From nobody Mon May 4 13:06:47 2026 Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7B25D3921FA for ; Mon, 4 May 2026 10:15:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.43 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889752; cv=none; b=nB6u3rJ1BHo0UZNffPM+/jqyGSFnntLNTPZ6Y5Q84jbjZWXvXxDbFJj2P1CeSKVyEaXqxlTwmoVQ2gBlX4v+lAFF8NK68M1oMr1uzxrxsn2RCvRUT8Wm9YtOnCy0OF+jNkHf56VDv57+wxBtOvAUJayhTCitSI6N2337/KJgYs0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889752; c=relaxed/simple; bh=QTePW60Bb9iT8APl2jkQnh+1qmdtoSopKY5nHEff6yQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=GLVBtntFF+FT7EeKySDuMxbJIr5FysLIoPyQX4h/oVaHUwx5Q/SAZVK/78gXfDuPU9qos8v6nl1uxJ4jl6SteP5JT5JAZkBYSWByg/qahUfQtUmdEr838McrO5rhMt64uK2CyP6RwdIZq3DWi4wafcmC56taemcZ/DCf6PoI2m0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=GRNitGcF; arc=none smtp.client-ip=209.85.221.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="GRNitGcF" Received: by mail-wr1-f43.google.com with SMTP id ffacd0b85a97d-43d734223e4so2235047f8f.0 for ; Mon, 04 May 2026 03:15:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777889748; x=1778494548; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=ougqSxlNHpdb7A3xiXDiO/CHpVSWdAi7241ogZispeo=; b=GRNitGcFvMvuAi977LRZRrppY1SVzrdTE8XkklQTb5PB4CaWHhnidXL1q1ibap2rAZ AVGQeh1m4XegoRWwUxfV1v65SaqqU/iS53LwbNuIJIN+Q2sb38jFmwYMJfoB1L1HTcOZ mBsgor4T+/lUTshT3v5T15cZKGj5pSTfyD7vjrdV/MQ1DkkPOy+cBppkY3KRIY4E079h W3f4VXDl3rPgcuWsFMtlV1P3hKkpFohsOap0PrzCvm9ayTa8R5QAJL/tzzXFrm3cBoI1 DfoI4EI59LITIqHO+SdpR7cbhKNQ4b1JTKsspPJZLa6gzwQLvQYSxAywkbg7xRfBL54k 7fog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777889748; x=1778494548; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=ougqSxlNHpdb7A3xiXDiO/CHpVSWdAi7241ogZispeo=; b=VY7eAfgCibI2tnl2acH/HZ7sDfE/1hBZipW3wY0+aOO7jiwb8TrE9V2/4olujHlLQf 29VCv3NXrYIwXorQcz0UIowds0yzwV/pmfabHcf8WYhaNXw26rZe2wc3HPhpP2pPbdWK iWW7COfJ+BAzKWHrr+A1+f+1cRgIKz2CW8fERS94wz6x0hrNytRLsQdPUeUyr6KeATKY OKEeXw2O01wueAr+9Ce9p79htKjv8ziWr4rVFyeFxssjmJw/w8bFEXhiwoX7lLaAsoDG qiqJtB3h2V0ufSOvc6QWqzfOEGdMxM4jwyXFP9ZtdpAeEgnME4iesWqKsu8jnCgEhJha MaPA== X-Gm-Message-State: AOJu0YzpmDyo9NlhXLEYZXs+Bxnc2R0OwbBEqtQUSE2pSBmZJ93VB4RS Tj+TwtvAitYwG0RUFsHE0HXKyaUXksqO+sYcc0txDjuOD4UtHgwwbTnGr4bBFecagpA= X-Gm-Gg: AeBDiev6nHpNO0chDUninJ6JxPMdX9LPmgItAWsfv513Zarwjfwv8wfe1+3RNTCSY+s SzgXxTB1gnmMBVc7bkhuwkuuBZIlbk6XnU723/f+nzPe5Irz13JcN5+zG5TL+CNSRC1mUrcvG+q uO+vwvTwBTl7czR3mQ+LQckIvJWL6G4BLN/bVWs1oDXB2LTRDHRFbRoLbn1FeSl/7MSrHODxtiu qBeiPxDdFqsZyX8v5ST0JjnkoCx3g2DiuRTv08J1QksaoYgQhvv2nsddqoODd3FMXHR/BL21AMj B9IsMfAsjFbUAhGW/kdBrbBFERIDV2BkcmNdlTxQrRt9WPBAWS1rp2KqZdJ1zwm5ZdE7G1/AJWz kKBnDnOMYMBRXL1KYoUtdDvZqrUyIpJEWrjTF9UioOEgzf+67bhZjWtuEjj1RGOmdvSvF+aqasd vM4Q2so0Bnt2yHrI1p6lj0hFDiFUSabosj6yit8iTrEtABmYu0mNYfzevLWH4vLhNXfBE0BrdpF W8fH5tQj8vjoQrAFA== X-Received: by 2002:a05:6000:3109:b0:44d:821:1a07 with SMTP id ffacd0b85a97d-44d08211be5mr10020820f8f.13.1777889747958; Mon, 04 May 2026 03:15:47 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-44a9879ef89sm28545366f8f.30.2026.05.04.03.15.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2026 03:15:47 -0700 (PDT) From: Tudor Ambarus Date: Mon, 04 May 2026 10:15:44 +0000 Subject: [PATCH v4 1/7] firmware: samsung: acpm: Fix cross-thread RX length corruption Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-acpm-fixes-sashiko-reports-v4-1-529246be6b2b@linaro.org> References: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> In-Reply-To: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777889746; l=4319; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=QTePW60Bb9iT8APl2jkQnh+1qmdtoSopKY5nHEff6yQ=; b=80zUlQrtsKlzxDbNPAjqKdF4gRyC7gSE+jSLVylLga3lpLyJFqwFJkPuwnnw17f/SpUk/JAGu D5Ns70AdZ2IAayurrPZxSkCThctnUnNJWZhSO/BWwzOez8JvXE3lf8N X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified a cross-thread RX length corruption bug when reviewing the thermal addition to ACPM [1]. When multiple threads concurrently send IPC requests, the ACPM polling mechanism can encounter responses belonging to other threads. To drain the queue, the driver saves these concurrent responses into an internal cache (`rx_data->cmd`) to be retrieved later by the owning thread. Previously, the driver incorrectly used `xfer->rxcnt` (the expected receive length of the *current* polling thread) when copying data for *other* threads into this cache. If the threads expected responses of different lengths, this resulted in buffer underflows (leading to reads of uninitialized memory) or potential buffer overflows. Fix this by replacing the boolean `response` flag in `struct acpm_rx_data` with `rxcnt`, caching the exact expected receive length for each specific transaction during transfer preparation. Use this cached length when saving concurrent responses. Consequently, ensure that `xfer->rxcnt` is explicitly zeroed in driver helpers (e.g., `acpm_dvfs_set_xfer`) for fire-and-forget messages to prevent uninitialized stack garbage from being interpreted as a massive expected receive length. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm-dvfs.c | 3 +++ drivers/firmware/samsung/exynos-acpm.c | 15 ++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm-dvfs.c b/drivers/firmware= /samsung/exynos-acpm-dvfs.c index 06bdf62dea1f..fdea7aa24ca0 100644 --- a/drivers/firmware/samsung/exynos-acpm-dvfs.c +++ b/drivers/firmware/samsung/exynos-acpm-dvfs.c @@ -31,6 +31,9 @@ static void acpm_dvfs_set_xfer(struct acpm_xfer *xfer, u3= 2 *cmd, size_t cmdlen, if (response) { xfer->rxcnt =3D cmdlen; xfer->rxd =3D cmd; + } else { + xfer->rxcnt =3D 0; + xfer->rxd =3D NULL; } } =20 diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index 16c46ed60837..e95edc350efa 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -104,12 +104,12 @@ struct acpm_queue { * * @cmd: pointer to where the data shall be saved. * @n_cmd: number of 32-bit commands. - * @response: true if the client