLb/VuTvlneI8nPmBzCy26OVf/VQ=; b=iMKN7afkrInt7oVARd/n6mkfDjqN8HlWdFVlEU/UPU+GiBSv7FpD1jV1gkUwyVu5ZB QxJpRVF5xPHff4/c47pd+1TUD1xEpWE+IBKC4XFtM/ViXCD6NtW5bEOjVqmh7yVtLccp eyuG8Kupngpia3ysQWZwNMH0pgoREVytlGX2x8m4ixV+DNfTtjj10b5gUa6jEHW2Pz4/ VtK16ONC4756Hbjo9lcdnEADcway9kLwBuFUCe4D43I6ea/nl9FR+Y1dsXAz7ddO5INT QgR2K2xjCVMRXTp99LxMwAdygElex4u3YWcjPomOJBVNq+i1+x9z3qK8+6EKjPuBNs9y YOjw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777302252; x=1777907052; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=Ti2400kELeoTTXiRLb/VuTvlneI8nPmBzCy26OVf/VQ=; b=LWD5p1CyMlmJj0EbA1HfCHFPINonsN49SUr2GmIwRcGF0a0Q3lnmR7aUxCGn75Kncw 6+GewSRgw2cRreXuXmtEVlfuoUtLLC1BS8+nB86ZdT/85CrlZerBYPena4l/RmoXcg9/ sN9bJJqh0+xnS4R9lJjwc//CjVWGauJp5JBx7F/iTyaN3Er3V4EnXtIZDUJojJLDJNcU dVSRS7x6J5oJWQKoQ1UIZHZ5NX/1hZqS+6e8DAsJ6614ZhA8skJ3ieijhkQv6XCx8Zlf y5aeZsFiJw4VKazOjMifor/FaY1l0Yog+IgVYBYw1Ybte0vOvesIGNHz2Av2CCzuUohS X6Hg== X-Gm-Message-State: AOJu0YwgqrP+eWLOErgmYMgQSGEcr2ySUCrFUH0K387L4ciTMKPSXev/ abXiGKLn0ZLbckKWBaLYzI4gBK09LfDxgUaQ7h+7TSiuO3NnXJ0QpOwrF1Gmmnz1uSE= X-Gm-Gg: AeBDiev0X/JHbulpryjPowc3i46uw5SkJz1FyECI23sn+/YtpTNImJM4gnNXia3y5U2 Jbq9sqYpsDSd5tE6ITnDKGF9GjzOjCH3AzOJ0um1dCbKpEkERIrNi51ChexogghdASoWcEBGUDJ O9Kf+vPB8UcDSg2DPNEgEliUwyDCXvOg4hvcRWeC5nlIUfRl570cYiTKkq9nGHngKG8KSWd9Z6D kjVnJXRm3GjVl4ewiKe7VJuhGtxNHXhAmV86d5F1kNlOfObBEY6DjOXZoNL9xZJ3HgPs3kgiVfQ gZgpLxH6z+gN8rMyW1XbzjaCmVOg0vRnxeLLCIPlWMxtkNKDMgC8894GFrK2jho3S7SWs7dPPH8 K+OgqKHVP+oFj5pCBW1k9bHIaYbrr1UJtAuB/ROeQ4Q4nAivCPOdSZ0mgyynTVRYHGp9zJqVMYG 6+7YGVbWmPSwPoZoy8v7ICaWMrlWDYmi1GlP7ZtLxnEBw/xg6DnCRzZftHE836rXJ4Fdz10+9ex ZN31DwfCycQJNhL8f0t4eKbxAEI X-Received: by 2002:a05:600c:6296:b0:488:c40b:c8a4 with SMTP id 5b1f17b1804b1-488fb73d764mr592141905e9.1.1777302251486; Mon, 27 Apr 2026 08:04:11 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48919f54572sm235370215e9.26.2026.04.27.08.04.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Apr 2026 08:04:10 -0700 (PDT) From: Tudor Ambarus Date: Mon, 27 Apr 2026 15:04:06 +0000 Subject: [PATCH v2 1/6] firmware: samsung: acpm: Fix cross-thread RX length corruption Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-acpm-fixes-sashiko-reports-v2-1-1ff8de94a997@linaro.org> References: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> In-Reply-To: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777302249; l=4323; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=TreFdYinnhSJgXpknKYqTtPyjIcb0I8seNUyWKt+xKw=; b=pAQoGOrdB9aglx1LoZ4o96ai+lG9Ru4bx/cyfczVUvFORThYC9GKBIcXcQY0ZFt5VUSyHBvQy eyHq/pMisNABff5Vkr8uR57Y8FVlmYKouun6Wac6MFT32bKcRwYv9Vc X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified a cross-thread RX length corruption bug when reviewing the thermal addition to ACPM [1]. When multiple threads concurrently send IPC requests, the ACPM polling mechanism can encounter responses belonging to other threads. To drain the queue, the driver saves these concurrent responses into an internal cache (`rx_data->cmd`) to be retrieved later by the owning thread. Previously, the driver incorrectly used `xfer->rxcnt` (the expected receive length of the *current* polling thread) when copying data for *other* threads into this cache. If the threads expected responses of different lengths, this resulted in buffer underflows (leading to reads of uninitialized memory) or potential buffer overflows. Fix this by replacing the boolean `response` flag in `struct acpm_rx_data` with `rxcnt`, caching the exact expected receive length for each specific transaction during transfer preparation. Use this cached length when saving concurrent responses. Consequently, ensure that `xfer->rxcnt` is explicitly zeroed in driver helpers (e.g., `acpm_dvfs_set_xfer`) for fire-and-forget messages to prevent uninitialized stack garbage from being interpreted as a massive expected receive length. