From: Tudor Ambarus
Date: Wed, 29 Apr 2026 13:11:50 +0000
Subject: [PATCH v3 1/6] firmware: samsung: acpm: Fix cross-thread RX length corruption
Message-Id: <20260429-acpm-fixes-sashiko-reports-v3-1-47cf74ab09ad@linaro.org>
In-Reply-To: <20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org

Sashiko identified a cross-thread RX length corruption bug when reviewing the thermal addition to ACPM [1].

When multiple threads concurrently send IPC requests, the ACPM polling mechanism can encounter responses belonging to other threads. To drain the queue, the driver saves these concurrent responses into an internal cache (`rx_data->cmd`) to be retrieved later by the owning thread.

Previously, the driver incorrectly used `xfer->rxcnt` (the expected receive length of the *current* polling thread) when copying data for *other* threads into this cache.
If the threads expected responses of different lengths, this resulted in buffer underflows (leading to reads of uninitialized memory) or potential buffer overflows.

Fix this by replacing the boolean `response` flag in `struct acpm_rx_data` with `rxcnt`, caching the exact expected receive length for each specific transaction during transfer preparation. Use this cached length when saving concurrent responses.

Consequently, ensure that `xfer->rxcnt` is explicitly zeroed in driver helpers (e.g., `acpm_dvfs_set_xfer`) for fire-and-forget messages to prevent uninitialized stack garbage from being interpreted as a massive expected receive length.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
Signed-off-by: Tudor Ambarus
--- drivers/firmware/samsung/exynos-acpm-dvfs.c | 3 +++ drivers/firmware/samsung/exynos-acpm.c | 15 ++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm-dvfs.c b/drivers/firmware= /samsung/exynos-acpm-dvfs.c index 06bdf62dea1f..fdea7aa24ca0 100644 --- a/drivers/firmware/samsung/exynos-acpm-dvfs.c +++ b/drivers/firmware/samsung/exynos-acpm-dvfs.c @@ -31,6 +31,9 @@ static void acpm_dvfs_set_xfer(struct acpm_xfer *xfer, u3= 2 *cmd, size_t cmdlen, if (response) { xfer->rxcnt =3D cmdlen; xfer->rxd =3D cmd; + } else { + xfer->rxcnt =3D 0; + xfer->rxd =3D NULL; } } =20 diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index 16c46ed60837..e95edc350efa 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c 
@@ -104,12 +104,12 @@ struct acpm_queue { * * @cmd: pointer to where the data shall be saved. * @n_cmd: number of 32-bit commands. - * @response: true if the client expects the RX data. + * @rxcnt: expected length of the response in 32-bit words. */ struct acpm_rx_data { u32 *cmd; size_t n_cmd; - bool response; + size_t rxcnt; }; =20 #define ACPM_SEQNUM_MAX 64 @@ -199,7 +199,7 @@ static void acpm_get_saved_rx(struct acpm_chan *achan, const struct acpm_rx_data *rx_data =3D &achan->rx_data[tx_seqnum - 1]; u32 rx_seqnum; =20 - if (!rx_data->response) + if (!rx_data->rxcnt) return; =20 rx_seqnum =3D FIELD_GET(ACPM_PROTOCOL_SEQNUM, rx_data->cmd[0]); @@ -256,7 +256,7 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) seqnum =3D rx_seqnum - 1; rx_data =3D &achan->rx_data[seqnum]; =20 - if (rx_data->response) { + if (rx_data->rxcnt) { if (rx_seqnum =3D=3D tx_seqnum) { __ioread32_copy(xfer->rxd, addr, xfer->rxcnt); rx_set =3D true; @@ -268,7 +268,8 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) * clear yet the bitmap. It will be cleared * after the response is copied to the request. */ - __ioread32_copy(rx_data->cmd, addr, xfer->rxcnt); + __ioread32_copy(rx_data->cmd, addr, + rx_data->rxcnt); } } else { clear_bit(seqnum, achan->bitmap_seqnum); 
@@ -380,8 +381,8 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, /* Clear data for upcoming responses */ rx_data =3D &achan->rx_data[achan->seqnum - 1]; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); - if (xfer->rxd) - rx_data->response =3D true; + /* zero means no response expected */ + rx_data->rxcnt =3D xfer->rxcnt; =20 /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ set_bit(achan->seqnum - 1, achan->bitmap_seqnum); --=20 2.54.0.545.g6539524ca2-goog
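Review bot: In the `@@ -268` hunk of acpm_get_rx(), the copy into the cache now uses `rx_data->rxcnt`, but nothing in the visible lines bounds that value by the size of `rx_data->cmd`, which acpm_prepare_xfer() treats as `n_cmd` 32-bit words (`sizeof(*rx_data->cmd) * rx_data->n_cmd`). Since `rxcnt` is copied straight from the caller's `xfer->rxcnt`, a request with `rxcnt > n_cmd` would still overrun the cache when another thread drains it. Unless that is already rejected before acpm_prepare_xfer() runs, consider rejecting such a transfer up front or clamping the length at the copy.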
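Review bot: In the `@@ -380` hunk, the "response expected" decision moves from `xfer->rxd` to `xfer->rxcnt`, so the two fields must now agree for every caller, yet only acpm_dvfs_set_xfer() is updated in this patch. A caller that leaves `rxd` NULL with a non-zero `rxcnt` reaches `__ioread32_copy(xfer->rxd, addr, xfer->rxcnt)` in acpm_get_rx() with a NULL destination. Consider a sanity check that rejects `!xfer->rxd != !xfer->rxcnt`, and name in the commit message the other helpers that were audited.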
From: Tudor Ambarus
Date: Wed, 29 Apr 2026 13:11:51 +0000
Subject: [PATCH v3 2/6] firmware: samsung: acpm: Fix mailbox channel leak on probe error
Message-Id: <20260429-acpm-fixes-sashiko-reports-v3-2-47cf74ab09ad@linaro.org>
In-Reply-To: <20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad@linaro.org>

Sashiko identified the leak at [1].

The ACPM driver allocates hardware mailbox channels using `mbox_request_channel()` during `acpm_channels_init()`. However, the driver lacked a `.remove` callback and did not free these channels on subsequent error paths inside `acpm_probe()`.

Additionally, if `acpm_achan_alloc_cmds()` failed during the channel initialization loop, the function returned immediately, bypassing the manual cleanup and permanently leaking any channels successfully requested in previous loop iterations.

Fix this by modifying `acpm_free_mbox_chans()` to match the `devres` action signature and registering it via `devm_add_action_or_reset()`.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
Signed-off-by: Tudor Ambarus
--- drivers/firmware/samsung/exynos-acpm.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index e95edc350efa..bd0d48e9d157 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -529,8 +529,9 @@ static int acpm_achan_alloc_cmds(struct acpm_chan *acha= n) * acpm_free_mbox_chans() - free mailbox channels. * @acpm: pointer to driver data. */ -static void acpm_free_mbox_chans(struct acpm_info *acpm) +static void acpm_free_mbox_chans(void *data) { + struct acpm_info *acpm =3D data; int i; =20 for (i =3D 0; i < acpm->num_chans; i++) @@ -558,6 +559,10 @@ static int acpm_channels_init(struct acpm_info *acpm) if (!acpm->chans) return -ENOMEM; =20 + ret =3D devm_add_action_or_reset(dev, acpm_free_mbox_chans, acpm); + if (ret) + return dev_err_probe(dev, ret, "Failed to add mbox free action.\n"); + chans_shmem =3D acpm->sram_base + readl(&shmem->chans); =20 for (i =3D 0; i < acpm->num_chans; i++) { 
@@ -579,10 +584,8 @@ static int acpm_channels_init(struct acpm_info *acpm) cl->dev =3D dev; =20 achan->chan =3D mbox_request_channel(cl, 0); - if (IS_ERR(achan->chan)) { - acpm_free_mbox_chans(acpm); + if (IS_ERR(achan->chan)) return PTR_ERR(achan->chan); - } } =20 return 0; --=20 2.54.0.545.g6539524ca2-goog
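Review bot: The kernel-doc above acpm_free_mbox_chans() in the `@@ -529` hunk still documents `@acpm: pointer to driver data.` while the parameter is now `void *data`, which kernel-doc will flag as a mismatch. Rename the tag to `@data` and say it is the `struct acpm_info` pointer passed to the devres action.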
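Review bot: With the action registered before the loop in the `@@ -558` hunk, acpm_free_mbox_chans() now runs over all `acpm->num_chans` entries on any later failure, including entries whose `achan->chan` was never requested and the one left holding an ERR_PTR by `if (IS_ERR(achan->chan)) return PTR_ERR(achan->chan);` in the `@@ -579` hunk. The loop body is not visible here; please confirm it skips `IS_ERR_OR_NULL(achan->chan)`, or save the error and reset `achan->chan` to NULL before returning.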
From: Tudor Ambarus
Date: Wed, 29 Apr 2026 13:11:52 +0000
Subject: [PATCH v3 3/6] firmware: samsung: acpm: Fix dummy stubs to return ERR_PTR
Message-Id: <20260429-acpm-fixes-sashiko-reports-v3-3-47cf74ab09ad@linaro.org>
In-Reply-To: <20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad@linaro.org>

Sashiko identified a potential NULL pointer dereference [1].

The dummy stub implementation for devm_acpm_get_by_node() returns NULL when CONFIG_EXYNOS_ACPM_PROTOCOL is disabled. However, the active implementation of this function returns an ERR_PTR on failure, and the consumer driver checks the return value using IS_ERR().

Because IS_ERR(NULL) evaluates to false, returning NULL from the stub tricks consumer drivers into treating the NULL return as a valid handle. Subsequent attempts to access handle->ops result in a fatal NULL pointer dereference.

Fix this by returning ERR_PTR(-ENODEV) in the disabled configuration to correctly propagate the disabled state and match the API contract.

Cc: stable@vger.kernel.org
Fixes: 6837c006d4e7 ("firmware: exynos-acpm: add empty method to allow compile test")
Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
Signed-off-by: Tudor Ambarus
--- include/linux/firmware/samsung/exynos-acpm-protocol.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/firmware/samsung/exynos-acpm-protocol.h b/includ= e/linux/firmware/samsung/exynos-acpm-protocol.h index 13f17dc4443b..d4db2796a6fb 100644 --- a/include/linux/firmware/samsung/exynos-acpm-protocol.h +++ b/include/linux/firmware/samsung/exynos-acpm-protocol.h @@ -8,6 +8,7 @@ #ifndef __EXYNOS_ACPM_PROTOCOL_H #define __EXYNOS_ACPM_PROTOCOL_H =20 +#include #include =20 struct acpm_handle; 
@@ -57,7 +58,7 @@ struct acpm_handle *devm_acpm_get_by_node(struct device *= dev, static inline struct acpm_handle *devm_acpm_get_by_node(struct device *dev, struct device_node *np) { - return NULL; + return ERR_PTR(-ENODEV); } #endif =20 --=20 2.54.0.545.g6539524ca2-goog
From: Tudor Ambarus
Date: Wed, 29 Apr 2026 13:11:53 +0000
Subject: [PATCH v3 4/6] firmware: samsung: acpm: Validate SRAM shared memory and queue pointers
Message-Id: <20260429-acpm-fixes-sashiko-reports-v3-4-47cf74ab09ad@linaro.org>
In-Reply-To: <20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad@linaro.org>

Sashiko identified multiple missing validation checks [1].

The ACPM driver reads queue pointers (rx_front, rx_rear, tx_front) and configuration parameters (qlen) directly from shared SRAM without verifying their validity. Relying blindly on firmware-provided values leaves the kernel vulnerable to crashes or infinite loops if the firmware misbehaves.

This patch fixes three specific vulnerabilities:

1. RX path infinite loop and OOB read: The rear pointer ('i') is used to calculate the MMIO address before the modulo operation is applied. If 'rx_front' or 'i' are >= achan->qlen, the driver performs an out-of-bounds read.
   Furthermore, because 'i' is mathematically capped by the modulo operator, if 'rx_front' is >= qlen, 'i' will never equal 'rx_front', causing the CPU to spin forever and deadlock the polling thread.

2. TX path out-of-bounds: 'tx_front' is used to calculate queue indices. If it exceeds the queue length, it causes invalid state tracking and out-of-bounds memory accesses during __iowrite32_copy().

3. Divide-by-zero panics: 'qlen' is read from SRAM during channel initialization. If 'qlen' is 0, any subsequent modulo operations (% achan->qlen) will trigger a divide-by-zero kernel panic.

Protect the kernel by strictly validating the initialization parameters and MMIO queue offsets immediately after reading them.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
Signed-off-by: Tudor Ambarus
--- drivers/firmware/samsung/exynos-acpm.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index bd0d48e9d157..e4d8d1120192 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -230,6 +230,13 @@ static int acpm_get_rx(struct acpm_chan *achan, const = struct acpm_xfer *xfer) rx_front =3D readl(achan->rx.front); i =3D readl(achan->rx.rear); =20 + if (rx_front >=3D achan->qlen || i >=3D achan->qlen) { + dev_err(achan->acpm->dev, + "Invalid RX queue pointers from firmware: front=3D%u rear=3D%u qlen=3D%= u\n", + rx_front, i, achan->qlen); + return -EIO; + } + tx_seqnum =3D FIELD_GET(ACPM_PROTOCOL_SEQNUM, xfer->txd[0]); =20 if (i =3D=3D rx_front) { 
@@ -439,6 +446,14 @@ int acpm_do_xfer(struct acpm_handle *handle, const str= uct acpm_xfer *xfer) =20 scoped_guard(mutex, &achan->tx_lock) { tx_front =3D readl(achan->tx.front); + + if (tx_front >=3D achan->qlen) { + dev_err(achan->acpm->dev, + "Invalid TX front pointer from firmware: %u (qlen: %u)\n", + tx_front, achan->qlen); + return -EIO; + } + idx =3D (tx_front + 1) % achan->qlen; =20 ret =3D acpm_wait_for_queue_slots(achan, idx); 
@@ -574,6 +589,12 @@ static int acpm_channels_init(struct acpm_info *acpm) =20 acpm_chan_shmem_get_params(achan, chan_shmem); =20 + if (!achan->qlen) { + dev_err(dev, "Invalid shared memory parameters for channel %d: qlen=3D%= u\n", + i, achan->qlen); + return -EIO; + } + ret =3D acpm_achan_alloc_cmds(achan); if (ret) return ret; --=20 2.54.0.545.g6539524ca2-goog From nobody Tue Jun 16 19:36:52 2026 Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CA6103FBED4 for ; Wed, 29 Apr 2026 13:11:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.41 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777468319; cv=none; b=XDZF4d/w+6KHB3YHE3w2EbrasOw0FMuoLDaxuVxKinmuJnZUesIQ+V/3tXrvDFq3f4gwVaz0HL65zb/lR7fr8NBUv5yzukAa/8aGu5RLpB34sVL+a3VxfM/Gi02Lz9ZoZAxIhJaEfMdtruuKkcFUr0e15uTPf4WTi9Svnd8cK7Q= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777468319; c=relaxed/simple; bh=icbMfRdCY++qMwHt3NVqCYtxBBVHdcrDPMwKwp8NvrY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=H0x/bOt7Uez9v7uYy2qV02ff7IoG/I3Baby5180/biN5IY5N/YTX2xybbjCGCzI6X68ATm4L3iE6E6QV+Rx6qgkX5nT19jUQqLwsgaNYqIjlLT+VeypA1Mte6oQk3EIhj0Ws2kLFpXTTL37WrwTNk/1miIaud6L/3zhKY5JdF1w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=k374Qs6F; arc=none smtp.client-ip=209.85.221.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass 
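Review bot: the dev_err() added in the acpm_get_rx() hunk, and the matching one in the acpm_do_xfer() hunk, is not rate limited, and the bad value stays in SRAM after the -EIO return, so every later transfer on the channel logs the same line again. Patch 5/6 of this series already uses dev_err_ratelimited() for its exhaustion message; the same call fits both checks here.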
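Review bot: the acpm_channels_init() hunk rejects only qlen == 0, while the commit message promises strict validation of the initialization parameters. The RX and TX checks bound the indices by qlen, but nothing bounds qlen itself, or mlen (which the context in patch 5/6 shows multiplied into the address as achan->tx.base + achan->mlen * tx_front), against the size of the shared memory the channel was given. A firmware-supplied qlen that is too large therefore passes every index check and still addresses memory outside the queue. Consider checking here, with an overflow-safe multiply, that qlen * mlen fits the region.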
From: Tudor Ambarus
Date: Wed, 29 Apr 2026 13:11:54 +0000
Subject: [PATCH v3 5/6] firmware: samsung: acpm: Fix infinite loop on sequence number exhaustion
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260429-acpm-fixes-sashiko-reports-v3-5-47cf74ab09ad@linaro.org>
References: <20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad@linaro.org>
In-Reply-To: <20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org

Sashiko identified a possible infinite loop [1].

ACPM IPC sequence numbers are tracked via a 64-bit bitmap. Previously, acpm_prepare_xfer() used a do...while loop to search for a free sequence number. If all 63 available sequence numbers are leaked due to transient hardware timeouts or mailbox failures, the bitmap becomes full. The next call to acpm_prepare_xfer() would enter an infinite loop.

Fix this by utilizing the kernel's optimized bitmap search functions (find_next_zero_bit / find_first_zero_bit). If the pool is completely exhausted, log the failure and return -EBUSY to allow the kernel to fail gracefully instead of hanging.
Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 36 +++++++++++++++++++++++-------= ---- 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index e4d8d1120192..b8a4978b091b 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -12,6 +12,7 @@ #include #include #include +#include #include #include #include 
@@ -370,29 +371,40 @@ static int acpm_wait_for_queue_slots(struct acpm_chan= *achan, u32 next_tx_front) * TX queue. * @achan: ACPM channel info. * @xfer: reference to the transfer being prepared. + * + * Return: 0 on success, -EBUSY if the sequence number pool is exhausted. */ -static void acpm_prepare_xfer(struct acpm_chan *achan, - const struct acpm_xfer *xfer) +static int acpm_prepare_xfer(struct acpm_chan *achan, + const struct acpm_xfer *xfer) { struct acpm_rx_data *rx_data; u32 *txd =3D (u32 *)xfer->txd; + unsigned long size =3D ACPM_SEQNUM_MAX - 1; + unsigned long bit; + + bit =3D find_next_zero_bit(achan->bitmap_seqnum, size, achan->seqnum); + if (bit >=3D size) { + bit =3D find_first_zero_bit(achan->bitmap_seqnum, size); + if (bit >=3D size) { + dev_err_ratelimited(achan->acpm->dev, + "ACPM sequence number pool exhausted\n"); + return -EBUSY; + } + } =20 - /* Prevent chan->seqnum from being re-used */ - do { - if (++achan->seqnum =3D=3D ACPM_SEQNUM_MAX) - achan->seqnum =3D 1; - } while (test_bit(achan->seqnum - 1, achan->bitmap_seqnum)); + /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ + achan->seqnum =3D bit + 1; + set_bit(bit, achan->bitmap_seqnum); =20 txd[0] |=3D FIELD_PREP(ACPM_PROTOCOL_SEQNUM, achan->seqnum); =20 /* Clear data for upcoming responses */ - rx_data =3D &achan->rx_data[achan->seqnum - 1]; + rx_data =3D &achan->rx_data[bit]; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); /* zero means no response expected */ rx_data->rxcnt =3D xfer->rxcnt; =20 - /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ - set_bit(achan->seqnum - 1, achan->bitmap_seqnum); + return 0; } =20 /** 
@@ -460,7 +472,9 @@ int acpm_do_xfer(struct acpm_handle *handle, const stru= ct acpm_xfer *xfer) if (ret) return ret; =20 - acpm_prepare_xfer(achan, xfer); + ret =3D acpm_prepare_xfer(achan, xfer); + if (ret) + return ret; =20 /* Write TX command. */ __iowrite32_copy(achan->tx.base + achan->mlen * tx_front, --=20 2.54.0.545.g6539524ca2-goog From nobody Tue Jun 16 19:36:52 2026 Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A27D83FD126 for ; Wed, 29 Apr 2026 13:11:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777468320; cv=none; b=Krgd5U3u7TnqB9LBA+5OEx9n7W6RVYhqebcJLKQNBReMklueGuzLOImqzsI4BEdFfCRTn0Fs1Hr5u4zTVPUL1uXlzFqYN8ImOPeK7zUzUlWEHXK4eQimRwN/NLBOLmKwYJzaeXgLshZ4t1Kc6QoDBhnCB7Uoc9g+RBSC33YZXE0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777468320; c=relaxed/simple; bh=qIi4uEXjUsPRYYUetGAKlVVsN1QT6jgcMevIIMn2wws=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=OpLscdtUIWAZZ4HqjS6o95J9dfdXR/acCcTngZ99GETf+1EpW6YlmIfZsa0kyjj+5j+MgdNNklxRTPqTfzxXYpzBelSYgczgeJ05aqeiFsDonRVQ1elAtKJxVe8En6izZu8eTeSjx1cyQBdtSR9Jz0j+qwt6PGoUWmW6KlTMwPU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=Phta15bj; arc=none smtp.client-ip=209.85.128.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) 
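Review bot: in the acpm_prepare_xfer() hunk the -EBUSY path removes the hang, but nothing in this patch returns leaked bits to the pool, so once 63 timeouts have each left a bit set, every later transfer on the channel fails with -EBUSY. The commit message names transient timeouts as the source of the leak; either clear the bit on the timeout path or say in the kernel-doc that exhaustion is permanent for the channel. Separately, find_next_zero_bit() followed by set_bit() is not atomic as a pair, so a lockdep_assert_held(&achan->tx_lock) at the top of the function would document the locking that makes the allocation safe.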
From: Tudor Ambarus
Date: Wed, 29 Apr 2026 13:11:55 +0000
Subject: [PATCH v3 6/6] firmware: samsung: acpm: Fix memory ordering races in RX and polling paths
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260429-acpm-fixes-sashiko-reports-v3-6-47cf74ab09ad@linaro.org>
References: <20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad@linaro.org>
In-Reply-To: <20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org

Sashiko identified a memory ordering race in the RX path [1].

Sequence numbers are allocated by the TX thread and freed by the RX thread. Because the TX path is protected by 'tx_lock' and the RX path is protected by 'rx_lock', the shared 'bitmap_seqnum' is modified across two separate lock domains. Thus, the operations acting on the bitmap are effectively lockless and require explicit memory barriers.

This patch addresses missing barriers in two paths:

1. The Release Path (RX thread): When draining the RX queue, the driver reads the payload and uses a relaxed clear_bit() to free the sequence number.
On weakly ordered architectures like ARM64, this allows the CPU to make the cleared bit globally visible before the preceding memory reads (memcpy or __ioread32_copy) have completed. If a concurrent TX thread allocates the newly freed sequence number, it can execute memset() and corrupt the buffer while the RX thread is still actively reading from it. Fix this by replacing clear_bit() with clear_bit_unlock() to enforce Release semantics. 2. The Acquire Path (Polling thread): In polling mode, zero-length messages (rxcnt =3D=3D 0) can have their bits cleared by a concurrent thread that happens to be draining the queue. The polling thread waits on test_bit(). Because test_bit() lacks an acquire barrier, the CPU can speculatively execute the client driver's subsequent instructions before the RX thread's memory updates are globally visible. Fix this by pairing the release with test_bit_acquire(). Note that the TX allocation path (acpm_prepare_xfer) is safe as-is and does not require an explicit acquire barrier (like test_and_set_bit_lock) for two reasons: * Address Dependency: The CPU mathematically cannot calculate the destination pointer for the memset() until the non-atomic find_next_zero_bit() returns the index, naturally preventing speculative execution of the buffer wipe. * Lock Boundaries: The visibility of the atomic set_bit() to the next TX thread is safely protected by the 'tx_lock' boundaries (specifically the Release semantics of mutex_unlock). Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260423-acpm-fixes-sashiko-reports-= v1-0-2217b790925e%40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 32 +++++++++++++++++++++++++-----= -- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index b8a4978b091b..15627b439838 100644 
--- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -7,7 +7,7 @@ =20 #include #include -#include +#include #include #include #include @@ -207,7 +207,7 @@ static void acpm_get_saved_rx(struct acpm_chan *achan, =20 if (rx_seqnum =3D=3D tx_seqnum) { memcpy(xfer->rxd, rx_data->cmd, xfer->rxcnt * sizeof(*xfer->rxd)); - clear_bit(rx_seqnum - 1, achan->bitmap_seqnum); + clear_bit_unlock(rx_seqnum - 1, achan->bitmap_seqnum); } } =20 @@ -268,7 +268,7 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) if (rx_seqnum =3D=3D tx_seqnum) { __ioread32_copy(xfer->rxd, addr, xfer->rxcnt); rx_set =3D true; - clear_bit(seqnum, achan->bitmap_seqnum); + clear_bit_unlock(seqnum, achan->bitmap_seqnum); } else { /* * The RX data corresponds to another request. @@ -280,7 +280,7 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) rx_data->rxcnt); } } else { - clear_bit(seqnum, achan->bitmap_seqnum); + clear_bit_unlock(seqnum, achan->bitmap_seqnum); } =20 i =3D (i + 1) % achan->qlen; @@ -322,7 +322,14 @@ static int acpm_dequeue_by_polling(struct acpm_chan *a= chan, if (ret) return ret; =20 - if (!test_bit(seqnum - 1, achan->bitmap_seqnum)) + /* + * For zero-length messages (rxcnt =3D=3D 0), the bit can be + * cleared by a concurrent thread draining the queue. Use + * test_bit_acquire() to prevent the CPU from speculatively + * executing the caller's subsequent instructions before the + * hardware transaction is fully synchronized. + */ + if (!test_bit_acquire(seqnum - 1, achan->bitmap_seqnum)) return 0; =20 /* Determined experimentally. */ 
@@ -392,13 +399,24 @@ static int acpm_prepare_xfer(struct acpm_chan *achan, } } =20 - /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ + /* + * Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62). We do + * not need an explicit acquire barrier here because visibility to the + * next TX thread is safely protected by the tx_lock boundaries + * (mutex_unlock provides Release semantics). The RX thread only + * blind-clears bits and doesn't care about this. + */ achan->seqnum =3D bit + 1; set_bit(bit, achan->bitmap_seqnum); =20 txd[0] |=3D FIELD_PREP(ACPM_PROTOCOL_SEQNUM, achan->seqnum); =20 - /* Clear data for upcoming responses */ + /* + * Clear data for upcoming responses. Speculative execution of memset() + * is prevented by the strict Address Dependency (implicit barrier) on + * 'bit'. The CPU mathematically cannot calculate the destination + * pointer until find_next/first_zero_bit() returns. + */ rx_data =3D &achan->rx_data[bit]; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); /* zero means no response expected */ --=20 2.54.0.545.g6539524ca2-goog
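Review bot: the comment added above test_bit_acquire() in the acpm_dequeue_by_polling() hunk never names what the acquire pairs with; "before the hardware transaction is fully synchronized" does not tell a reader which store it orders against. Say that it pairs with the clear_bit_unlock() calls in acpm_get_rx() and acpm_get_saved_rx(). The comment also limits the reasoning to rxcnt == 0 although the early return applies to whichever seqnum has its bit clear, so either explain why only the zero-length case matters or drop the restriction.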
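Review bot: the comments added in the acpm_prepare_xfer() hunk justify leaving the allocation without acquire semantics by an address dependency on 'bit', but that dependency starts at the plain, unmarked bitmap read inside find_next_zero_bit() / find_first_zero_bit(). The kernel memory model only promises dependency ordering from marked loads such as READ_ONCE(), and the compiler is free to transform plain ones, so the release in clear_bit_unlock() has no formal acquire partner on the allocation side. test_and_set_bit_lock(), which the commit message already mentions, would make the pairing explicit; otherwise the comment should say the ordering is relied on in practice rather than guaranteed.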