expects the RX data. + * @rxcnt: expected length of the response in 32-bit words. */ struct acpm_rx_data { u32 *cmd; size_t n_cmd; - bool response; + size_t rxcnt; }; =20 #define ACPM_SEQNUM_MAX 64 @@ -199,7 +199,7 @@ static void acpm_get_saved_rx(struct acpm_chan *achan, const struct acpm_rx_data *rx_data =3D &achan->rx_data[tx_seqnum - 1]; u32 rx_seqnum; =20 - if (!rx_data->response) + if (!rx_data->rxcnt) return; =20 rx_seqnum =3D FIELD_GET(ACPM_PROTOCOL_SEQNUM, rx_data->cmd[0]); @@ -256,7 +256,7 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) seqnum =3D rx_seqnum - 1; rx_data =3D &achan->rx_data[seqnum]; =20 - if (rx_data->response) { + if (rx_data->rxcnt) { if (rx_seqnum =3D=3D tx_seqnum) { __ioread32_copy(xfer->rxd, addr, xfer->rxcnt); rx_set =3D true; @@ -268,7 +268,8 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) * clear yet the bitmap. It will be cleared * after the response is copied to the request. */ - __ioread32_copy(rx_data->cmd, addr, xfer->rxcnt); + __ioread32_copy(rx_data->cmd, addr, + rx_data->rxcnt); } } else { clear_bit(seqnum, achan->bitmap_seqnum); @@ -380,8 +381,8 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, /* Clear data for upcoming responses */ rx_data =3D &achan->rx_data[achan->seqnum - 1]; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); - if (xfer->rxd) - rx_data->response =3D true; + /* zero means no response expected */ + rx_data->rxcnt =3D xfer->rxcnt; =20 /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ set_bit(achan->seqnum - 1, achan->bitmap_seqnum); --=20 2.54.0.545.g6539524ca2-goog From nobody Mon May 4 13:06:47 2026 Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5C7F339768D for ; Mon, 4 May 2026 10:15:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.49 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889752; cv=none; b=KmNGkiQX17wViMtS/w1jVYRYIpdRSHLv4Yber712xiIOcfU/x42uCjNOAIn73qSCF5FGmQKoL70JAoqL9nzK0r85tUroRnpnMJTaJ+ZPCfJ5oLIBGtEi1ceW9LF20aeZZCgBLmF/hJ8SSX3jJLgpf8iJkMwmXijSyAbF+CN+wXA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889752; c=relaxed/simple; bh=d7vm0U9qdAXbH4NbIyamvNnVpjWmz6WguBCwDQ3CBjQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ocDR1JBMOkQiXgSgpYh6kNIhq5zd4oETNPM/r2RkfS11Ic0rqXvsboIXRF8nS9izhaoaiRN+5aGO8bXpJFD+9sxqx8UvLh2JI3nwhc9yHwdP3vMQxeo34LusEorhAi0VMLDbCtir8fPJKmb6oVWg5xILlOKPx8A0tRtU4EvZh44= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=uDs8mYqo; arc=none smtp.client-ip=209.85.221.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="uDs8mYqo" Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-44a044cb827so2524609f8f.0 for ; Mon, 04 May 2026 03:15:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777889749; x=1778494549; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=7zXNbcb1r2bmykw+LmN/b7BGBlvkjjNT8szr48jA7Sk=; b=uDs8mYqoVfAfiUt5oTZH1g887cUggCLw5tQiBMKpDBcP8aM7kWPVuMv0bqv5k6VagF ItbPiMgZjKK3DZ4KKjGEtciqpIVcVVEnkHT/u96SMnn0wwRiBKLvGXn5UXh3iKGhCQB4 uSqSrpTV7jRCKaxCcdV+7iSVuDbSowtPXdYIoxnnSlNFcGnPqdH5UGOaty5ZIW5QBpkd F4m+PVQYO1K3f4PrY3xLyGgCtX3in+zxySdlC04vwDwLIWw6RhIUxJ4naK3tzdeqnFz4 gXah22So9897tHjSrrwxUGq1RG8BaS3XUWGXzvq1jJKEnvEcE76GQzZx4N0oKkOrspot b8zA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777889749; x=1778494549; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=7zXNbcb1r2bmykw+LmN/b7BGBlvkjjNT8szr48jA7Sk=; b=qxhc3I/IXw/aPE4683nZHwhEwMazrBlQisZG9PRePCqv+nlN1GlOSOTohNS7YKx6l5 dF8xGswq6yNJs98bmaF/dKzT56S3sNz3OFWnCAv6EWNJXNzmdDZYNfRqwYA40lrTjKHL FD5yYYXbj9edZ7U9Xiy5Nhu+R7bW7rzZ9wV3HnBhnVpNV1tbnjjONGaAOqAZCqtxhOEO q5vkce4Pf12te3y0A18mVvFMpECtmW+laoOGBdvN/6tlpkMX6xGvl1PmC6xvTJzYttaA 1xQdNQcewI7BXUM0wVFcqm7gHHtk9Qt4Tp5RzAcHKsgU88fr3c13Lo9wmBeaJr+wqQxw PGkg== X-Gm-Message-State: AOJu0Yy6axFlibWT4tkUrsVHdisBLqEayFuUCS5ULqj403RClQRKjuU2 A49Bm/Wu+veM8r5V3VQUSFXgO+N37iVcQoVP8Gv4iSjK8DdhGYecMpeIdGqU/uwg5Dc= X-Gm-Gg: AeBDieuHA9sQ1sKMYGAMeKWRwNf4WAKsMtNHfSUWz93Ji6tXVhLeFZ5UrpJv3MgnkG9 AYdkYGnmTaT12AGQm33bab+jmg96XbGF7dcJX67K6yX1tU0zbeksZX0j7Fh4VUfwPzqjJhN2DJx uvM1VBfPNomZsPM2nFGtZLaeco6guenRwChQgnfsGkwXPogxT4Z90bT4NK2e84y6pMkqprQMjJK jw3skW084VXwhRx1wgnbB9z9SjTfbs3oQEZRU7/5hexutt914ualrtaCl6eVxSX1hZbrTCbDh1Z C/3sWPHuoaxkvZFFF7eYtbd/TuFzyFuew6YycC4Cof4yP663mjHFaZ24WODNH/4FvqlnbOC2rgQ SWEYrQjLmlcXTMC/EoliXOcsWxYu9aibnJnUpX9s3ZAGyvvrXLPKLqZKIW/Nc6gsFepMBObdCUt 8uc/QI5xPwlxJtLqXGkI6SNb1IfhrxQUEkvziv9+QPBUFDt6E2fFaJ5w/GuhHUyRKUyjko1ZsKo j04Cgb05O/W+z8TfA== X-Received: by 2002:a05:6000:1a8a:b0:439:beb9:5a96 with SMTP id ffacd0b85a97d-44bb6ab21e9mr15653154f8f.31.1777889748670; Mon, 04 May 2026 03:15:48 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-44a9879ef89sm28545366f8f.30.2026.05.04.03.15.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2026 03:15:48 -0700 (PDT) From: Tudor Ambarus Date: Mon, 04 May 2026 10:15:45 +0000 Subject: [PATCH v4 2/7] firmware: samsung: acpm: Fix mailbox channel leak on probe error Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-acpm-fixes-sashiko-reports-v4-2-529246be6b2b@linaro.org> References: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> In-Reply-To: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777889746; l=2402; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=d7vm0U9qdAXbH4NbIyamvNnVpjWmz6WguBCwDQ3CBjQ=; b=0rNQ8Y4iQCyOFXljmUsK4qxlKqz8T5lsKjJdTaI1xueZa/M4bjprLdfeJPxcebI5j9oy37Z3F lHwd2yowtI2AHXEbLPaxKxhmQ4iqTdhtr+bGVHVA1ymMWJdqABBvTvX X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified the leak at [1]. The ACPM driver allocates hardware mailbox channels using `mbox_request_channel()` during `acpm_channels_init()`. However, the driver lacked a `.remove` callback and did not free these channels on subsequent error paths inside `acpm_probe()`. Additionally, if `acpm_achan_alloc_cmds()` failed during the channel initialization loop, the function returned immediately, bypassing the manual cleanup and permanently leaking any channels successfully requested in previous loop iterations. Fix this by modifying `acpm_free_mbox_chans()` to match the `devres` action signature and registering it via `devm_add_action_or_reset()`. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index e95edc350efa..9766425a44ab 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -527,10 +527,11 @@ static int acpm_achan_alloc_cmds(struct acpm_chan *ac= han) =20 /** * acpm_free_mbox_chans() - free mailbox channels. - * @acpm: pointer to driver data. + * @data: pointer to driver data. */ -static void acpm_free_mbox_chans(struct acpm_info *acpm) +static void acpm_free_mbox_chans(void *data) { + struct acpm_info *acpm =3D data; int i; =20 for (i =3D 0; i < acpm->num_chans; i++) @@ -558,6 +559,10 @@ static int acpm_channels_init(struct acpm_info *acpm) if (!acpm->chans) return -ENOMEM; =20 + ret =3D devm_add_action_or_reset(dev, acpm_free_mbox_chans, acpm); + if (ret) + return dev_err_probe(dev, ret, "Failed to add mbox free action.\n"); + chans_shmem =3D acpm->sram_base + readl(&shmem->chans); =20 for (i =3D 0; i < acpm->num_chans; i++) { @@ -579,10 +584,8 @@ static int acpm_channels_init(struct acpm_info *acpm) cl->dev =3D dev; =20 achan->chan =3D mbox_request_channel(cl, 0); - if (IS_ERR(achan->chan)) { - acpm_free_mbox_chans(acpm); + if (IS_ERR(achan->chan)) return PTR_ERR(achan->chan); - } } =20 return 0; --=20 2.54.0.545.g6539524ca2-goog From nobody Mon May 4 13:06:47 2026 Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B555F3988EB for ; Mon, 4 May 2026 10:15:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.48 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889753; cv=none; b=SEpLalwehUkp4zdRGl5iqhTK07VlNDbt4i3PPsfaLKUe84pppUVzAEJSm1fwC7InkE2yI01oLbeqFM/Cbj9e6ajsw1vjEFQqXXA5S0gOzaRtYPmenCcJJcGgV6CQNr7C4saTdQRUzYxIEjgs/83JZ51EvVloK3/FTIN/NI9TCaw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889753; c=relaxed/simple; bh=TrETAIBRtr5BpleipM5VXU32aMTdlU394IStlNmAoNo=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=l1AypErGzx7KRLKRM++XX6wjKfqJZdOKfEs1eBTeEkztE1DEv03qj/iczO07SJJTSyZ8rVOluSdQAwFBFqAgD26gemhho2bHC3xJCizBC2nYXAMwWK0ToU/o7LgbIb88SkHFYoa3gPTG+VzGXEzuvbDybluMkAXLIrjJdIo1Xao= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=OjTEUlfN; arc=none smtp.client-ip=209.85.221.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="OjTEUlfN" Received: by mail-wr1-f48.google.com with SMTP id ffacd0b85a97d-44ce78ab5feso1203897f8f.0 for ; Mon, 04 May 2026 03:15:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777889749; x=1778494549; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=+Mo2IeU/AaXoLyUW0cqRpgQJYVfBlAhtHpp2oMUPg6A=; b=OjTEUlfNxGC41758zh+ueT+RSYTzbRLcr2f7rdcA1FddffBQvJRzuQ5VeCum4DQH+o JfDAy5iqZ83wZjf0gaRLLSH+cXD/GD6+l5eOvph3ezunkwPTXxJ7Md6bxacUGJUmbrN6 BA2yTigkoxFbC0J0gdp7MTZCcnnK+Ufn47OGUWvx6NiiBAnADEpvHf14GMHQio6DzGL/ PiZuIDNmzMx10SAp5ijYGeEX3QBLdxAqw6maGgp89LmJtm9OJZYhfVNBvn2sOHGr7Akf WhmnPNXWgcB+o5OKPzEDEnzLK1ejw9rHoY+mF4xG6R077lnDuApsDXs+S8jHCdrixypn WQyw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777889749; x=1778494549; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=+Mo2IeU/AaXoLyUW0cqRpgQJYVfBlAhtHpp2oMUPg6A=; b=bw9FMCnxAceKYoHz2QtLDQD4MkP2lA+h/VG7Vpvzxjc33V2TPi2tu2KUPP7qRR7YZ2 aus7BizyNiMhaaKAcibh9O0MqnQtTMN8hz8rOdBOJEGLC67b7QHMnBPoHYR7JWSeTA/0 8bnufMx0p8+alm6BoB4URJu4iZAGH3rw/yJkiHHlNOJdX8RW/vO8uEuEMFwCIhgbMXd/ dMwMu025Y0guqHZLPWGOflXURdsODUciW2fH5lRv64IXSfmcuJ7jWel+B7qxo2MyuU5y VqUKR5ZYbZdWlnouoXcSzryYz/yMERJaLY5afp/LQbT2cYR2S7iUWYkOE3BgiM+dNk+L Sf0Q== X-Gm-Message-State: AOJu0YwXC3I+VXY/5baXsbkPo4iFpbwEqP1bmBMSveybbXXuuSdMmC8X lukPfjlQVoADP5KhLc2OiFpRzFd4+YEkmfhva3SkS75dY70sMQ9+00AtiLGablrYAnI= X-Gm-Gg: AeBDieuDP0r31y8O2X8DLrrD/TAdIAxkXXbF9f+V1rBM8OdKVBm5oWj4N4MyzveD4od DPgqCZJayE3T6qH0jQpagqSJ3R7nRLRwRT8UpClOz0tj4l1JO3wHbeUMhQ+5dKWfSTd/KYeJ7Bv 328Lnb444CXWNnWq+WztcHyBWX46gZKAHyKiewSzqZAMkJy1ysGV+HpbMgqS4HtNwBMusbnyjN0 sKtgVNKg1yJ3wekA/tP3fdkddWqw7EgBqTtfemz2+mEzujdoPHz41KBDbUa3ke4tFcmyu4ps6De Ag3WfHWg1BXteGZA5B0mIh9S57Xcmb4GVq6h31BZxCG3EcXJgLqtQVcC1MI+l6FlHtQtGWSd7NY AbmTD2SWs9ddUG5ZgpWoC4JBMJBEgZLbC6MBfd53khdvPa60ocFBHcTX0PQf6Nl9GMn0Le6oL+i QfB283L/Osxjh3TqmHtP90f8lF7dCetmOOJoyBN+e1iP6ogXihMCOWsdMY3JKK/2X6sv8ElBzGF tLFrFnlLbjurvfDkA== X-Received: by 2002:a05:6000:2dc6:b0:43f:e99a:ff91 with SMTP id ffacd0b85a97d-44bb4538036mr13545221f8f.4.1777889749199; Mon, 04 May 2026 03:15:49 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-44a9879ef89sm28545366f8f.30.2026.05.04.03.15.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2026 03:15:48 -0700 (PDT) From: Tudor Ambarus Date: Mon, 04 May 2026 10:15:46 +0000 Subject: [PATCH v4 3/7] firmware: samsung: acpm: Fix dummy stubs to return ERR_PTR Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-acpm-fixes-sashiko-reports-v4-3-529246be6b2b@linaro.org> References: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> In-Reply-To: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777889746; l=1843; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=TrETAIBRtr5BpleipM5VXU32aMTdlU394IStlNmAoNo=; b=pwo0xPZ+j2nUIqRUV0W+GmOAiRSFJ9hB1ibEiJnHUOT5RynjZS2zWHluR75Uagx6xq6iMWjKr 7H6qLWZki7ADMzuDAAtTu0ijPIK7z7dJq5AyuHmxz7AJ+lK1nM6C8kp X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified a potential NULL pointer dereference [1]. The dummy stub implementation for devm_acpm_get_by_node() returns NULL when CONFIG_EXYNOS_ACPM_PROTOCOL is disabled. However, the active implementation of this function returns an ERR_PTR on failure, and the consumer driver checks the return value using IS_ERR(). Because IS_ERR(NULL) evaluates to false, returning NULL from the stub tricks consumer drivers into treating the NULL return as a valid handle. Subsequent attempts to access handle->ops result in a fatal NULL pointer dereference. Fix this by returning ERR_PTR(-ENODEV) in the disabled configuration to correctly propagate the disabled state and match the API contract. Cc: stable@vger.kernel.org Fixes: 6837c006d4e7 ("firmware: exynos-acpm: add empty method to allow comp= ile test") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- include/linux/firmware/samsung/exynos-acpm-protocol.