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm-dvfs.c | 3 +++ drivers/firmware/samsung/exynos-acpm.c | 15 ++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm-dvfs.c b/drivers/firmware= /samsung/exynos-acpm-dvfs.c index 06bdf62dea1f..fdea7aa24ca0 100644 --- a/drivers/firmware/samsung/exynos-acpm-dvfs.c +++ b/drivers/firmware/samsung/exynos-acpm-dvfs.c @@ -31,6 +31,9 @@ static void acpm_dvfs_set_xfer(struct acpm_xfer *xfer, u3= 2 *cmd, size_t cmdlen, if (response) { xfer->rxcnt =3D cmdlen; xfer->rxd =3D cmd; + } else { + xfer->rxcnt =3D 0; + xfer->rxd =3D NULL; } } =20 diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index 16c46ed60837..e95edc350efa 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -104,12 +104,12 @@ struct acpm_queue { * * @cmd: pointer to where the data shall be saved. * @n_cmd: number of 32-bit commands. - * @response: true if the client expects the RX data. + * @rxcnt: expected length of the response in 32-bit words. */ struct acpm_rx_data { u32 *cmd; size_t n_cmd; - bool response; + size_t rxcnt; }; =20 #define ACPM_SEQNUM_MAX 64 @@ -199,7 +199,7 @@ static void acpm_get_saved_rx(struct acpm_chan *achan, const struct acpm_rx_data *rx_data =3D &achan->rx_data[tx_seqnum - 1]; u32 rx_seqnum; =20 - if (!rx_data->response) + if (!rx_data->rxcnt) return; =20 rx_seqnum =3D FIELD_GET(ACPM_PROTOCOL_SEQNUM, rx_data->cmd[0]); @@ -256,7 +256,7 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) seqnum =3D rx_seqnum - 1; rx_data =3D &achan->rx_data[seqnum]; =20 - if (rx_data->response) { + if (rx_data->rxcnt) { if (rx_seqnum =3D=3D tx_seqnum) { __ioread32_copy(xfer->rxd, addr, xfer->rxcnt); rx_set =3D true; @@ -268,7 +268,8 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) * clear yet the bitmap. It will be cleared * after the response is copied to the request. */ - __ioread32_copy(rx_data->cmd, addr, xfer->rxcnt); + __ioread32_copy(rx_data->cmd, addr, + rx_data->rxcnt); } } else { clear_bit(seqnum, achan->bitmap_seqnum); @@ -380,8 +381,8 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, /* Clear data for upcoming responses */ rx_data =3D &achan->rx_data[achan->seqnum - 1]; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); - if (xfer->rxd) - rx_data->response =3D true; + /* zero means no response expected */ + rx_data->rxcnt =3D xfer->rxcnt; =20 /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ set_bit(achan->seqnum - 1, achan->bitmap_seqnum); --=20 2.54.0.rc2.544.gc7ae2d5bb8-goog From nobody Wed Jun 17 06:28:44 2026 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81CA8322DAF for ; Mon, 27 Apr 2026 15:04:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302256; cv=none; b=Z3WwPIOmFfwCffVtRByET3PN6pV7PmA8kAw/jFYV84nygvHY/6hp+GF/7peTUEDtSdUNJEKH+LwxdRxW5gxCehve8zw7bk8sWsVyGk141fqxDOAtY1gYf8l8CRZJttKzra+8l0XXfyyjVMbX9Rkv/S86U4eRV7xQ3sC1hinPxqI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302256; c=relaxed/simple; bh=Ba+dTVUBhKnEfFMyTWML1d2ClIcN7W0bbbcIFyIYV0Y=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=nuTS14MyngNUjRlmBkjCk8QEdmm3a5vTr4njjAlbfvczVL/1JL7RPw2mkgXRHhPdP29co/rTqe3sgvEkrelsgh2g8fLDyQsf8bMhcNB8tONyef/UIp33LbVIuMEJEwlLWqOB429B2MVEtNE5ptMD/OlCwEDKdtWsgyp79dvrqGY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=afgIxeEs; arc=none smtp.client-ip=209.85.128.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="afgIxeEs" Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-4891e5b9c1fso88309615e9.2 for ; Mon, 27 Apr 2026 08:04:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777302253; x=1777907053; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=th+fTKGfuo6huv0uM66BibBdeXURX3Gjx4cjUN6LP74=; b=afgIxeEstITQJMJ6gENwrk3sK6SxAbqZawE65ujqjjxYitWrkP6igePZ6I8x3BdUDm 8ZExyyPOq5m5WxZ2FhPqO3gxIEEVJnIfOUbBDS5WgSPdo0rD07uBJNS5oi4Ci9nI0nRL RpAuTf68Af8YksvnXUpU7ziDKBg7gurNonTGAnlr1xtClQnhEuRQqRYtkZ/AJkbBPOw8 7iMyEBuW4QxK0qnDvgF9jLy/VGNUJpNu57TyPSFKVTU0ZRK97JRCHJIucDnjPIRFy4UR 3823vF2fOesV/875scsUHhl5b063JMCkTrrEcOYx7kU3JUcknznExK4gU7zEi3HokidP l+RA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777302253; x=1777907053; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=th+fTKGfuo6huv0uM66BibBdeXURX3Gjx4cjUN6LP74=; b=Bp3f4DGuQ4KI4HvWAzMvi01tv7tt9PeloW0SqmQUpPiT7+xtrqMsmSibgyFooeiggI /c6CBQkPmDHZX28YvnRyT4P/dunm/sDMW9rcQg1IyN91EJmkI83V6ErY+c+xo9bLRhVH 58zbbXsiziDWvOhfaS1E/aooAWvVEfoG9fd4tzV8YHHq+EaKsqb6up4FMmrQNaM7sVaA zRfpT54swzHTD2ljUcxWlLQQbIssH2dbXNlErrhJr2s87J2Vber/JFDRp5ZoDLRyjtHn 8bicZOWsYIOdOOAUPJYX+wu3bgtT5r35n5IZvNLq2TB0jnQ4tSxfBZr85stSyRnkT3VH wGFQ== X-Gm-Message-State: AOJu0Yx/kkB68A2HEUjiGhFPCxEvz+4bUovhr9eB2lqAuAAN8n1PXFNg m22fRoIyvq/Q7Bu4MuAudBkpxBw0amxJpR3z0b8aeObH/5sWHIbZISD2gatVjb0X3Tw= X-Gm-Gg: AeBDiesdC7smP7czeI9C1774RXJMZegNFplNuBugmLD9zA/5C4xDqoIyJhoN6I/bCAg NqLW/w9AdZZnhr4g+7B4NKHrrPg63oQDtueeZqtccJZFyIEcuzrCt3xKsE0G5F5MQe3UNIqbOLj AV142ClslsVUYjuWZY/bAjvAUpikmI0onN4BjuZKHZLxQixgPgPoT+idhOWsnL7axZSxMcL3V1G 5jeEnouzw/aqDCfLLOn2gzThtN6fdQ7UPcOP91HGTTtRnrsYAg29HJr2nJc4cVharqDbD8JKT40 p/Y29YAcAritVGea+SKdo7cHdrqsgXrY83L0FLZXbgg4Y93MDPNM/weB9tYCyAS4oodisrqUGlP V0WLznyY54lhx0fb/LNwrdveixQbuSqtdovthuR0dxW6XGKsTXEk6jcunaXRK75/notd5qOit6i 0h0TtE1/ZE6kpg9FHcZqkiXB9uffNgXNB817EIcw2Cv6xozqNDiA2MT2PlA9pCqKFz2A+AFrv84 nsGGdBNP5tGNp9xQw== X-Received: by 2002:a05:600c:5295:b0:486:fbd1:9dc0 with SMTP id 5b1f17b1804b1-488fb780463mr598840525e9.22.1777302252912; Mon, 27 Apr 2026 08:04:12 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48919f54572sm235370215e9.26.2026.04.27.08.04.