From: Tudor Ambarus
Date: Tue, 05 May 2026 13:12:58 +0000
Subject: [PATCH v5 1/7] firmware: samsung: acpm: Fix cross-thread RX length corruption
Message-Id: <20260505-acpm-fixes-sashiko-reports-v5-1-43b5ee7f1674@linaro.org>
In-Reply-To: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org, Titouan Ameline

Sashiko identified a cross-thread RX length corruption bug when reviewing
the thermal addition to ACPM [1].

When multiple threads concurrently send IPC requests, the ACPM polling
mechanism can encounter responses belonging to other threads. To drain
the queue, the driver saves these concurrent responses into an internal
cache (`rx_data->cmd`) to be retrieved later by the owning thread.

Previously, the driver incorrectly used `xfer->rxcnt` (the expected
receive length of the *current* polling thread) when copying data for
*other* threads into this cache.
If the threads expected responses of different lengths, this resulted in
buffer underflows (leading to reads of uninitialized memory) or potential
buffer overflows.

Fix this by replacing the boolean `response` flag in `struct acpm_rx_data`
with `rxcnt`, caching the exact expected receive length for each specific
transaction during transfer preparation. Use this cached length when
saving concurrent responses.

Consequently, ensure that `xfer->rxcnt` is explicitly zeroed in driver
helpers (e.g., `acpm_dvfs_set_xfer`) for fire-and-forget messages to
prevent uninitialized stack garbage from being interpreted as a massive
expected receive length.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Reported-by: Titouan Ameline
Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
Closes: https://lore.kernel.org/r/20260426210255.73674-1-titouan.ameline@gmail.com/
Signed-off-by: Tudor Ambarus
--- drivers/firmware/samsung/exynos-acpm-dvfs.c | 3 +++ drivers/firmware/samsung/exynos-acpm.c | 15 ++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm-dvfs.c b/drivers/firmware= /samsung/exynos-acpm-dvfs.c index 06bdf62dea1f..fdea7aa24ca0 100644 --- a/drivers/firmware/samsung/exynos-acpm-dvfs.c +++ b/drivers/firmware/samsung/exynos-acpm-dvfs.c @@ -31,6 +31,9 @@ static void acpm_dvfs_set_xfer(struct acpm_xfer *xfer, u3= 2 *cmd, size_t cmdlen, if (response) { xfer->rxcnt =3D cmdlen; xfer->rxd =3D cmd; + } else { + xfer->rxcnt =3D 0; + xfer->rxd =3D NULL; } } =20 diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index 16c46ed60837..e95edc350efa 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c
@@ -104,12 +104,12 @@ struct acpm_queue { * * @cmd: pointer to where the data shall be saved. * @n_cmd: number of 32-bit commands. - * @response: true if the client expects the RX data. + * @rxcnt: expected length of the response in 32-bit words. */ struct acpm_rx_data { u32 *cmd; size_t n_cmd; - bool response; + size_t rxcnt; }; =20 #define ACPM_SEQNUM_MAX 64 @@ -199,7 +199,7 @@ static void acpm_get_saved_rx(struct acpm_chan *achan, const struct acpm_rx_data *rx_data =3D &achan->rx_data[tx_seqnum - 1]; u32 rx_seqnum; =20 - if (!rx_data->response) + if (!rx_data->rxcnt) return; =20 rx_seqnum =3D FIELD_GET(ACPM_PROTOCOL_SEQNUM, rx_data->cmd[0]); @@ -256,7 +256,7 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) seqnum =3D rx_seqnum - 1; rx_data =3D &achan->rx_data[seqnum]; =20 - if (rx_data->response) { + if (rx_data->rxcnt) { if (rx_seqnum =3D=3D tx_seqnum) { __ioread32_copy(xfer->rxd, addr, xfer->rxcnt); rx_set =3D true; @@ -268,7 +268,8 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) * clear yet the bitmap. It will be cleared * after the response is copied to the request. */ - __ioread32_copy(rx_data->cmd, addr, xfer->rxcnt); + __ioread32_copy(rx_data->cmd, addr, + rx_data->rxcnt); } } else { clear_bit(seqnum, achan->bitmap_seqnum); 
@@ -380,8 +381,8 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, /* Clear data for upcoming responses */ rx_data =3D &achan->rx_data[achan->seqnum - 1]; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); - if (xfer->rxd) - rx_data->response =3D true; + /* zero means no response expected */ + rx_data->rxcnt =3D xfer->rxcnt; =20 /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ set_bit(achan->seqnum - 1, achan->bitmap_seqnum); --=20 2.54.0.545.g6539524ca2-goog
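
Review bot: In the @@ -268,7 +268,8 @@ hunk of acpm_get_rx(), the copy into the cache now takes its length from rx_data->rxcnt, but nothing in the visible lines bounds that value by rx_data->n_cmd, which the struct comment and the memset() in acpm_prepare_xfer() treat as the size of rx_data->cmd. Reject or clamp xfer->rxcnt > rx_data->n_cmd at the point where rxcnt is stored in acpm_prepare_xfer(), so a caller-supplied length cannot overrun the cache.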
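
Review bot: In the @@ -380,8 +381,8 @@ hunk of acpm_prepare_xfer(), the "response expected" test moves from xfer->rxd being non-NULL to xfer->rxcnt being non-zero, so a caller that sets rxcnt but leaves rxd NULL now reaches __ioread32_copy(xfer->rxd, addr, xfer->rxcnt) in acpm_get_rx(). The diffstat shows only acpm_dvfs_set_xfer() being updated to set both fields; either check here that rxd is non-NULL whenever rxcnt is non-zero, or confirm that the remaining xfer builders initialise both.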

From: Tudor Ambarus
Date: Tue, 05 May 2026 13:12:59 +0000
Subject: [PATCH v5 2/7] firmware: samsung: acpm: Fix mailbox channel leak on probe error
Message-Id: <20260505-acpm-fixes-sashiko-reports-v5-2-43b5ee7f1674@linaro.org>
In-Reply-To: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org

Sashiko identified the leak at [1].

The ACPM driver allocates hardware mailbox channels using
`mbox_request_channel()` during `acpm_channels_init()`. However, the
driver lacked a `.remove` callback and did not free these channels on
subsequent error paths inside `acpm_probe()`.

Additionally, if `acpm_achan_alloc_cmds()` failed during the channel
initialization loop, the function returned immediately, bypassing the
manual cleanup and permanently leaking any channels successfully
requested in previous loop iterations.

Fix this by modifying `acpm_free_mbox_chans()` to match the `devres`
action signature and registering it via `devm_add_action_or_reset()`.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
Signed-off-by: Tudor Ambarus
--- drivers/firmware/samsung/exynos-acpm.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index e95edc350efa..9766425a44ab 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -527,10 +527,11 @@ static int acpm_achan_alloc_cmds(struct acpm_chan *ac= han) =20 /** * acpm_free_mbox_chans() - free mailbox channels. - * @acpm: pointer to driver data. + * @data: pointer to driver data. */ -static void acpm_free_mbox_chans(struct acpm_info *acpm) +static void acpm_free_mbox_chans(void *data) { + struct acpm_info *acpm =3D data; int i; =20 for (i =3D 0; i < acpm->num_chans; i++) @@ -558,6 +559,10 @@ static int acpm_channels_init(struct acpm_info *acpm) if (!acpm->chans) return -ENOMEM; =20 + ret =3D devm_add_action_or_reset(dev, acpm_free_mbox_chans, acpm); + if (ret) + return dev_err_probe(dev, ret, "Failed to add mbox free action.\n"); + chans_shmem =3D acpm->sram_base + readl(&shmem->chans); =20 for (i =3D 0; i < acpm->num_chans; i++) {
@@ -579,10 +584,8 @@ static int acpm_channels_init(struct acpm_info *acpm) cl->dev =3D dev; =20 achan->chan =3D mbox_request_channel(cl, 0); - if (IS_ERR(achan->chan)) { - acpm_free_mbox_chans(acpm); + if (IS_ERR(achan->chan)) return PTR_ERR(achan->chan); - } } =20 return 0; --=20 2.54.0.545.g6539524ca2-goog
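
Review bot: In the @@ -579,10 +584,8 @@ hunk of acpm_channels_init(), a failed mbox_request_channel() leaves an ERR_PTR stored in achan->chan and the entries for later iterations are never assigned, yet the devres action registered in the @@ -558,6 +559,10 @@ hunk walks all acpm->num_chans entries. The loop body of acpm_free_mbox_chans() is outside the context shown, so please confirm it skips NULL and ERR_PTR values before freeing, or request into a local variable and store it in achan->chan only on success.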

From: Tudor Ambarus
Date: Tue, 05 May 2026 13:13:00 +0000
Subject: [PATCH v5 3/7] firmware: samsung: acpm: Fix dummy stubs to return ERR_PTR
Message-Id: <20260505-acpm-fixes-sashiko-reports-v5-3-43b5ee7f1674@linaro.org>
In-Reply-To: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org

Sashiko identified a potential NULL pointer dereference [1].

The dummy stub implementation for devm_acpm_get_by_node() returns NULL
when CONFIG_EXYNOS_ACPM_PROTOCOL is disabled. However, the active
implementation of this function returns an ERR_PTR on failure, and the
consumer driver checks the return value using IS_ERR().

Because IS_ERR(NULL) evaluates to false, returning NULL from the stub
tricks consumer drivers into treating the NULL return as a valid handle.
Subsequent attempts to access handle->ops result in a fatal NULL pointer
dereference.

Fix this by returning ERR_PTR(-ENODEV) in the disabled configuration to
correctly propagate the disabled state and match the API contract.

Cc: stable@vger.kernel.org
Fixes: 6837c006d4e7 ("firmware: exynos-acpm: add empty method to allow compile test")
Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
Signed-off-by: Tudor Ambarus
--- include/linux/firmware/samsung/exynos-acpm-protocol.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/linux/firmware/samsung/exynos-acpm-protocol.h b/includ= e/linux/firmware/samsung/exynos-acpm-protocol.h index 13f17dc4443b..d4db2796a6fb 100644 --- a/include/linux/firmware/samsung/exynos-acpm-protocol.h +++ b/include/linux/firmware/samsung/exynos-acpm-protocol.h @@ -8,6 +8,7 @@ #ifndef __EXYNOS_ACPM_PROTOCOL_H #define __EXYNOS_ACPM_PROTOCOL_H =20 +#include #include =20 struct acpm_handle;
@@ -57,7 +58,7 @@ struct acpm_handle *devm_acpm_get_by_node(struct device *= dev, static inline struct acpm_handle *devm_acpm_get_by_node(struct device *dev, struct device_node *np) { - return NULL; + return ERR_PTR(-ENODEV); } #endif =20 --=20 2.54.0.545.g6539524ca2-goog
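
Review bot: The stub in the @@ -57,7 +58,7 @@ hunk now returns ERR_PTR(-ENODEV), but nothing next to devm_acpm_get_by_node() records that the function never returns NULL, which is the contract the old stub broke. A short comment or kernel-doc "Return:" entry on the declaration, stating that callers must test the result with IS_ERR(), would keep a future stub from reintroducing the mismatch.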

From: Tudor Ambarus
Date: Tue, 05 May 2026 13:13:01 +0000
Subject: [PATCH v5 4/7] firmware: samsung: acpm: Add memory barrier before advancing RX pointer
Message-Id: <20260505-acpm-fixes-sashiko-reports-v5-4-43b5ee7f1674@linaro.org>
In-Reply-To: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org

Sashiko identified a silent data corruption in [1].

In acpm_get_rx(), the driver reads the response payload from SRAM using
__ioread32_copy() and subsequently updates the hardware RX rear pointer
via writel().

On weakly ordered architectures like ARM64, writel() provides a write
memory barrier (wmb()), which strictly orders prior writes against
subsequent writes. However, it does not order prior reads against
subsequent writes. Consequently, the CPU is permitted to reorder the
writel() store to become globally visible before the payload reads have
completed.
If this reordering occurs, the firmware may observe the updated rear
pointer, assume the queue slot is available, and overwrite the SRAM
payload while the kernel is still actively reading from it, leading to
silent data corruption.

Fix this by inserting a full memory barrier (mb()) before the writel() to
guarantee that all payload reads have completed before the hardware queue
pointer is advanced.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Closes: https://sashiko.dev/#/patchset/20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad%40linaro.org
Signed-off-by: Tudor Ambarus
--- drivers/firmware/samsung/exynos-acpm.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index 9766425a44ab..a9449bc33bd0 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -5,6 +5,7 @@ * Copyright 2024 Linaro Ltd. */ =20 +#include #include #include #include
@@ -278,6 +279,9 @@ static int acpm_get_rx(struct acpm_chan *achan, const s= truct acpm_xfer *xfer) i =3D (i + 1) % achan->qlen; } while (i !=3D rx_front); =20 + /* Ensure all payload reads complete before advancing the rear pointer */ + mb(); + /* We saved all responses, mark RX empty. */ writel(rx_front, achan->rx.rear); =20 --=20 2.54.0.545.g6539524ca2-goog
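Review bot: the comment above mb() in the acpm_get_rx() hunk of patch 4/7 states what is ordered but not why writel() is insufficient on its own. The commit message carries that reasoning (writel() orders prior writes, not the prior __ioread32_copy() reads, against the rear-pointer store); folding one line of it into the comment, for example "writel() does not order the preceding SRAM reads against this store", would keep a later cleanup from dropping the barrier as redundant. The commit message could also say whether a full mb() is required here or was chosen as the conservative option.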
From: Tudor Ambarus
Date: Tue, 05 May 2026 13:13:02 +0000
Subject: [PATCH v5 5/7] firmware: samsung: acpm: Fix false timeouts and Use-After-Free in polling
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260505-acpm-fixes-sashiko-reports-v5-5-43b5ee7f1674@linaro.org>
References: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
In-Reply-To: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org

Sashiko identified severe races in the polling state machine [1].

In the ACPM driver's polling mode, threads waited for responses by monitoring the globally shared 'bitmap_seqnum'. This caused false timeouts because if a thread processed its response and freed the sequence number, a concurrent TX thread could immediately reallocate it before the polling thread woke up.

Additionally, the driver suffered from a cross-thread Use-After-Free (UAF) preemption race. Previously, acpm_get_rx() cleared the sequence number of whichever RX message it drained from the hardware queue. This meant Thread A could globally free Thread B's sequence slot while Thread B was asleep. A new Thread C could then steal the slot, overwrite the buffer, and leave Thread B to wake up to corrupted state or a timeout.

Fix this by rewriting the polling state machine:

1. Decouple polling from the global allocator by introducing a per-slot 'completed' flag, synchronized via smp_store_release() and smp_load_acquire().

2. Strip acpm_get_saved_rx() out of acpm_get_rx() to make it a pure queue-draining function. Introduce a 'native_match' boolean argument which evaluates to true only if the thread natively processed its own sequence number during the call. This explicitly informs the polling loop whether it must retrieve its payload from the cross-thread cache.

3. Centralize the cache fallback and sequence number free (clear_bit) inside the polling loop. Crucially, the free operation now strictly targets the thread's own TX sequence number (xfer->txd[0]), rather than the drained RX sequence number. This enforces strict ownership: a thread only ever frees its own allocated sequence slot, and only at the exact moment it completes its poll, eliminating the UAF window.

Furthermore, explicitly guard the 'native_match' assignment with an if (rx_seqnum == tx_seqnum) check, even for zero-length (no payload) responses. While an unguarded assignment wouldn't crash (because the cache fallback acpm_get_saved_rx() safely returns early on zero-length transfers) doing so would "lie" to the state machine. If a thread drained the queue and found another thread's zero-length message, setting native_match = true would falsely convince the polling loop that it natively handled its own response. Maintaining a rigorous state machine requires that native_match is only set when a thread explicitly processes its own sequence number.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Closes: https://sashiko.dev/#/patchset/20260429-acpm-fixes-sashiko-reports-v3-0-47cf74ab09ad%40linaro.org [1]
Signed-off-by: Tudor Ambarus --- drivers/firmware/samsung/exynos-acpm.c | 68 ++++++++++++++++++++++++------= ---- 1 file changed, 48 insertions(+), 20 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index a9449bc33bd0..2dea9b7bfe91 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -106,11 +106,14 @@ struct acpm_queue { * @cmd: pointer to where the data shall be saved. * @n_cmd: number of 32-bit commands. * @rxcnt: expected length of the response in 32-bit words. + * @completed: flag indicating if the firmware response has been fully + * processed. */ struct acpm_rx_data { u32 *cmd; size_t n_cmd; size_t rxcnt; + bool completed; }; =20 #define ACPM_SEQNUM_MAX 64 @@ -205,26 +208,28 @@ static void acpm_get_saved_rx(struct acpm_chan *achan, =20 rx_seqnum =3D FIELD_GET(ACPM_PROTOCOL_SEQNUM, rx_data->cmd[0]); =20 - if (rx_seqnum =3D=3D tx_seqnum) { + if (rx_seqnum =3D=3D tx_seqnum) memcpy(xfer->rxd, rx_data->cmd, xfer->rxcnt * sizeof(*xfer->rxd)); - clear_bit(rx_seqnum - 1, achan->bitmap_seqnum); - } } =20 /** * acpm_get_rx() - get response from RX queue. * @achan: ACPM channel info. * @xfer: reference to the transfer to get response for. + * @native_match: pointer to a boolean set to true if the thread natively + * processed its own sequence number during this call. * * Return: 0 on success, -errno otherwise. */ -static int acpm_get_rx(struct acpm_chan *achan, const struct acpm_xfer *xf= er) +static int acpm_get_rx(struct acpm_chan *achan, const struct acpm_xfer *xf= er, + bool *native_match) { u32 rx_front, rx_seqnum, tx_seqnum, seqnum; const void __iomem *base, *addr; struct acpm_rx_data *rx_data; u32 i, val, mlen; - bool rx_set =3D false; + + *native_match =3D false; =20 guard(mutex)(&achan->rx_lock); =20 
@@ -233,10 +238,8 @@ static int acpm_get_rx(struct acpm_chan *achan, const = struct acpm_xfer *xfer) =20 tx_seqnum =3D FIELD_GET(ACPM_PROTOCOL_SEQNUM, xfer->txd[0]); =20 - if (i =3D=3D rx_front) { - acpm_get_saved_rx(achan, xfer, tx_seqnum); + if (i =3D=3D rx_front) return 0; - } =20 base =3D achan->rx.base; mlen =3D achan->mlen; @@ -260,8 +263,13 @@ static int acpm_get_rx(struct acpm_chan *achan, const = struct acpm_xfer *xfer) if (rx_data->rxcnt) { if (rx_seqnum =3D=3D tx_seqnum) { __ioread32_copy(xfer->rxd, addr, xfer->rxcnt); - rx_set =3D true; - clear_bit(seqnum, achan->bitmap_seqnum); + /* + * Signal completion to the polling thread. + * Pairs with smp_load_acquire() in polling + * loop. + */ + smp_store_release(&rx_data->completed, true); + *native_match =3D true; } else { /* * The RX data corresponds to another request. @@ -271,9 +279,21 @@ static int acpm_get_rx(struct acpm_chan *achan, const = struct acpm_xfer *xfer) */ __ioread32_copy(rx_data->cmd, addr, rx_data->rxcnt); + /* + * Signal completion to the polling thread. + * Pairs with smp_load_acquire() in polling + * loop. + */ + smp_store_release(&rx_data->completed, true); } } else { - clear_bit(seqnum, achan->bitmap_seqnum); + /* + * Signal completion to the polling thread. + * Pairs with smp_load_acquire() in polling loop. + */ + smp_store_release(&rx_data->completed, true); + if (rx_seqnum =3D=3D tx_seqnum) + *native_match =3D true; } =20 i =3D (i + 1) % achan->qlen; @@ -285,13 +305,6 @@ static int acpm_get_rx(struct acpm_chan *achan, const = struct acpm_xfer *xfer) /* We saved all responses, mark RX empty. */ writel(rx_front, achan->rx.rear); =20 - /* - * If the response was not in this iteration of the queue, check if the - * RX data was previously saved. - */ - if (!rx_set) - acpm_get_saved_rx(achan, xfer, tx_seqnum); - return 0; } =20 
@@ -306,6 +319,7 @@ static int acpm_dequeue_by_polling(struct acpm_chan *ac= han, const struct acpm_xfer *xfer) { struct device *dev =3D achan->acpm->dev; + bool native_match; ktime_t timeout; u32 seqnum; int ret; @@ -314,12 +328,25 @@ static int acpm_dequeue_by_polling(struct acpm_chan *= achan, =20 timeout =3D ktime_add_us(ktime_get(), ACPM_POLL_TIMEOUT_US); do { - ret =3D acpm_get_rx(achan, xfer); + ret =3D acpm_get_rx(achan, xfer, &native_match); if (ret) return ret; =20 - if (!test_bit(seqnum - 1, achan->bitmap_seqnum)) + /* + * Safely check if our specific transaction has been processed. + * smp_load_acquire prevents the CPU from speculatively + * executing subsequent instructions before the transaction is + * synchronized. + */ + if (smp_load_acquire(&achan->rx_data[seqnum - 1].completed)) { + /* Retrieve payload if another thread cached it for us */ + if (!native_match) + acpm_get_saved_rx(achan, xfer, seqnum); + + /* Relinquish ownership of the sequence slot */ + clear_bit(seqnum - 1, achan->bitmap_seqnum); return 0; + } =20 /* Determined experimentally. */ udelay(20); 
@@ -384,6 +411,7 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, =20 /* Clear data for upcoming responses */ rx_data =3D &achan->rx_data[achan->seqnum - 1]; + rx_data->completed =3D false; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); /* zero means no response expected */ rx_data->rxcnt =3D xfer->rxcnt; --=20 2.54.0.545.g6539524ca2-goog
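Review bot: in the acpm_get_rx() drain loop of patch 5/7, all three branches (native match, cached for another thread, zero-length response) now end in the same smp_store_release(&rx_data->completed, true) under the same three-line comment. Hoisting a single release store to after the if/else, and leaving only the *native_match assignments in the branches, removes the duplication and makes it evident that every drained message is marked completed exactly once, after its payload copy.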
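Review bot: in acpm_dequeue_by_polling() (patch 5/7), acpm_get_saved_rx() is now called after acpm_get_rx() has returned, so it no longer runs inside the guard(mutex)(&achan->rx_lock) scope it was called from before this change. If the read of rx_data->cmd is meant to be protected by the completed release/acquire pairing and by slot ownership rather than by rx_lock, say so in the comment above the call. The comment on smp_load_acquire() describes it as preventing speculative execution; the property the code relies on is that it pairs with the smp_store_release() in acpm_get_rx(), so the cached payload is visible before it is copied.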
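Review bot: "rx_data->completed = false" in the acpm_prepare_xfer() hunk of patch 5/7 is a plain store, while every other access to the flag in this patch is smp_store_release() or smp_load_acquire(). Use WRITE_ONCE() here, or add a comment saying why no other thread can touch this slot's flag at this point.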
From: Tudor Ambarus
Date: Tue, 05 May 2026 13:13:03 +0000
Subject: [PATCH v5 6/7] firmware: samsung: acpm: Fix missing LKMM barriers in sequence allocator
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260505-acpm-fixes-sashiko-reports-v5-6-43b5ee7f1674@linaro.org>
References: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
In-Reply-To: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org

Sashiko identified memory ordering races in [1].

The ACPM driver uses a globally shared 'bitmap_seqnum' to track available sequence numbers. Even though threads now strictly free their own sequence numbers, the allocation and freeing of these bits across concurrent threads are effectively lockless operations and require explicit LKMM memory barriers.

Previously, the driver used plain bitwise operators (test_bit, set_bit, clear_bit), which lack ordering guarantees. This creates two race conditions on weakly ordered architectures like ARM64:

1. Polling Release Violation: The polling thread copies its payload and calls clear_bit(). Without a release barrier, the CPU can reorder the memory operations, making the cleared bit globally visible before the payload reads have fully completed.

2. TX Acquire Violation: The TX thread loops on test_bit(), calls set_bit(), and then wipes the payload buffer via memset(). Without an acquire barrier, the CPU can speculatively execute the memset() before the bit is safely and formally claimed.

If these reorderings overlap, a new TX thread can claim the sequence number and overwrite the buffer while the original polling thread is still actively reading from it.

Fix this by upgrading the bitwise operators. Wrap the TX allocation in test_and_set_bit_lock() to establish formal LKMM Acquire semantics, and pair it with clear_bit_unlock() in the polling path to enforce Release semantics.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Closes: https://sashiko.dev/#/patchset/20260423-acpm-fixes-sashiko-reports-v1-0-2217b790925e%40linaro.org [1]
Signed-off-by: Tudor Ambarus
--- drivers/firmware/samsung/exynos-acpm.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index 2dea9b7bfe91..fd2e46e9f7e9 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -8,7 +8,7 @@ #include #include #include -#include +#include #include #include #include @@ -344,7 +344,7 @@ static int acpm_dequeue_by_polling(struct acpm_chan *ac= han, acpm_get_saved_rx(achan, xfer, seqnum); =20 /* Relinquish ownership of the sequence slot */ - clear_bit(seqnum - 1, achan->bitmap_seqnum); + clear_bit_unlock(seqnum - 1, achan->bitmap_seqnum); return 0; } =20
@@ -401,11 +401,18 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, struct acpm_rx_data *rx_data; u32 *txd =3D (u32 *)xfer->txd; =20 - /* Prevent chan->seqnum from being re-used */ + /* + * Prevent chan->seqnum from being re-used. + * test_and_set_bit_lock() provides formal LKMM Acquire semantics. + * It pairs with the RX thread's clear_bit_unlock() to ensure the CPU + * does not speculatively execute the rx_data buffer wipe (memset) + * before the sequence number is safely claimed. + */ do { if (++achan->seqnum =3D=3D ACPM_SEQNUM_MAX) achan->seqnum =3D 1; - } while (test_bit(achan->seqnum - 1, achan->bitmap_seqnum)); + /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ + } while (test_and_set_bit_lock(achan->seqnum - 1, achan->bitmap_seqnum)); =20 txd[0] |=3D FIELD_PREP(ACPM_PROTOCOL_SEQNUM, achan->seqnum); =20 
@@ -415,9 +422,6 @@ static void acpm_prepare_xfer(struct acpm_chan *achan, memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); /* zero means no response expected */ rx_data->rxcnt =3D xfer->rxcnt; - - /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ - set_bit(achan->seqnum - 1, achan->bitmap_seqnum); } =20 /** --=20 2.54.0.545.g6539524ca2-goog
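Review bot: clear_bit_unlock() in the acpm_dequeue_by_polling() hunk of patch 6/7 keeps only the old "Relinquish ownership of the sequence slot" comment, while its counterpart in acpm_prepare_xfer() gets a five-line explanation. Add a line here saying that the release orders the payload copy (native or via acpm_get_saved_rx()) before the slot becomes reusable and that it pairs with test_and_set_bit_lock(), so both halves of the pairing are documented where they occur.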
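Review bot: in the acpm_prepare_xfer() allocation loop of patch 6/7, the "Flag the index based on seqnum" comment now sits as the last line of the do body, directly before "} while (test_and_set_bit_lock(...))", where it reads as belonging to the seqnum wrap check above it. Move it into the block comment above the loop, which already explains test_and_set_bit_lock(). The loop also still has no exit when every bit is set; since the patch is tagged for stable, the commit message should say that this case is handled by 7/7.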
From: Tudor Ambarus
Date: Tue, 05 May 2026 13:13:04 +0000
Subject: [PATCH v5 7/7] firmware: samsung: acpm: Fix infinite loop on sequence number exhaustion
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260505-acpm-fixes-sashiko-reports-v5-7-43b5ee7f1674@linaro.org>
References: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
In-Reply-To: <20260505-acpm-fixes-sashiko-reports-v5-0-43b5ee7f1674@linaro.org>
To: Krzysztof Kozlowski, Alim Akhtar
Cc: linux-kernel@vger.kernel.org, linux-samsung-soc@vger.kernel.org, linux-arm-kernel@lists.infradead.org, peter.griffin@linaro.org, andre.draszik@linaro.org, jyescas@google.com, kernel-team@android.com, Tudor Ambarus, stable@vger.kernel.org

Sashiko identified a possible infinite loop [1].

ACPM IPC sequence numbers are tracked via a 64-bit bitmap. Previously, acpm_prepare_xfer() used a do...while loop to search for a free sequence number. If all 63 available sequence numbers are leaked due to transient hardware timeouts or mailbox failures, the bitmap becomes full. The next call to acpm_prepare_xfer() would enter an infinite loop.

Fix this by utilizing the kernel's optimized bitmap search functions (find_next_zero_bit / find_first_zero_bit). If the pool is completely exhausted, log the failure and return -EBUSY to allow the kernel to fail gracefully instead of hanging.

Furthermore, drop the allocation loop entirely. Because acpm_prepare_xfer() is strictly called under the 'tx_lock' mutex, sequence number allocations are perfectly serialized. If find_next_zero_bit() locates a free bit, a single test_and_set_bit_lock() is mathematically guaranteed to succeed.

To enforce this locking invariant, wrap the allocation in a WARN_ON_ONCE. If the atomic set fails, it indicates the driver's mutex serialization is fundamentally broken. The warning generates a stack trace for debugging, while returning -EIO immediately aborts the transfer to prevent silent payload corruption.

Cc: stable@vger.kernel.org
Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Closes: https://sashiko.dev/#/patchset/20260420-acpm-tmu-v3-0-3dc8e93f0b26%40linaro.org [1]
Signed-off-by: Tudor Ambarus
--- drivers/firmware/samsung/exynos-acpm.c | 45 +++++++++++++++++++++++-------= ---- 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/sams= ung/exynos-acpm.c index fd2e46e9f7e9..a2cac913b2bd 100644 --- a/drivers/firmware/samsung/exynos-acpm.c +++ b/drivers/firmware/samsung/exynos-acpm.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include
@@ -394,34 +395,48 @@ static int acpm_wait_for_queue_slots(struct acpm_chan= *achan, u32 next_tx_front) * TX queue. * @achan: ACPM channel info. * @xfer: reference to the transfer being prepared. + * + * Return: 0 on success, -errno otherwise. */ -static void acpm_prepare_xfer(struct acpm_chan *achan, - const struct acpm_xfer *xfer) +static int acpm_prepare_xfer(struct acpm_chan *achan, + const struct acpm_xfer *xfer) { struct acpm_rx_data *rx_data; u32 *txd =3D (u32 *)xfer->txd; + unsigned long size =3D ACPM_SEQNUM_MAX - 1; + unsigned long bit =3D achan->seqnum; + + bit =3D find_next_zero_bit(achan->bitmap_seqnum, size, bit); + if (bit >=3D size) { + bit =3D find_first_zero_bit(achan->bitmap_seqnum, size); + if (bit >=3D size) { + dev_err_ratelimited(achan->acpm->dev, + "ACPM sequence number pool exhausted\n"); + return -EBUSY; + } + } =20 /* - * Prevent chan->seqnum from being re-used. - * test_and_set_bit_lock() provides formal LKMM Acquire semantics. - * It pairs with the RX thread's clear_bit_unlock() to ensure the CPU - * does not speculatively execute the rx_data buffer wipe (memset) - * before the sequence number is safely claimed. + * Execute the atomic set to formally claim the bit and establish + * LKMM Acquire semantics against the RX thread's clear_bit_unlock(). + * A loop is unnecessary because allocations are strictly serialized + * by tx_lock. */ - do { - if (++achan->seqnum =3D=3D ACPM_SEQNUM_MAX) - achan->seqnum =3D 1; - /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */ - } while (test_and_set_bit_lock(achan->seqnum - 1, achan->bitmap_seqnum)); + if (WARN_ON_ONCE(test_and_set_bit_lock(bit, achan->bitmap_seqnum))) + return -EIO; =20 + /* Flag the index based on seqnum. 
(seqnum: 1~63, bitmap: 0~62) */ + achan->seqnum =3D bit + 1; txd[0] |=3D FIELD_PREP(ACPM_PROTOCOL_SEQNUM, achan->seqnum); =20 /* Clear data for upcoming responses */ - rx_data =3D &achan->rx_data[achan->seqnum - 1]; + rx_data =3D &achan->rx_data[bit]; rx_data->completed =3D false; memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd); /* zero means no response expected */ rx_data->rxcnt =3D xfer->rxcnt; + + return 0; } =20 /** @@ -481,7 +496,9 @@ int acpm_do_xfer(struct acpm_handle *handle, const stru= ct acpm_xfer *xfer) if (ret) return ret; =20 - acpm_prepare_xfer(achan, xfer); + ret =3D acpm_prepare_xfer(achan, xfer); + if (ret) + return ret; =20 /* Write TX command. */ __iowrite32_copy(achan->tx.base + achan->mlen * tx_front, --=20 2.54.0.545.g6539524ca2-goog
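Review bot: in acpm_prepare_xfer() (patch 7/7), the search start "unsigned long bit = achan->seqnum" works only because sequence number N lives at bit N - 1, so the last sequence number doubles as the index of the next bit to try; nothing in the hunk says so, and a reader can take it for an off-by-one. Add a comment on that line. The retained comment "Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62)" now sits above "achan->seqnum = bit + 1", which derives the seqnum from the bit rather than flagging anything; reword it to describe the mapping.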
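Review bot: the acpm_do_xfer() hunk of patch 7/7 returns acpm_prepare_xfer()'s error directly, so callers now see -EBUSY when the pool is exhausted. Per the commit message the pool fills through leaked sequence numbers, and nothing in this patch returns a leaked bit, so from that point on every transfer on the channel fails, whereas -EBUSY suggests a condition a caller can retry past. Document in the kernel-doc of acpm_do_xfer() that this error is not transient, or reclaim slots on the timeout path in a follow-up.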
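The slot protocol that the commit messages of patches 5/7 to 7/7 describe, modelled in userspace C11 as an added example (not the driver's code): a per-slot completed flag published with release and read with acquire, a bitmap bit claimed with acquire and freed with release by its owner only, and a bounded search that returns -EBUSY on exhaustion. The names chan, slot, seq_alloc, seq_complete and seq_poll_and_free are hypothetical, and C11 atomics stand in for smp_store_release(), smp_load_acquire(), test_and_set_bit_lock() and clear_bit_unlock().

```c
/* Added illustration: userspace C11 model, not the driver's code. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SEQNUM_MAX 64               /* same value as ACPM_SEQNUM_MAX on the page */
#define POOL_BITS  (SEQNUM_MAX - 1) /* seqnum 1..63 maps to bit 0..62 */
#define SLOT_WORDS 4                /* constructed payload size */

struct slot {
	uint32_t cmd[SLOT_WORDS];   /* payload cached for the slot owner */
	atomic_bool completed;      /* per-slot completion flag */
};

struct chan {
	_Atomic uint64_t bitmap;    /* bit set = sequence number in use */
	unsigned int seqnum;        /* last allocated seqnum, 0 = none yet */
	struct slot slots[POOL_BITS];
};

static void chan_init(struct chan *c)
{
	memset(c, 0, sizeof(*c));
	atomic_init(&c->bitmap, 0);
	for (unsigned int i = 0; i < POOL_BITS; i++)
		atomic_init(&c->slots[i].completed, false);
}

/* First clear bit in [from, POOL_BITS), or POOL_BITS when there is none. */
static unsigned int next_zero(uint64_t map, unsigned int from)
{
	for (unsigned int b = from; b < POOL_BITS; b++)
		if (!(map & (UINT64_C(1) << b)))
			return b;
	return POOL_BITS;
}

/*
 * Claim a sequence number. The caller is assumed to serialize allocations
 * (the TX lock in the commit message). Returns the seqnum (1..63), -EBUSY
 * when every bit is taken, -EIO if the chosen bit was already set.
 */
static int seq_alloc(struct chan *c)
{
	uint64_t map = atomic_load_explicit(&c->bitmap, memory_order_relaxed);
	unsigned int bit = next_zero(map, c->seqnum); /* bit after the last one */
	uint64_t mask;

	if (bit >= POOL_BITS) {
		bit = next_zero(map, 0);              /* wrap around once */
		if (bit >= POOL_BITS)
			return -EBUSY;                /* bounded, no spinning */
	}
	mask = UINT64_C(1) << bit;

	/* Acquire: the buffer wipe below cannot be ordered before the claim. */
	if (atomic_fetch_or_explicit(&c->bitmap, mask, memory_order_acquire) & mask)
		return -EIO;

	c->seqnum = bit + 1;
	atomic_store_explicit(&c->slots[bit].completed, false, memory_order_relaxed);
	memset(c->slots[bit].cmd, 0, sizeof(c->slots[bit].cmd));
	return (int)c->seqnum;
}

/* Drain side: cache a response for its owner, then publish completion. */
static void seq_complete(struct chan *c, int seqnum, const uint32_t *payload)
{
	struct slot *s = &c->slots[seqnum - 1];

	memcpy(s->cmd, payload, sizeof(s->cmd));
	/* Release: the payload is visible before 'completed' reads true. */
	atomic_store_explicit(&s->completed, true, memory_order_release);
}

/*
 * Owner side, one poll iteration. Returns -EAGAIN while the response is
 * pending; on completion copies the payload and frees only its own slot.
 */
static int seq_poll_and_free(struct chan *c, int seqnum, uint32_t *out)
{
	struct slot *s = &c->slots[seqnum - 1];

	if (!atomic_load_explicit(&s->completed, memory_order_acquire))
		return -EAGAIN;
	memcpy(out, s->cmd, sizeof(s->cmd));
	/* Release: the copy above finishes before the bit reads as free. */
	atomic_fetch_and_explicit(&c->bitmap, ~(UINT64_C(1) << (seqnum - 1)),
				  memory_order_release);
	return 0;
}

int main(void)
{
	struct chan c;
	uint32_t rsp[SLOT_WORDS] = { 0x11, 0x22, 0x33, 0x44 }; /* constructed */
	uint32_t out[SLOT_WORDS] = { 0 };

	chan_init(&c);
	int seq = seq_alloc(&c);
	seq_complete(&c, seq, rsp);
	return seq_poll_and_free(&c, seq, out) == 0 && out[0] == 0x11 ? 0 : 1;
}
```

The demo is single-threaded and only walks the state transitions; the memory orders mark where the ordering would matter with concurrent drain, poll and allocate threads.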