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/firmware/samsung/exynos-acpm-protocol.h b/includ= e/linux/firmware/samsung/exynos-acpm-protocol.h index 13f17dc4443b..d4db2796a6fb 100644 --- a/include/linux/firmware/samsung/exynos-acpm-protocol.h +++ b/include/linux/firmware/samsung/exynos-acpm-protocol.h @@ -8,6 +8,7 @@ #ifndef __EXYNOS_ACPM_PROTOCOL_H #define __EXYNOS_ACPM_PROTOCOL_H =20 +#include #include =20 struct acpm_handle; @@ -57,7 +58,7 @@ struct acpm_handle *devm_acpm_get_by_node(struct device *= dev, static inline struct acpm_handle *devm_acpm_get_by_node(struct device *dev, struct device_node *np) { - return NULL; + return ERR_PTR(-ENODEV); } #endif =20 --=20 2.54.0.545.g6539524ca2-goog From nobody Mon May 4 13:06:47 2026 Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 37B2F39B4BC for ; Mon, 4 May 2026 10:15:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.44 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889754; cv=none; b=upWNTYio2/uCiK+g/Wn+Dd6xitQzmPk7P++zFD+cCmgb8beS0Ku+s96gD3ukOT7+ieF82++7dpIlrSOQWMR8V5QzkNTRdlFbDPLi/h7DKaZHmioa/u5Xlp4y9QXSveZE05kNr75aiuWdwrEZwct61MwmGgNfIHZcW3B649Yg9GM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889754; c=relaxed/simple; bh=wZGIg1WvrcZuYhDQpreZS8xozMJIsonW/o4iqtdaJ6c=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=qr+5H0nKSN+qnBCI92kA27HqO2EPJY6NoANpHr8xm3/OkUmB3XqvrQpwstvBMtI6aM9TBC9v3TB9UKQ1ITYFKd7Jbj6+KFUEZ21itae/8FeCUwtqeIo0oK7004H6prF0NRziCEJCjfBlD0eGU98IIShncZJtLoTgN2XHnGMuhi4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=YmeEFNYk; arc=none smtp.client-ip=209.85.221.44 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="YmeEFNYk" Received: by mail-wr1-f44.google.com with SMTP id ffacd0b85a97d-44c350a5b87so758994f8f.3 for ; Mon, 04 May 2026 03:15:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777889750; x=1778494550; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=4AFkvwk1yHFeeDLYag5Oi8EMMsCVOXTu0Co6nMK2/h4=; b=YmeEFNYkpQ5ZiugV3nwtJOP2UoMso1zydTxoSDFOcOiPwSBJK1A2qgm9oAZKs4y2Su Gqdpt5/YOUSDMlua2l8AwgRNQBs8QxynZF4Ctk+svYENr9qcbV5J04wErinafvucUJYM fSeTpEeiLZ+oGj2SdCT5C74/UZmIrvxG1eIFAej9LAX9tlxD2mk7QvEIrrdOZpgLX8+W ZzEZQwkzpPVdCJ8zY/wYRrP1tfrwyg9CFchN4FYOFlq2JpLIGU+skG4dQ5LT3g49Be2S tcttLuf0S2q1k/mm+1+ckdsGc8Jy/O5YKFh2JcC4ib0hQN8rYXk1itSq8dv4Aco3oRHr JLsw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777889750; x=1778494550; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=4AFkvwk1yHFeeDLYag5Oi8EMMsCVOXTu0Co6nMK2/h4=; b=REfqM70y4O9JonoK/8mBsbVAzQ1D2CuzPL3WpLsBleCcm+q3/hEoj3E5VEaBXV/FnD R3da5ZvVFezNTMcuR09sDVnF1KlR3iAhnmIVerAMkfa3JSLldxzeVqn+6TZPlwuW9SFk LEZOwxaq8jjFpJdLRpD1zweUJP0aGHgJFKfnMrpOMwVFklWmzWBKSvDjfP6NOvZy2ANz Gz8qRgpPrNTNnbJbnZWNtMam1AU3yxHhX1jOVYeN7/rSTz57GsSL4hA6fppByCO2KLpW 1M13QgTyX2TIJclQXh8doT2O43LeH8OIBpqQ14pWXZRQHXF0dRewXBlzifPMtqaOw8ie sc9A== X-Gm-Message-State: AOJu0YwhBUGz3htVTWJkja1GOEM+FIobEjnfpv/7cNkCU5H24bUEhqGh T6YdrFJgvrs+OBvJDPPtB3bse5Af1tKul/xcpKRIN0mIc6lcHMgr3pMJS/e2eTKvJxI= X-Gm-Gg: AeBDietG4NXRgYxND6EBlRp47AEscX+dwsIIj+eFvuSF0FMmkgUTo4LRjgAWdNGIlLT ivsbhbxP1aLVxdEYO6V93e0mdw/ePNjk7Ml6wqaYUYT5xk8kKAu/HMwrrnwT5UFTEp3AK4kJCJS V/ayLTMBOFe69NH2IrhmijDWjhcak9eO62hBX96gTEjYS20ASeNSNdEUNaGhCR8BgjyPlpLKoiT /Vojys5XR/xCBHURAONTlPnPireRCAyx1xvRtnkss5LaKHMEfjiILEwKhKWjd3RUYo2Fhtme83r 1JFzkFkE/OeXdTb7iI1Fkliy0BPbYQk0vcuEaim2DitIH3w/d0bobl3jJ8utxPjk69np7TxAZWh nVXbhp93dIp8NTYDLealM02YsX3BIoOBToaGv0CD9N1Ybte3TpCDZVyClgwS6C3jEilHymJr4GX MpGzX8bPgjxmfOSqcV4RstwI+ohZv9Hm6BAv3s8LBXQh9zHZa4nh6t5dhLHywG6XdWdZhGwbBpr QH7xPqvUhPc5pKdlg== X-Received: by 2002:a05:6000:2906:b0:44d:4898:7ed9 with SMTP id ffacd0b85a97d-44d489881bbmr8562220f8f.23.1777889749744; Mon, 04 May 2026 03:15:49 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-44a9879ef89sm28545366f8f.30.2026.05.04.03.15.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2026 03:15:49 -0700 (PDT) From: Tudor Ambarus Date: Mon, 04 May 2026 10:15:47 +0000 Subject: [PATCH v4 4/7] firmware: samsung: acpm: Add memory barrier before advancing RX pointer Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-acpm-fixes-sashiko-reports-v4-4-529246be6b2b@linaro.org> References: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> In-Reply-To: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777889746; l=2113; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=wZGIg1WvrcZuYhDQpreZS8xozMJIsonW/o4iqtdaJ6c=; b=suLmSOE+T23wbkQEcy8h90SPyQuIK637mI8IZ9Ruc7euPvI2vIZ2kHtS6x9sSzy80sumoELUw twf0j7bUtcvCZwZaVcYPk8Znt+FJlyLRxilXSSdTe46SYqdAH2SzCha X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified a silent data corruption in [1]. In acpm_get_rx(), the driver reads the response payload from SRAM using __ioread32_copy() and subsequently updates the hardware RX rear pointer via writel(). On weakly ordered architectures like ARM64, writel() provides a write memory barrier (wmb()), which strictly orders prior writes against subsequent writes. However, it does not order prior reads against subsequent writes. Consequently, the CPU is permitted to reorder the writel() store to become globally visible before the payload reads have completed. If this reordering occurs, the firmware may observe the updated rear pointer, assume the queue slot is available, and overwrite the SRAM payload while the kernel is still actively reading from it, leading to silent data corruption. Fix this by inserting a full memory barrier (mb()) before the writel() to guarantee that all payload reads have completed before the hardware queue pointer is advanced. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260429-acpm-fixes-sashiko-reports-= v3-0-47cf74ab09ad%40linaro.org Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index 9766425a44ab..a9449bc33bd0 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -5,6 +5,7 @@ * Copyright 2024 Linaro Ltd. */ =20 +#include #include #include #include @@ -278,6 +279,9 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) i =3D (i + 1) % achan->qlen; } while (i !