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Apr 2026 08:04:11 -0700 (PDT) From: Tudor Ambarus Date: Mon, 27 Apr 2026 15:04:07 +0000 Subject: [PATCH v2 2/6] firmware: samsung: acpm: Fix mailbox channel leak on probe error Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-acpm-fixes-sashiko-reports-v2-2-1ff8de94a997@linaro.org> References: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> In-Reply-To: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777302249; l=2357; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=Ba+dTVUBhKnEfFMyTWML1d2ClIcN7W0bbbcIFyIYV0Y=; b=+4DHqrrOrGVH6m6Wr5Ur7SY6SyVl3EwK2I9IlGtYy5oHdPr9Pl50/6Hc5kvjbRc6gNH+qLFVB ynehG37WZSHCZr4+uQEBK/+nnABGuiJG/bdVGw9ezePZ9tunC9qr/lM X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified the leak at [1]. The ACPM driver allocates hardware mailbox channels using `mbox_request_channel()` during `acpm_channels_init()`. However, the driver lacked a `.remove` callback and did not free these channels on subsequent error paths inside `acpm_probe()`. Additionally, if `acpm_achan_alloc_cmds()` failed during the channel initialization loop, the function returned immediately, bypassing the manual cleanup and permanently leaking any channels successfully requested in previous loop iterations. Fix this by modifying `acpm_free_mbox_chans()` to match the `devres` action signature and registering it via `devm_add_action_or_reset()`. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index e95edc350efa..bd0d48e9d157 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -529,8 +529,9 @@ static int acpm_achan_alloc_cmds(struct acpm_chan *acha= n) * acpm_free_mbox_chans() - free mailbox channels. * @acpm: pointer to driver data. */ -static void acpm_free_mbox_chans(struct acpm_info *acpm) +static void acpm_free_mbox_chans(void *data) { + struct acpm_info *acpm =3D data; int i; =20 for (i =3D 0; i < acpm->num_chans; i++) @@ -558,6 +559,10 @@ static int acpm_channels_init(struct acpm_info *acpm) if (!acpm->chans) return -ENOMEM; =20 + ret =3D devm_add_action_or_reset(dev, acpm_free_mbox_chans, acpm); + if (ret) + return dev_err_probe(dev, ret, "Failed to add mbox free action.\n"); + chans_shmem =3D acpm->sram_base + readl(&shmem->chans); =20 for (i =3D 0; i < acpm->num_chans; i++) { @@ -579,10 +584,8 @@ static int acpm_channels_init(struct acpm_info *acpm) cl->dev =3D dev; =20 achan->chan =3D mbox_request_channel(cl, 0); - if (IS_ERR(achan->chan)) { - acpm_free_mbox_chans(acpm); + if (IS_ERR(achan->chan)) return PTR_ERR(achan->chan); - } } =20 return 0; --=20 2.54.0.rc2.544.gc7ae2d5bb8-goog From nobody Wed Jun 17 06:28:44 2026 Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA830322C6D for ; Mon, 27 Apr 2026 15:04:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302260; cv=none; b=CVPp+RbrDcdJ4bNBSCWP2xsQd8dGYG3vaM2o+TmmjTYrZh+Yi+UV6h+pftgycL2e2z0Z4wIYurVBYDRzXp2UrJzUu6c/HQkOApaH6SuP9teKPJ8fIG/RkWj2H6EP4YkFUj3k8BFIHr/X8EmFgDTz+tWQQ+eTI7YGTxVXQhGFnYA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302260; c=relaxed/simple; bh=fB8OyE4pYKQPjuNbbE1A8QI3wwuWeF5JuYv3jd8eSZs=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=qKf3AaxIeOBCBAJvOZAKp9W0ZO1NfMD1q+3t1PR7I/nNwjUnPY5rNf7/BYPgHyxe2kpF5sioh2QfZHfgHOKwhAwSTCh3D6+4jyOSDAPxCxoRac9Nmu2wB3O2PLOQGia8UltFxBhCBIvGJjinFW+mrPa6gbM/cjlbMsrrHtUBEbE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=Spm2aVO0; arc=none smtp.client-ip=209.85.128.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="Spm2aVO0" Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-48a563e4ef7so70366455e9.0 for ; Mon, 27 Apr 2026 08:04:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777302254; x=1777907054; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=Xfcec3d2oELkX+F8ksbnLWsp1V1TC87fqGSb/6ZmXtE=; b=Spm2aVO030DFbZfIBBjTfW9dTfGYYkBVvMXcfrua38eHHeD08I806NNtJ6VT7sa1rq 6ICnc13qxKK4qEVLnBoDSN0gc549EsxOzukIoy7dymRKGLZEfHdqP4v0vcitYjg7XPQN UIFLru9emAhXcjh7NvFMPJvEyHagxYfqeo6IA1XliHUnqDCYebn3gi1oieXs7BtrGT8F RMy7LQsTAviXWweDJU3weaMCcIlIBzyIWm6bY9lWpAaOXG2Q55n2ntbWacNbJ1IYdF5H RVIm6O0k4pp4lZOK8PR3H8siwyL54OTTYuQNNWScgDGws/bYI49CkcaW0OJrpk9NIFXW 1J6w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777302254; x=1777907054; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=Xfcec3d2oELkX+F8ksbnLWsp1V1TC87fqGSb/6ZmXtE=; b=NmnArobD/Sto0mTHPQANylHFotXJCFjYmgOMmY9ZHwo/rlQpqaEAOhiDI9vnW5G5EE scN6C34+tUN9OYtOS0rwjkhJDvNGOfnG4J3L3+rLl9WXEFv3dQ182fBZ8zeIVcybaOH4 e93EvKU05MpWOL1lOtDvPE23uNDOtzgz6mrvoJU0N9VraphcJ8vV8O5o56X0IlyKy548 SVoRPhSg7IzGzeNN6PSa+Xxe0DSmLDDsSKxgn165TqZVwJ9AdCnKQvr0gS1nUoJPXGBF i0fQBWzVW9DhsTq+j0qyVAfhiI3GQu1ZHJzgg2E0qoF3KdqsOzoHniCARs5qLn2xbPG2 5jRA== X-Gm-Message-State: AOJu0Yz7AVLoIoutY0tthcuxH8w+pH5S5IFmOVqDwil6MKgqn+a/8R0y ihtMN/LI3CajfNB/eHFQnspFgA79XezS0RWx9Tz+ip/PkjdR4QNVSEyuFNSr8LspCHw= X-Gm-Gg: AeBDiesxjkSXswN9I5IiyupuV+j6FCyQIiB0ZCH39E5uDDQ0JQSJMV9koBKd2eKovws ymOm4c+5FVe8WXmPgtRp1QgEEiPVbAyzpA55GPlwlzzP+QTF9UpdqW22lwZx6J6//EW2Yk4UTNW zDQZYakEqQ37U8YRDXvg93SFbRoC9+KG54MBMcB9q1yHsGtbzlbh2Ru/HG4+QQxQohEGAcyEM5f pOSRqZ6Oj+mRbSTfrsW+pulA/RebcLX2/JJ67b9BwbCWfcFH3+fXdv8S6bYgOpaV+PImZPzad7X QvNngDKZwhdafYJS7HPCpJ83xYVT4+H3UQ9J/VaQPB8a8PH9+ERzyALLV0VzJXpkcL0TgdHKdvF ci025BWbq4vVscYILMBu1h4qzsMsVXBxgDU7+NqD//EfhbkdVAr49sQZ5AlHHvnovIE0IaV1yKc rY1RVJ262CwyZSOWu0kZ49qK1gh2x767Kp0Myn7WWAU3Y9sKzkYTZsBVYGNB3vqYbSCEg1rAtQY XYQr1vuVJ8KajtF/A== X-Received: by 2002:a05:600c:888b:b0:488:c40b:c8bf with SMTP id 5b1f17b1804b1-488fb73d234mr527219795e9.2.1777302254188; Mon, 27 Apr 2026 08:04:14 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48919f54572sm235370215e9.26.2026.04.27.08.04.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Apr 2026 08:04:13 -0700 (PDT) From: Tudor Ambarus Date: Mon, 27 Apr 2026 15:04:08 +0000 Subject: [PATCH v2 3/6] firmware: samsung: acpm: Fix dummy stubs to return ERR_PTR Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-acpm-fixes-sashiko-reports-v2-3-1ff8de94a997@linaro.org> References: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> In-Reply-To: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777302249; l=1847; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=fB8OyE4pYKQPjuNbbE1A8QI3wwuWeF5JuYv3jd8eSZs=; b=KohU9VKCfVuIuMOhYROvJR+HIea1m6feyQAHQ9e2Mpn0g4X2Wbh/yKKVyVJF9PPGgjh7Ab6d8 EfSIXn22EfOCWktI5TyxXcMHyE/XyGEbK9k3ED3GJnlMfiiN9DlvX6v X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified a potential NULL pointer dereference [1]. The dummy stub implementation for devm_acpm_get_by_node() returns NULL when CONFIG_EXYNOS_ACPM_PROTOCOL is disabled. However, the active implementation of this function returns an ERR_PTR on failure, and the consumer driver checks the return value using IS_ERR(). Because IS_ERR(NULL) evaluates to false, returning NULL from the stub tricks consumer drivers into treating the NULL return as a valid handle. Subsequent attempts to access handle->ops result in a fatal NULL pointer dereference. Fix this by returning ERR_PTR(-ENODEV) in the disabled configuration to correctly propagate the disabled state and match the API contract. Cc: stable@vger.kernel.org Fixes: 6837c006d4e7 ("firmware: exynos-acpm: add empty method to allow comp= ile test") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- include/linux/firmware/samsung/exynos-acpm-protocol.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/firmware/samsung/exynos-acpm-protocol.h b/includ= e/linux/firmware/samsung/exynos-acpm-protocol.h index 13f17dc4443b..d4db2796a6fb 100644 --- a/include/linux/firmware/samsung/exynos-acpm-protocol.h +++ b/include/linux/firmware/samsung/exynos-acpm-protocol.h @@ -8,6 +8,7 @@ #ifndef __EXYNOS_ACPM_PROTOCOL_H #define __EXYNOS_ACPM_PROTOCOL_H =20 +#include #include =20 struct acpm_handle; @@ -57,7 +58,7 @@ struct acpm_handle *devm_acpm_get_by_node(struct device *= dev, static inline struct acpm_handle *devm_acpm_get_by_node(struct device *dev, struct device_node *np) { - return NULL; + return ERR_PTR(-ENODEV); } #endif =20 --=20 2.54.0.rc2.544.gc7ae2d5bb8-goog From nobody Wed Jun 17 06:28:44 2026 Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 282FD322C77 for ; Mon, 27 Apr 2026 15:04:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302261; cv=none; b=Qaxotv3drXcs3DqttTM1c7csBO66ld5kqjQ1pqm9X7Mguh8+x6MUvzhPx5Cy/V1SeEv/YOa9ewVbptrAtkCl+cg2i9d3P8PZ7bRos0piR+NpuB3RK/VbdsINb4pDOFk3COboY/gCgw3neGn0T9ujYZKaiGO14DTJRbuYN2I2VNU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302261; c=relaxed/simple; bh=m/tO5SKZlsZv2lDCNDVLmgGJxhoMZAGNBisteBM84SY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=OCaVnflRN6uZ1lyyspKkRq/ERWNK8bxoVZAHzbd2O23o9Dpq4yxWTf0Yu/mWLTNdX8TPCDCp5oqlW1hEFuJCsQRy3ecOtkbYBWXBWskFHyXJt77FLDYGHV6mFTbMPIofoBPVVgsRdOAZCeBcOa+bWlZdhe3eeFUCt8JWsbzK+ow= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=cuAGkdaG; arc=none smtp.client-ip=209.85.128.