=3D rx_front); =20 + /* Ensure all payload reads complete before advancing the rear pointer */ + mb(); + /* We saved all responses, mark RX empty. */ writel(rx_front, achan->rx.rear); =20 --=20 2.54.0.545.g6539524ca2-goog From nobody Mon May 4 13:06:47 2026 Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B8CA339A805 for ; Mon, 4 May 2026 10:15:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889753; cv=none; b=EvZcwmx0UdaKjCnJuwjrCGECiJso6QHgquig0HuT1IGQvC1o8+maIdsYcY2eTSsuLwXUWunIM/ygEik7USiDlXQJOPG+v2GUNHSMN00LMJGdpAm//o/dPRMj4bf2oeRAyjd/3jJxwCew6DlKlZQeAK2IcI0yHhmtIvBl5kzohfU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889753; c=relaxed/simple; bh=tcFrmEcYu2tzuwg42FiZIub27Jmrw6YPYJg6B/kafic=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=eI6zL8ODsCcZm5C8KqcaLGy1NMQ6W5/ytzCN7/sdYr0TydtvF+mP/HQZ4+G28pHdXQz2n0dIMNtXW/LjsIuHzSSym2bPtmtCnQ0djmQcIirYXV6nWIf5xC7Zqg2twxVqJUW66Db72Pg5Y0+tMRhwlHAO21kFmEcEnhmFUcwqyvw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=L4nCdkCH; arc=none smtp.client-ip=209.85.128.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="L4nCdkCH" Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-4891c0620bcso27147705e9.1 for ; Mon, 04 May 2026 03:15:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777889750; x=1778494550; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=yeMW31xh2IrRZGJdOFJPgh5TF/3iY7D9q0BMKHUqLFA=; b=L4nCdkCHEkKnnSoaNFynUCHf8bKZgoyV5BGM50zZV1uRdyJNP1kCsQqaoXoXISyzaO GKcmdpGcydYeiIWJcceoSCJjv6tvs/0Uel8QK/ZJk2PoaFhFwW1o3H2pP2mEI8GogqkG pPdus302M1aqCLfN2aJ2hkkPAg4j4KV30oXi1uCjACiSZQNgx9TqfTniMHcIf+9+KpEg TfMw7zUoBya6PgX762QH56ta43VPXVjBOFzun1YjB8xFLLJVlOpYOzlgdmLT9iKaXojl dRBu1DwusTe7/D/LWPr8xD19R5l09mtiaigespV1KnGNgykwCHg9BNv2zlcQB9htHTXt GYcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777889750; x=1778494550; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=yeMW31xh2IrRZGJdOFJPgh5TF/3iY7D9q0BMKHUqLFA=; b=nqAZna9BUtfdSpRXxJJz5RANaXjJQh9C+nxW59AJ2FvyOd1Ddz1zul95j8ezcIMnKr P8xX+ZBYKXfNwDiviry3Fx4Z/BNx2TWfjCKP+JQ7SmqeXNM/5uWLhTOhJrceG4pB3WLB utvd4l8f3juY4lAmlkSj0FZ6WOn6pXl6pKflbGZzFTeLl+rO/XzelwBm4DozJ9oc27k7 JydI7Y9iCQSOaorcJj9dKmN/eeTjkDlJXA3Khvl+JWesgT767mnKqxNu1wz6H5Pul2R1 j7QKTln/43fnqmQ9oz43lPyQ756zSdAvt9LDCizQdAop7VsJf56zJ1n611IaecLl50j0 4sXg== X-Gm-Message-State: AOJu0YwIiruGREO5dbcH/xi7tVO9m752jeVpY+6Ut6J9U1Gyq5dnZ8uH nEYDnVDTwEYfkSIAzN3XA8XY0WMwZTZg943PtptdYyv15xOTT7RAk2ZyDqlNVBUY2iQ= X-Gm-Gg: AeBDieuQFXHVBZTCMrUFYRUWoS75pqphofogF/0f5Ei4N8Upj8k/uN3X18h+tOElD87 auK3Vggvh+6fPPCUzg8apTOiw8mGkTkYvfb+CQLWvPvW9pO103eRgV2IRoWpfFrautPytQ2RzV2 1po/YVMijNVNbdbCyoMjX9itNO9nLPC/wCIGZRDkJV88POTL8sIuRse1A2eY6/hoFu8eLKQC5id qHOVcpkfA3co5ZMiHDFQxImn7XkMZpYGUu5VBKDw8KpbMmmnig8PJghK4BbY0pTa00ZwrEkXPv5 0KI8I+m2IvUqzcTPrrPqHwhsmFEYAzjhbtDphUJKZIOrRjO5usPSvu+54djGPE0ilqIrOHLujnA yAGtzLNPn7fb2ko50I/CGFupZWVgrq4ZjuHTE66xVZVPTLFmHu6IlBMR1NwaYiOXfQ1Fk+rE1Qy RlYRL3myQ1QBgIZNzIT04FAw4fX+3ASKwVmQZzKN3jG2zHJ1tiD9uMnHsjrp3K6zfQ9I2a3Ku1r w0/2qkeF878mQMZkw== X-Received: by 2002:a05:600c:4450:b0:489:fec9:a17e with SMTP id 5b1f17b1804b1-48a98874d1emr142393595e9.12.1777889750219; Mon, 04 May 2026 03:15:50 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-44a9879ef89sm28545366f8f.30.2026.05.04.03.15.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2026 03:15:49 -0700 (PDT) From: Tudor Ambarus Date: Mon, 04 May 2026 10:15:48 +0000 Subject: [PATCH v4 5/7] firmware: samsung: acpm: Fix false timeouts in polling path Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-acpm-fixes-sashiko-reports-v4-5-529246be6b2b@linaro.org> References: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> In-Reply-To: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777889746; l=3926; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=tcFrmEcYu2tzuwg42FiZIub27Jmrw6YPYJg6B/kafic=; b=byoTnQZ9OiajgkE1qADTMGG6v0P5Fdr56zuMUYOg3Q5Dhm6jmJ3RlDch4Q8PEZoRRi3hYRceW mdaoebfXMCoDO432C7dm4UjTiQdSX8QI2aM9laroHWs4R/gnxYG+MEt X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified the bug in [1]. In the ACPM driver's polling mode, the polling thread waits for a response by monitoring the globally shared 'bitmap_seqnum' using test_bit(). This creates a severe bit-reuse race condition. If the RX thread successfully processes the response and frees the sequence number, a concurrent TX thread can immediately reallocate that same sequence number and set the bit back to 1. The original polling thread will wake up from its udelay, observe the bit is 1, falsely assume its transaction is still pending, and eventually timeout (-ETIME). Fix this by decoupling the polling completion signal from the global sequence allocator. Introduce a dedicated 'bool completed' flag per sequence number slot. The RX thread sets this flag using smp_store_release() once the data is safely copied, and the polling thread waits on it using smp_load_acquire(). Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260429-acpm-fixes-sashiko-reports-= v3-0-47cf74ab09ad%40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index a9449bc33bd0..ad677962d10b 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -106,11 +106,14 @@ struct acpm_queue { * @cmd: pointer to where the data shall be saved. * @n_cmd: number of 32-bit commands. * @rxcnt: expected length of the response in 32-bit words. + * @completed: flag indicating if the firmware response has been fully + * processed. */ struct acpm_rx_data { u32 *cmd; size_t n_cmd; size_t rxcnt; + bool completed; }; =20 #define ACPM_SEQNUM_MAX 64 @@ -261,6 +264,12 @@ static int acpm_get_rx(struct acpm_chan *achan, const = struct acpm_xfer *xfer) if (rx_seqnum =3D=3D tx_seqnum) { __ioread32_copy(xfer->rxd, addr, xfer->rxcnt); rx_set =3D true; + /* + * Signal completion to the polling thread. + * Pairs with smp_load_acquire() in polling + * loop. + */ + smp_store_release(&rx_data->completed, true); clear_bit(seqnum, achan->bitmap_seqnum); } else { /* @@ -271,8 +280,19 @@ static int acpm_get_rx(struct acpm_chan *achan, const = struct acpm_xfer *xfer) */ __ioread32_copy(rx_data->cmd, addr, rx_data->rxcnt); + /* + * Signal completion to the polling thread. + * Pairs with smp_load_acquire() in polling + * loop. + */ + smp_store_release(&rx_data->completed, true); } } else { + /* + * Signal completion to the polling thread. + * Pairs with smp_load_acquire() in polling loop. + */ + smp_store_release(&rx_data->completed, true); clear_bit(seqnum, achan->bitmap_seqnum); } =20 @@ -318,7 +338,13 @@ static int acpm_dequeue_by_polling(struct acpm_chan *a= chan, if (ret) return ret; =20 - if (!test_bit(seqnum - 1, achan->bitmap_seqnum)) + /* + * Safely check if our specific transaction has been processed. + * smp_load_acquire prevents the CPU from speculatively + * executing subsequent instructions before the transaction is + * synchronized. + */ + if (smp_load_acquire(&achan->rx_data[seqnum - 1].completed)) return 0; =20 /* Determined experimentally. */ @@ -384,6 +410,7 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, =20 /* Clear data for upcoming responses */ rx_data =3D &achan->rx_data[achan->seqnum - 1]; + rx_data->completed =3D false; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); /* zero means no response expected */ rx_data->rxcnt =3D xfer->rxcnt; --=20 2.54.0.545.g6539524ca2-goog From nobody Mon May 4 13:06:47 2026 Received: from mail-wr1-f51.google.com (mail-wr1-f51.google.com [209.85.221.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F29538CFE7 for ; Mon, 4 May 2026 10:15:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889754; cv=none; b=foOW77zsa8tQVRNBgN89jg0jR6dVsohk+glujm4PCdEKvlf4P8lQE6zdtvG23aZIg1SB6kX8o6e8WFQCHAOstkK9EoEQSX9mn2CsO0tBllNwdCT2XSvP86uwVa17hc5HHz6AihxMgKbgwUoKlhddGPWZAW9sWliBuPGjrfe+EQs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889754; c=relaxed/simple; bh=S69mcWVdJW47YZsriq5gOrBQLK0ksV3oXVdlIgpsiSo=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=LavBqYcXnCFfJiVHAnjRtxwpKVCx5zG+HkUp8gYscWNZTOLsLmmHcd4KMF3f4WP1eAKnNf9bjR23Nz14GpNI6YVgrqqkAR2T7KmiuZ5+4b7tPtSj1Tj3qD6rDNZlHN+fQ55rwo4rJasbPJwo4ob65egyPy09676DPWp6bP/KTOs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=sCOUUjzp; arc=none smtp.client-ip=209.85.221.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="sCOUUjzp" Received: by mail-wr1-f51.google.com with SMTP id ffacd0b85a97d-43d64313c39so2767322f8f.3 for ; Mon, 04 May 2026 03:15:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777889751; x=1778494551; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=nTcuuyPM1STHES+1Gqa4UfN+n+nje0Qh2APGzRVoQg0=; b=sCOUUjzpDEB3+xEWZGtObzI7nBL1chkkPZxpkDaPjMa6rlyXFru106GYixchFQ0zJ1 BV+BRKZ861o+0AciceXHs39sxDTm7sPbGKlqzoVPAG14sk/RIk2bEw/UTtKv4MxL9eBE p1Opq3ZL9ME92Bs37AcJywiZ3YSaCUAnFHI+wCXrTQub/sng630TkaryXUpv4+1OQUGL CSN1i+lWJOCAM0vuY5B3OO9WhrsWwRm3MyHcvILMwUVnRCx5C6mfSGQc6WBmz0XpxWo3 qY/maMx3WlfubaNpObgBq7J1OF+Uz1+sQ2aLHblK/8jdKXASRorM/3CXAGeNkYDJX0j6 XpdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777889751; x=1778494551; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=nTcuuyPM1STHES+1Gqa4UfN+n+nje0Qh2APGzRVoQg0=; b=lcnO4MTfY+3ukMadfVzWTloczAdh7D6YrJCS7o2QV/EhZU8RJY+WBQkPA/qImLP950 nxdTXkFDB9Vvsp4zAOwD0XU6FSTSasnVXxd8Kw4AL9QzVHrKNwPv1cs4JsDjfvHOUO6V ZMcBxr+Lt/N1oIB+jPLMbK8AZ0nK6Bv/nT75ZHDjl44JTWZtTpO0Ttr2N2FyePlkI+KB LsDcvqXhy9q68yoxWbpo3xrpfd0hHg0ysRHtqj++UPZ9z6Jh1aJUmovYDt0T31Uf/3Xn z/EL0AvcgwmSt38e2p2izUYa9UTS6IsEfO3X5ZtWyQQtnvsRcYQRF0l+niUkUfc24NYJ mwDA== X-Gm-Message-State: AOJu0YygWXwURvbNdaVM2wkuZ6aqeJ0MewMciwWr1rp5T7N/pmGRexT3 2t3/WLlFa7CrQbf0Wal6fUCp36LWvkeP/ChU2w1T2xLIiLXgVgLho3+TP4Wferbwws0= X-Gm-Gg: AeBDietT3GB4rpJBuhvAiJGA5zvmZlWhrkm86s2oIknl27qQEhZrtTeb7TZkHS8qp9R fBDXObq1mJ4s4kLtpQzK2ow762qbd900/o53100V1+42Tkca/SJTgMYccAWciB74FEoIhln42FO I9QNQU8TZlN7znBSgVT92Tg/A2ee4yiPASCR2BUhw8BUPVyT+sD3BVHtEl0raFurqxUKwEYWCCB IdyR4rxnYZYaj7BTY65IbefzyNHWQYWXcVcHqNYRQgdwEJG59XtdeFKXhz0UHAGOlP/Gb4IHo8I SBRpJIKggH6wfPiaa13SHXuhaQpkIABdLznxIYyTGldePcC0eVt5/MhgLQC+ZfrwbXKcDNQFVep fYDHXc6qPzXfmRn23Hq7TzDhwOKb3rkoP5O2albjNrvv6xGxnrocL/SPeMhHjZGqIlSLb/LiSWB X+qtGZk0ghUOQyazTRw/1hXzgCqk2TiKzvXwvDc/BwgonJEoVFFUYYt0D+G+j9vJdRJQ5HaGifV J2EJGb5dJAmi0mf+g== X-Received: by 2002:a05:6000:2909:b0:43d:7a08:a5f8 with SMTP id ffacd0b85a97d-44bb716f0c1mr14231907f8f.35.1777889750758; Mon, 04 May 2026 03:15:50 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-44a9879ef89sm28545366f8f.30.2026.05.04.03.15.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2026 03:15:50 -0700 (PDT) From: Tudor Ambarus Date: Mon, 04 May 2026 10:15:49 +0000 Subject: [PATCH v4 6/7] firmware: samsung: acpm: Fix missing LKMM barriers in RX and TX paths Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-acpm-fixes-sashiko-reports-v4-6-529246be6b2b@linaro.org> References: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> In-Reply-To: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777889746; l=4822; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=S69mcWVdJW47YZsriq5gOrBQLK0ksV3oXVdlIgpsiSo=; b=aU0EI1Y314zHAtNas0QYLUH/hfpwP3SCJGJfFc2yuOk2ibOlWMkcTfPdNUELSV9TnyxJXuHQO XXPyGVIV0+RCdG6SnrRIXTl/fC/wZ0LIKWwb5d/1//ymnkDUo353pBx X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified memory ordering races in [1]. The ACPM driver relies on a globally shared 'bitmap_seqnum' to synchronize sequence number allocations across the TX and RX lock domains. The TX thread allocates bits, while the RX thread frees them. Because these operations cross lock domains, they are effectively lockless and require explicit memory barriers. Previously, the driver used plain bitwise operators (test_bit, set_bit, clear_bit), which lack LKMM ordering guarantees. This creates two severe race conditions on weakly ordered architectures like ARM64: 1. RX Release Violation: The RX thread reads the response payload and calls clear_bit(). Without a release barrier, the CPU can make the cleared bit globally visible before the memory reads complete. 2. TX Acquire Violation: The TX thread loops on test_bit() and then writes to the payload buffer. Without an acquire barrier, the CPU can speculatively execute the buffer wipe (memset) before the sequence number is safely claimed. If these reorderings overlap, a TX thread can overwrite the buffer while the RX thread is still actively reading from it. Fix this by upgrading the bitwise operators. Wrap the TX allocation in test_and_set_bit_lock() to establish formal LKMM Acquire semantics, and pair it with clear_bit_unlock() in the RX path to enforce Release semantics. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260423-acpm-fixes-sashiko-reports-= v1-0-2217b790925e%40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index ad677962d10b..6fc6175b8924 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -8,7 +8,7 @@ #include #include #include -#include +#include #include #include #include @@ -210,7 +210,12 @@ static void acpm_get_saved_rx(struct acpm_chan *achan, =20 if (rx_seqnum =3D=3D tx_seqnum) { memcpy(xfer->rxd, rx_data->cmd, xfer->rxcnt * sizeof(*xfer->rxd)); - clear_bit(rx_seqnum - 1, achan->bitmap_seqnum); + /* + * Enforce release semantics. Ensures the payload memcpy + * completes before the sequence number is globally visible as + * free. + */ + clear_bit_unlock(rx_seqnum - 1, achan->bitmap_seqnum); } } =20 @@ -270,7 +275,8 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) * loop. */ smp_store_release(&rx_data->completed, true); - clear_bit(seqnum, achan->bitmap_seqnum); + /* Enforce Release semantics for payload reads */ + clear_bit_unlock(seqnum, achan->bitmap_seqnum); } else { /* * The RX data corresponds to another request. @@ -293,7 +299,8 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) * Pairs with smp_load_acquire() in polling loop. */ smp_store_release(&rx_data->completed, true); - clear_bit(seqnum, achan->bitmap_seqnum); + /* Enforce Release semantics when dropping unneeded payloads */ + clear_bit_unlock(seqnum, achan->bitmap_seqnum); } =20 i =3D (i + 1) % achan->qlen; @@ -400,11 +407,18 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, struct acpm_rx_data *rx_data; u32 *txd =3D (u32 *)xfer->txd; =20 - /* Prevent chan->seqnum from being re-used */ + /* + * Prevent chan->seqnum from being re-used. + * test_and_set_bit_lock() provides formal LKMM Acquire semantics. + * It pairs with the RX thread's clear_bit_unlock() to ensure the CPU + * does not speculatively execute the rx_data buffer wipe (memset) + * before the sequence number is safely claimed. + */ do { if (++achan->seqnum =3D=3D ACPM_SEQNUM_MAX) achan->seqnum =3D 1; - } while (test_bit(achan->seqnum - 1, achan->bitmap_seqnum)); + /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ + } while (test_and_set_bit_lock(achan->seqnum - 1, achan->bitmap_seqnum)); =20 txd[0] |=3D FIELD_PREP(ACPM_PROTOCOL_SEQNUM, achan->seqnum); =20 @@ -414,9 +428,6 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); /* zero means no response expected */ rx_data->rxcnt =3D xfer->rxcnt; - - /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ - set_bit(achan->seqnum - 1, achan->bitmap_seqnum); } =20 /** --=20 2.54.0.545.g6539524ca2-goog From nobody Mon May 4 13:06:47 2026 Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1BB4C39C645 for ; Mon, 4 May 2026 10:15:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889755; cv=none; b=iVDoEfSi69LXeFNtdlZ2Ys9nPkHWiiIYLR8PTX9kkzsFY8klaf1d6sFuKHKe6OnOcIIw0YN6EFsPOMwuvO3NyyvPl+EVy5Lc7NlFHyyVLZlPbEs0KZKCt1tdypCrv3SWcFizxn65kYrgoZnOb7vdl2aaUCu/IFazWBUiAGyCarw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777889755; c=relaxed/simple; bh=fDS0JpnSnl+5Js3iBpG8K3eo2zfUH/0qtj2UHYu+zRQ=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=rG1/XYJUm7v26qObcIHnxwnAbGTTPM3DPjGqzv64KclZucC4vXsNVmuXImhmDa6UOle/ikuX8trfzr0Cdlck3XBANVxUBGpu2kXjKb2V2ikki3qWWeZ2iUatVeBGDctYRGvvPiqGjGyYYXvu+NpiT0DKOfJj83YRTT9N1bWSatQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org; spf=pass smtp.mailfrom=linaro.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b=ytJPAyHK; arc=none smtp.client-ip=209.85.128.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linaro.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="ytJPAyHK" Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-4852b81c73aso26861785e9.3 for ; Mon, 04 May 2026 03:15:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1777889751; x=1778494551; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=L0EVyq5EhiXQLJCeHZ7MP6twyErqWEjaRaq7xPSg8wE=; b=ytJPAyHK8wX9XQ1P01wDVXpp/yXfRWBXC2JqnAD9VcpKhiyuRZYgjYJEI+QRbCB3IM ZakmrmHzazjcNsp7dbLfRUS8xtAYkbj7vqYCl6346LmthAv/zDo8WxY2sa80BeYeYPrh Q0x8tkdHNjEDeU5nZAeH/n80MAG/ttkjY9BTUxSRjpwIJuG7EeV48Jz/4d5ck9QRgzw+ tP9EKF7qGsWOVrG6Kpk4zsSJ+hL910UXfrWnAllCZjiqaJ1ImaWj8GJ93KPyq/E7q63d A+EzpJCBNMEmYHyT1ClCJBlpbAD01h01Irsf9jK1SPLuEl5GfLw+Bc71MdFosOKh+/BC VztQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777889751; x=1778494551; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=L0EVyq5EhiXQLJCeHZ7MP6twyErqWEjaRaq7xPSg8wE=; b=oPtoZ+XbdGxUfw1GESGKgRvepW5FmdSM3EK6KI+hHl+O3IYPSoEEpeawRZN+j7b6XV tudmInzSTDPTNtCaaFESEP65fgUKTaSq1PRheruS1TS/OvqOIX41/Usfj+M/nfGXHb+h a1QoxXV/JeptrOlfwN+aJcMYQPDtzfYkjbKGCP6byLYrzc2F26WS4flVAJhig7NStwYM FYlzC9kDgPMFAfA3skShlCdsHPA4dnCfK+blgBoIVkSWrj4iWo79DwMc4htX8I8NnaGK M1wks9uNj3pctQUs2Ifp+DDgv6q0OpfbIlcnPvA/nNk6V8bKMXRmY0v6JakTDhAM9hno JriQ== X-Gm-Message-State: AOJu0YweifL1z3BhMju24l9NfSt+6Lo7x9TGxm9ytt4CUNHXiz8uFFOf woZfvzz/qXN0bpcgsFt1ps9q134rELcOFf/wpDE1EMeNDcrwBIAu8S8magmM4hOAj/0= X-Gm-Gg: AeBDietrx/H+Rth3o4n0PPo2PwKllMm6Jxnj3bOHwUvTh4VhxRnFJTZfn6MwNSLasx6 V5PycIwwcQoA2Nd17KIotRbwYB5uQ0Jh4df33iRw7cM5pO5blGRQl1hWgJfkc75f5ftaPP9h55C rknHANMt26St5j8a49Vxy/313fbG2uUftZ2Klca7nno97OEFr8QSLmzRCKMxoIvj8bHeT2uLapJ AW4oI5gHzKAmW+51OBFqBoDLSCTzyU9TTDcaP0x0rGNCZhYidQ8PRAKvGt+TMLg2FSmX/1gHGug Hf4niu9CAl4izmqY0ov015T/8qhEe/eC1guat4PYULz4bSbb4EhJslzfgiNzPv658tUdif5wp/A zYswP7a6AXkn14qy+vb1aW6nKbjK/rYiqt6LvngSnwMBqtcStESyzv6XviBtF1VIylIRgTrlg3v c/HBCKTFjI6wQpmqVwAZxXwo4Gew9dRtkxAdEZEgex8eCwh4jWkvQbTCyQSjvANGINLuNyEmmUy nFJzYflBrlOw/Zgxg== X-Received: by 2002:a05:600c:3f06:b0:485:3abe:ab86 with SMTP id 5b1f17b1804b1-48a9852cc0bmr154515165e9.4.1777889751256; Mon, 04 May 2026 03:15:51 -0700 (PDT) Received: from ta2.c.googlers.com (17.83.155.104.bc.googleusercontent.com. [104.155.83.17]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-44a9879ef89sm28545366f8f.30.2026.05.04.03.15.