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="cuAGkdaG" Received: by mail-wm1-f45.google.com with SMTP id 5b1f17b1804b1-488a9033b2cso110775305e9.2 for ; Mon, 27 Apr 2026 08:04:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777302255; x=1777907055; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=k+rXCO4mUBoHaMSfoUP0Fw9J65bipPOLJZg1yJy+iuw=; b=cuAGkdaGAOlVpLNjrCNBPAZMJxNNHxl4hg36qoSXDkm21wTOHvnKmUO4I4y9Uggf85 Z3aRIoARPVn67DiutyXhymhjz4NUS0TV/wlDfYUKQ5YQa4bpdlhK4WgQ/pAfehH4WIXJ SpWCfC2vuI1LWzCZGQHuFf49NlHCk6NB2PAId797AenTWOZIG0mgwM5ULqytpAM8MfpK IJHuhdv+bQPr24UiqRDMFGfTrPAssuoU9x38JQTyA+/1OzpUMbsf4Swz+m6pVAF/P+Hu FFeYsDvG6Xm3t95AI/jjoZz81lwviBSMEnmnimbB/YFoGLEqJovkzCbZwABPlFOvD2aA KfLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777302255; x=1777907055; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=k+rXCO4mUBoHaMSfoUP0Fw9J65bipPOLJZg1yJy+iuw=; b=cHO2xX5Opbwz+YqSNxWSyTuLVJ1ScP28Hu4bn/y5LxuGaDpJIHNP4Xa+ku2WEcv+6T IAgGHXEo2ZGEmKrm6WeplZO0r3A9styE7VFdnXqbVYYRnGXq/NGqInbxlK4buraC7dvS wTAo7OcrS3VxJa9XlO/q0DkweDkeo7GeK7ZMhcZKuRFvB78g7Ean8aNUUuDcQACfUoVi nixm8VltIZ0ktrsBLaooZIEBHAvJ0ilhj1aAT0mUqS8ZhCVGSeJ5AyWYuEY6AEdASNhV iaEjr702HNYltXtzgIUDHhMBTDHyCBbw2BYHrfGjBeMi4N6X2BKJlo+TPWCwHYErqs0f L7rg== X-Gm-Message-State: AOJu0YxJMDL62RHecHdT9TzdygHds8ABpiFmCzDlvfuHIajMkZfhSIFy 7RumqJ+7+ZP5VNHBdn+f5Iti4B6Z6TO131s2RCGmtoyveuxHX0h2XRZrrH0keF8LRqM= X-Gm-Gg: AeBDieubrwD7oONNMMNXtu2FPLJ+GJFUJlW/uu7PaKBUW7pwLyddR2Dx0Zzf+Y6QYN+ ox89HynoT35ihc7V70gRRq1ZO3U0hLS3a2tNoVIIVV1b09fTpuTx7xixBEOqVSl5Tf71DWhJqRH 7/PmmbDPmJzEF/Sbn3+VDflP6PAi/79MW2W0S0RKxpcFdxkzEPUtMtNDYA9q/1wpOC8B+oT4R8m n5/naziFNmeffYQze/z/S87TdVp06WHLrcrHHw7qXj26VHaAs+5j6ZPynLZlPXNN0nWjt1go/Uh L3HNsY4OPhlCPYIcK7sKv04tvIj39Na70ljmQnZN9wJYYkW8+6t5R0MZMzMioUY2Xd43XOsIFHG AwitM8OsC62K2PGzMSf21TEUbZ07E3wVXdQTSgsbpgh03+ZYwgyzL6JGqB0sdrQ5UNE9EQbfyI/ rdxrRkB43mCRqQUmZrt2CByeRUprcTj4izGE6q72tIWVH/2eyJdsv0F78eQUN09rkHxqtNR+XL3 rAoN6CAy6Ewx3r6Xw== X-Received: by 2002:a05:600c:a30b:b0:485:17a7:b9c7 with SMTP id 5b1f17b1804b1-488fb750a2bmr435746585e9.10.1777302255373; Mon, 27 Apr 2026 08:04:15 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48919f54572sm235370215e9.26.2026.04.27.08.04.14 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Apr 2026 08:04:14 -0700 (PDT) From: Tudor Ambarus Date: Mon, 27 Apr 2026 15:04:09 +0000 Subject: [PATCH v2 4/6] firmware: samsung: acpm: Fix memory ordering race in RX path Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-acpm-fixes-sashiko-reports-v2-4-1ff8de94a997@linaro.org> References: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> In-Reply-To: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777302249; l=2809; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=m/tO5SKZlsZv2lDCNDVLmgGJxhoMZAGNBisteBM84SY=; b=5E5ST4vkspz2pIaYKwMEQIblGJZBWV/PhVFqy7dQxYqnohf57zk5thyo0lnNMquWf8nB01W4p JkoNrnwDadEBiGfuVEy/6Jd1w3UB0St5O12XXnW1CVE5X7T8uoO6Tlh X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified a memory ordering race in RX path [1]. When draining the RX queue or reading saved responses, the driver uses clear_bit() to release the sequence number back to the available pool. However, on weakly ordered architectures like ARM64, clear_bit() does not provide implicit memory barriers. This allows the CPU to reorder instructions, making the cleared bit globally visible before the preceding memory operations (memcpy() or __ioread32_copy()) have completed. If a concurrent thread allocates the newly freed sequence number, it can execute acpm_prepare_xfer() and zero out the buffer via memset() while the RX thread is still actively reading from it, leading to silent data corruption. Fix this by replacing clear_bit() with clear_bit_unlock() across the RX path. This provides release semantics, guaranteeing that all prior memory reads and writes are fully completed and visible before the sequence number is marked as free. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260423-acpm-fixes-sashiko-reports-= v1-0-2217b790925e%40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index bd0d48e9d157..c9aa79c2faa4 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -7,7 +7,7 @@ =20 #include #include -#include +#include #include #include #include @@ -206,7 +206,7 @@ static void acpm_get_saved_rx(struct acpm_chan *achan, =20 if (rx_seqnum =3D=3D tx_seqnum) { memcpy(xfer->rxd, rx_data->cmd, xfer->rxcnt * sizeof(*xfer->rxd)); - clear_bit(rx_seqnum - 1, achan->bitmap_seqnum); + clear_bit_unlock(rx_seqnum - 1, achan->bitmap_seqnum); } } =20 @@ -260,7 +260,7 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) if (rx_seqnum =3D=3D tx_seqnum) { __ioread32_copy(xfer->rxd, addr, xfer->rxcnt); rx_set =3D true; - clear_bit(seqnum, achan->bitmap_seqnum); + clear_bit_unlock(seqnum, achan->bitmap_seqnum); } else { /* * The RX data corresponds to another request. @@ -272,7 +272,7 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) rx_data->rxcnt); } } else { - clear_bit(seqnum, achan->bitmap_seqnum); + clear_bit_unlock(seqnum, achan->bitmap_seqnum); } =20 i =3D (i + 1) % achan->qlen; --=20 2.54.0.rc2.544.gc7ae2d5bb8-goog From nobody Wed Jun 17 06:28:44 2026 Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 26A3131F9BE for ; Mon, 27 Apr 2026 15:04:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302261; cv=none; b=DidNPsmeK3Sh4XQoTDZD5/Gxt0r9OTxqcR6CbLASQYVW3aomthgB0lL6WFFEs2IQZ0nGuwWu2lobDcyo5l//bw430essO+KrgPQy/QggHZ72KW62grPvFD5ghJvx+JEdyq2wqoh1/YVVXkNYx5JTJ+sIqF+/SdwL/mQU6VTRvOQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302261; c=relaxed/simple; bh=Ew+fLThVC+dSbzbNb1AU8XHhAhSM9m8r433IWvT/JQk=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=sDKJx1C8l5y7HZIfLk0yvpaydTPL16dizmZokEc6FJBnXP+WB/smcjCP23GNJltLUl9YMgxTPXhfL0KAeit/36q+n2HXlP9dqSm/fHtGKG61G4QwfkeHDf/5qhL01g/jucudjVJEKZmM2Nf8jw5wivy2r2FsqPbr/F2fjynHDqY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=N71769j6; arc=none smtp.client-ip=209.85.128.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="N71769j6" Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-48374014a77so135179395e9.3 for ; Mon, 27 Apr 2026 08:04:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777302256; x=1777907056; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=RZ7wHKT/b/1jeOqUNO1Le/y2Yble71O6C83Q1O+ta3U=; b=N71769j6wVHnXHihmoUacjSEEbz4P5NLhr/wxFHnXXW7cjGdsbcF9/sqdqbTEyY0u0 MadbvMdVbo6adSOF5RqUcN/N0phbC6OUSC5GFfKtgc8UXwhUn3KTPUvsgT3fjDPz5CBR YJQF4Kb/NKximM/Q1SoiEnmlO5guLQZRPpYItE2BGNuMwPxP5JeWc93teJs1UitttB6B 5ePhFMdPuNVskJrGNHbumXDGBhHjhCW7TGozlkStMXgTVOh5PgFoaEg8g+TDyURrrHuY VPBBVubp3jF1az+1sBT0TlLjVD8qn301SJr6m+22i8uDttBm0GzxTZJ5C+Z763Fd22wO nxKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777302256; x=1777907056; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=RZ7wHKT/b/1jeOqUNO1Le/y2Yble71O6C83Q1O+ta3U=; b=gUnmTvge7vnZiO30xXkgjbUo+VqDUFfci1Ial59jJi0csyaaDsxMR1BlFstNfbQAK/ 8p4ueLd5/SnQfFjqz/pE637NZ1G13SiRgT11ScNmakLCh19HS30leK+tNCvmZCQY9e14 xZlVS8MJKRQnTxTmaIaCAUgBicwj6a2BcqlN3wkETsGbVLZ5Q5mxIjgxAUYQ2Tz4puEx XrBFU4oI3HyGYBwguhQh38IJc/azdHpA9+Bax9L6ZRaxQ1LurL5gabfF9eDmO677PIDP xIH5Se3ikmAV1kvFpWV3xQJqKqXdjIJ7C2RDevf3xTXAXDUx8mx1KIurB1+bBZfjVo2G D5eA== X-Gm-Message-State: AOJu0Yx/ZtDIt/jxaFsbTts9U2WbS1kQX/AGEPWb75QmrzlgrDlNdwAW 547ri7ZLdttor5F9B6F4CYt7ebk1/UsMfjYrPiULrz7PCOiC9UtF0l1nBJd3CjEIWmA= X-Gm-Gg: AeBDieuLSUzjnH3QoyQ82TRMCE9M5iQX8Stmy5epyAqZwCyP6hQtaAA7DSMCHOAxitB /MPC7Iosp53DK87RcwLMoCIvoQwDZ4IkXYh27z68J8OelzzpJnjt3Qiznp8aQVtYvgghmX6zTwJ rvHomsw2wQzYpxLE1LkpqVYWIEGL93/xcWPokEy2l4vGHMP7WC1317b7swkvopRf5kf2jCY3Fyw jV5UtOJqshcaPMZJpm1Z61LfSGzfP6HlCyxwr8WV9yUkchHrjjtupgjBsRCpI0OaVjwOsMdDqR+ dz4yehKo4vFIP5AE1jmCSxKX1D10ZeAgRdeJ6H6FS4dACxUKHGGNa/f/gS3P0WUOVFrrNFEZsvd 8FSosN0OnWFfrEGEmV2fokEgae2pAHwSoF0W7RA+j/8ViPsSVKLRl+I4GXMOcoP/TUf0B/QpC8T OE+i65MeS8MFXVvPFVJedFefdKRH2FyofH7xaEIvBJxqr+0KamldGUexcNMoa7/+4YFCPPgDYJ/ eRVtCVoLo7Jjk9S4Q== X-Received: by 2002:a05:600c:6297:b0:486:d76c:fa57 with SMTP id 5b1f17b1804b1-488fb77155dmr577914705e9.17.1777302256438; Mon, 27 Apr 2026 08:04:16 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48919f54572sm235370215e9.26.2026.04.27.08.04.