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2026 03:15:50 -0700 (PDT) From: Tudor Ambarus Date: Mon, 04 May 2026 10:15:50 +0000 Subject: [PATCH v4 7/7] firmware: samsung: acpm: Fix infinite loop on sequence number exhaustion Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260504-acpm-fixes-sashiko-reports-v4-7-529246be6b2b@linaro.org> References: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> In-Reply-To: <20260504-acpm-fixes-sashiko-reports-v4-0-529246be6b2b@linaro.org> To: Krzysztof Kozlowski , Alim Akhtar Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus , stable@vger.kernel.org X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1777889746; l=4772; i=tudor.ambarus@linaro.org; s=20241212; h=from:subject:message-id; bh=fDS0JpnSnl+5Js3iBpG8K3eo2zfUH/0qtj2UHYu+zRQ=; b=et8FDig/iX24q+66VwgJtip7dWRrdghXCQvxyY2KUGVWF5Oq9JbEmfl/MKYHq0HlKvtRufdd8 j9tiPLh/skeDLaQo318hWVNn8p0C8tDZeD642tBjGcnJEULMcw1LtCz X-Developer-Key: i=tudor.ambarus@linaro.org; a=ed25519; pk=uQzE0NXo3dIjeowMTOPCpIiPHEz12IA/MbyzrZVh9WI= Sashiko identified a possible infinite loop [1]. ACPM IPC sequence numbers are tracked via a 64-bit bitmap. Previously, acpm_prepare_xfer() used a do...while loop to search for a free sequence number. If all 63 available sequence numbers are leaked due to transient hardware timeouts or mailbox failures, the bitmap becomes full. The next call to acpm_prepare_xfer() would enter an infinite loop. Fix this by utilizing the kernel's optimized bitmap search functions (find_next_zero_bit / find_first_zero_bit). If the pool is completely exhausted, log the failure and return -EBUSY to allow the kernel to fail gracefully instead of hanging. Furthermore, drop the allocation loop entirely. Because acpm_prepare_xfer() is strictly called under the 'tx_lock' mutex, sequence number allocations are perfectly serialized. If find_next_zero_bit() locates a free bit, a single test_and_set_bit_lock() is mathematically guaranteed to succeed. To enforce this locking invariant, wrap the allocation in a WARN_ON_ONCE. If the atomic set fails, it indicates the driver's mutex serialization is fundamentally broken. The warning generates a stack trace for debugging, while returning -EIO immediately aborts the transfer to prevent silent payload corruption. Cc: stable@vger.kernel.org Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver") Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%= 40linaro.org [1] Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 45 +++++++++++++++++++++++-------= ---- 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index 6fc6175b8924..e31a1b616391 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -400,34 +401,48 @@ static int acpm_wait_for_queue_slots(struct acpm_chan= *achan, u32 next_tx_front) * TX queue. * @achan: ACPM channel info. * @xfer: reference to the transfer being prepared. + * + * Return: 0 on success, -errno otherwise. */ -static void acpm_prepare_xfer(struct acpm_chan *achan, - const struct acpm_xfer *xfer) +static int acpm_prepare_xfer(struct acpm_chan *achan, + const struct acpm_xfer *xfer) { struct acpm_rx_data *rx_data; u32 *txd =3D (u32 *)xfer->txd; + unsigned long size =3D ACPM_SEQNUM_MAX - 1; + unsigned long bit =3D achan->seqnum; + + bit =3D find_next_zero_bit(achan->bitmap_seqnum, size, bit); + if (bit >=3D size) { + bit =3D find_first_zero_bit(achan->bitmap_seqnum, size); + if (bit >=3D size) { + dev_err_ratelimited(achan->acpm->dev, + "ACPM sequence number pool exhausted\n"); + return -EBUSY; + } + } =20 /* - * Prevent chan->seqnum from being re-used. - * test_and_set_bit_lock() provides formal LKMM Acquire semantics. - * It pairs with the RX thread's clear_bit_unlock() to ensure the CPU - * does not speculatively execute the rx_data buffer wipe (memset) - * before the sequence number is safely claimed. + * Execute the atomic set to formally claim the bit and establish + * LKMM Acquire semantics against the RX thread's clear_bit_unlock(). + * A loop is unnecessary because allocations are strictly serialized + * by tx_lock. */ - do { - if (++achan->seqnum =3D=3D ACPM_SEQNUM_MAX) - achan->seqnum =3D 1; - /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ - } while (test_and_set_bit_lock(achan->seqnum - 1, achan->bitmap_seqnum)); + if (WARN_ON_ONCE(test_and_set_bit_lock(bit, achan->bitmap_seqnum))) + return -EIO; =20 + /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ + achan->seqnum =3D bit + 1; txd[0] |=3D FIELD_PREP(ACPM_PROTOCOL_SEQNUM, achan->seqnum); =20 /* Clear data for upcoming responses */ - rx_data =3D &achan->rx_data[achan->seqnum - 1]; + rx_data =3D &achan->rx_data[bit]; rx_data->completed =3D false; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); /* zero means no response expected */ rx_data->rxcnt =3D xfer->rxcnt; + + return 0; } =20 /** @@ -487,7 +502,9 @@ int acpm_do_xfer(struct acpm_handle *handle, const stru= ct acpm_xfer *xfer) if (ret) return ret; =20 - acpm_prepare_xfer(achan, xfer); + ret =3D acpm_prepare_xfer(achan, xfer); + if (ret) + return ret; =20 /* Write TX command. */ __iowrite32_copy(achan->tx.base + achan->mlen * tx_front, --=20 2.54.0.545.g6539524ca2-goog