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Apr 2026 08:04:15 -0700 (PDT) From: Tudor Ambarus Date: Mon, 27 Apr 2026 15:04:10 +0000 Subject: [PATCH v2 5/6] firmware: samsung: acpm: Fix out-of-bounds read and infinite loop in RX path Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-acpm-fixes-sashiko-reports-v2-5-1ff8de94a997@linaro.org> References: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> In-Reply-To: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777302249; l=2000; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=Ew+fLThVC+dSbzbNb1AU8XHhAhSM9m8r433IWvT/JQk=; b=bNdL0A0E7+FoNQEHWtJ8/0fKtqwb636UbTf2X5UWD2LrhRiobr/5jvf4G8NE0a+KNaWY4PLU+ 5i5T2klfbR9CpJBuSWbdOvWAIXalA2MXO7vpbdhquEJVWqHFNX7wee6 X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified these bugs in [1]. The ACPM driver reads the rx_front and rx_rear pointers directly from SRAM and uses them to calculate SRAM offsets and loop termination conditions. If a firmware bug writes a value greater than or equal to the queue length (achan->qlen) at those addresses, two failures occur: 1. Out-of-bounds read: The rear pointer ('i') is used to calculate the MMIO address before the modulo operation is applied, leading to an immediate out-of-bounds memory access. 2. Infinite loop: The loop iterates using 'i =3D (i + 1) % achan->qlen'. Because 'i' is mathematically capped below qlen, if 'rx_front' is greater than or equal to qlen, 'i' will never equal 'rx_front'. The CPU will spin forever, holding the rx_lock and deadlocking the polling thread. Protect the kernel by strictly validating the MMIO queue offsets immediately after reading them. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index c9aa79c2faa4..43658cc1347a 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -230,6 +230,13 @@ static int acpm_get_rx(struct acpm_chan *achan, const = struct acpm_xfer *xfer) rx_front =3D readl(achan->rx.front); i =3D readl(achan->rx.rear); =20 + if (rx_front >=3D achan->qlen || i >=3D achan->qlen) { + dev_err(achan->acpm->dev, + "Invalid RX queue pointers from firmware: front=3D%u rear=3D%u qlen=3D%= u\n", + rx_front, i, achan->qlen); + return -EIO; + } + tx_seqnum =3D FIELD_GET(ACPM_PROTOCOL_SEQNUM, xfer->txd[0]); =20 if (i =3D=3D rx_front) { --=20 2.54.0.rc2.544.gc7ae2d5bb8-goog From nobody Wed Jun 17 06:28:44 2026 Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7AE6D31F98B for ; Mon, 27 Apr 2026 15:04:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302261; cv=none; b=mO3ny+Q268RzM1G8cneNrPBGbMb6iGrUcJoRb51huCgJB4wuVGhf4qiCs58UFUnkdKPpit1ToGemgn9iqEIndDhznWaRFGTkZAbjLoGJS93RdTB8kYJ+DlFwF3lJwDv9LaYp25KIafxJDJbMwdq8r1Iq82LIcyz+EALNqtWbYFk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777302261; c=relaxed/simple; bh=Pfox4HTiotQewHotJo3sawpHHhi3T/+sCUyRrpfeAbg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=NKSHV2MQyZE2uLMEO/dnz0iRheK5afLfhWGvETAMTDRsX5VkDTM9oQAGiw291FqMPJQzDjRUkbTeGp1tMLd7tlkzTA1f+9cynOUWkSSFjpBec99ajrXUd7D3/2hqawfHzsJzqmdJE/0udwSL8JnzXC07+5m4I+GWJbUwUHjPHho= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=lW5S+Vkd; arc=none smtp.client-ip=209.85.128.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="lW5S+Vkd" Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-488a14c31eeso85704895e9.0 for ; Mon, 27 Apr 2026 08:04:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777302258; x=1777907058; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=jr9BfdzOzeMntv3lCO5f0JbSt8ePeb2CrWVw6p0+VLk=; b=lW5S+VkdqWcsNUOYc4hnbsvTcyl/hYSh5XS2pZyuy0+gmDBQ+9h0Wy4JtO/V3d5AlZ 6BNsQHaxfkvIBFWiW99i3O4CU6VwaZXoTd1ZFIvkMh6S8jX/GJB5/Tzzc6SZU6/qn/1R Twgr6Bngm6fVnfyf5eRKfYE/PNhS5WlvoKwMWT1rQBygjo1XlCXPT75PwBfbJa/gD2RZ m9gO4Q/3dEdgel4kDSXHxGyMCbT+/FmxciThq7gVDeoBrKVV3X69qGbv4wqPxh+CHDCB u2WVyDCaRd2Oewmg3IH6idpB1+vo2wprX8yFtuvEgMa0KKMtGM7EI1vKYlP4QYWF1TU6 HNxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777302258; x=1777907058; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=jr9BfdzOzeMntv3lCO5f0JbSt8ePeb2CrWVw6p0+VLk=; b=CvwI4BdyMiGOxKGIoeuWdNiSUIDasv/JYDywHu6nHZr+HPiXFDkREJ44pca13K+6Ep ggWpfmQ5ZXmZrwdV0B761BKqqKUR9Wl7Ik+JyrintcKtHoFLBu77Wki/NHzyq9mMBhwW GnQL5nOduOsjkhA539Ue0u8ezh6g+0E/tPtdnfJsb5QnBVXSvXUVw50htGws3PUZptoV prPoKGAdBibWYCNpU9l1smTKu+U7dMfFJU55y78uvZ95qKeMwGSbp3qPAd+BqhZBY5tf nLhuvsA3fXntrXYt6j635uJAAlIH9EtYMLLUpmR6y2oh8DadKTuZtCWesIrf5gUNj1Ff AwCw== X-Gm-Message-State: AOJu0Yz3dT6BCDDvfqbZYQU17sQ7snnO938qrNrTnsQrbS5GTWm+VKyL WuZnX5hNLSBIE/nHl5pJrgl5hDodcbwxCciZtxeKfXpZOegWL0lZ4defZAl6aR1N180= X-Gm-Gg: AeBDieu1I6KnxpbQIONlYB0uVe34MHtK0lCIYPb3iZZ04DV1oCyzK9cKZapLpFop+xq O7dy4DU/LcRdUa966oiDyqZmtBbIKr7QDUUY63gt3a4iJxmBR5PusJrdAENXQF055d9aELMHJOq c/LAP8vLLW4c3BCmqBMT4TktGesAWJ6ZAHhzN1axengANvGqKfD6Srv0yugzbLikodr2lUp/UHl P+FowARhhEAxh9xouwnbxIRo2+ly4faBo8C+eXCxjJqMHiDzzx3IZ6raC2NBfvelUiFMXLSIL62 eyWwaUPsdMSA9DuCg2tZAhBWgWJww/FQLj0aiWuNBN3zr527YJVaKc8njpyXqFbMqPtSv9fnqb+ I0EtJll3FBgc2y5MAnvQHYoISU5YmH2wnaAlJbA7A62uHdpMf5iyqQZvklGpgeBgfKnlhGevNOd NotkWanw4B711DpkrQ0jG8Yuz4kJFy26j+aDfW6pGhKQcYmF9u5kZcUL2DwBoWm+sKkVr5kZIlQ smfKPoZQlq/SApNtLfJcrjieEJp X-Received: by 2002:a05:600c:a31a:b0:488:b239:77ec with SMTP id 5b1f17b1804b1-488fb778db4mr483500285e9.17.1777302257796; Mon, 27 Apr 2026 08:04:17 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48919f54572sm235370215e9.26.2026.04.27.08.04.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Apr 2026 08:04:16 -0700 (PDT) From: Tudor Ambarus Date: Mon, 27 Apr 2026 15:04:11 +0000 Subject: [PATCH v2 6/6] firmware: samsung: acpm: Fix infinite loop on sequence number exhaustion Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260427-acpm-fixes-sashiko-reports-v2-6-1ff8de94a997@linaro.org> References: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> In-Reply-To: <20260427-acpm-fixes-sashiko-reports-v2-0-1ff8de94a997@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777302249; l=3632; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=Pfox4HTiotQewHotJo3sawpHHhi3T/+sCUyRrpfeAbg=; b=T6uQ5V1I+QLmMDgHILxHzE6K8w70UcBWioqloz5BhgvWQGhSMPzxfAy0AkhHfQG2ZamvcXx8a Q2H+pFf3/J+D/OWHe0FvWpxr8FO1X0YQ9t6yJrretsDXP2JmLZ/djhx X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified a possible infinite loop [1]. ACPM IPC sequence numbers are tracked via a 64-bit bitmap. Previously, acpm_prepare_xfer() used a do...while loop to search for a free sequence number. If all 63 available sequence numbers are leaked due to transient hardware timeouts or mailbox failures, the bitmap becomes full. The next call to acpm_prepare_xfer() would enter an infinite loop. Fix this by utilizing the kernel's optimized bitmap search functions (find_next_zero_bit / find_first_zero_bit). If the pool is completely exhausted, log the failure and return -EBUSY to allow the kernel to fail gracefully instead of hanging. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 36 +++++++++++++++++++++++-------= ---- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index 43658cc1347a..f086084202fb 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -12,6 +12,7 @@ #include #include #include +#include #include #include #include @@ -370,29 +371,40 @@ static int acpm_wait_for_queue_slots(struct acpm_chan= *achan, u32 next_tx_front) * TX queue. * @achan: ACPM channel info. * @xfer: reference to the transfer being prepared. + * + * Return: 0 on success, -EBUSY if the sequence number pool is exhausted. */ -static void acpm_prepare_xfer(struct acpm_chan *achan, - const struct acpm_xfer *xfer) +static int acpm_prepare_xfer(struct acpm_chan *achan, + const struct acpm_xfer *xfer) { struct acpm_rx_data *rx_data; u32 *txd =3D (u32 *)xfer->txd; + unsigned long size =3D ACPM_SEQNUM_MAX - 1; + unsigned long bit; + + bit =3D find_next_zero_bit(achan->bitmap_seqnum, size, achan->seqnum); + if (bit >=3D size) { + bit =3D find_first_zero_bit(achan->bitmap_seqnum, size); + if (bit >=3D size) { + dev_err_ratelimited(achan->acpm->dev, + "ACPM sequence number pool exhausted\n"); + return -EBUSY; + } + } =20 - /* Prevent chan->seqnum from being re-used */ - do { - if (++achan->seqnum =3D=3D ACPM_SEQNUM_MAX) - achan->seqnum =3D 1; - } while (test_bit(achan->seqnum - 1, achan->bitmap_seqnum)); + /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ + achan->seqnum =3D bit + 1; + set_bit(bit, achan->bitmap_seqnum); =20 txd[0] |=3D FIELD_PREP(ACPM_PROTOCOL_SEQNUM, achan->seqnum); =20 /* Clear data for upcoming responses */ - rx_data =3D &achan->rx_data[achan->seqnum - 1]; + rx_data =3D &achan->rx_data[bit]; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); /* zero means no response expected */ rx_data->rxcnt =3D xfer->rxcnt; =20 - /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ - set_bit(achan->seqnum - 1, achan->bitmap_seqnum); + return 0; } =20 /** @@ -452,7 +464,9 @@ int acpm_do_xfer(struct acpm_handle *handle, const stru= ct acpm_xfer *xfer) if (ret) return ret; =20 - acpm_prepare_xfer(achan, xfer); + ret =3D acpm_prepare_xfer(achan, xfer); + if (ret) + return ret; =20 /* Write TX command. */ __iowrite32_copy(achan->tx.base + achan->mlen * tx_front, --=20 2.54.0.rc2.544.gc7ae2d5bb8-goog