From: Cristian Marussi <cristian.marussi@arm.com>
To: linux-arm-kernel@lists.infradead.org,
linux-rockchip@lists.infradead.org, linux-kernel@vger.kernel.org
Cc: Heiko Stuebner <heiko@sntech.de>, Liang Chen <cl@rock-chips.com>,
Kever Yang <kever.yang@rock-chips.com>,
Jeffy Chen <jeffy.chen@rock-chips.com>,
Peter Geis <pgwipeout@gmail.com>,
Cristian Marussi <cristian.marussi@arm.com>,
Nicolas Frattaroli <frattaroli.nicolas@gmail.com>,
Etienne Carriere <etienne.carriere@linaro.org>,
Sudeep Holla <sudeep.holla@arm.com>
Subject: [PATCH] firmware: arm_scmi: Relax BASE protocol sanity checks on protocol list
Date: Mon, 23 May 2022 18:15:59 +0100 [thread overview]
Message-ID: <20220523171559.472112-1-cristian.marussi@arm.com> (raw)
Even though malformed replies from firmware must be treated carefully to
avoid memory corruption Kernel side, some out-of-spec SCMI replies can
be tolerated to avoid breaking existing deployed system, as long as they
won't cause memory issues.
Reported-by: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
---
drivers/firmware/arm_scmi/base.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c
index 20fba7370f4e..d0ac96da1ddf 100644
--- a/drivers/firmware/arm_scmi/base.c
+++ b/drivers/firmware/arm_scmi/base.c
@@ -221,11 +221,17 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph,
calc_list_sz = (1 + (loop_num_ret - 1) / sizeof(u32)) *
sizeof(u32);
if (calc_list_sz != real_list_sz) {
- dev_err(dev,
- "Malformed reply - real_sz:%zd calc_sz:%u\n",
- real_list_sz, calc_list_sz);
- ret = -EPROTO;
- break;
+ dev_warn(dev,
+ "Malformed reply - real_sz:%zd calc_sz:%u (loop_num_ret:%d)\n",
+ real_list_sz, calc_list_sz, loop_num_ret);
+ /*
+ * Bail out if the expected list size is bigger than the
+ * total payload size of the received reply.
+ */
+ if (calc_list_sz > real_list_sz) {
+ ret = -EPROTO;
+ break;
+ }
}
for (loop = 0; loop < loop_num_ret; loop++)
--
2.36.1
_______________________________________________
Linux-rockchip mailing list
Linux-rockchip@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-rockchip
WARNING: multiple messages have this Message-ID (diff)
From: Cristian Marussi <cristian.marussi@arm.com>
To: linux-arm-kernel@lists.infradead.org,
linux-rockchip@lists.infradead.org, linux-kernel@vger.kernel.org
Cc: Heiko Stuebner <heiko@sntech.de>, Liang Chen <cl@rock-chips.com>,
Kever Yang <kever.yang@rock-chips.com>,
Jeffy Chen <jeffy.chen@rock-chips.com>,
Peter Geis <pgwipeout@gmail.com>,
Cristian Marussi <cristian.marussi@arm.com>,
Nicolas Frattaroli <frattaroli.nicolas@gmail.com>,
Etienne Carriere <etienne.carriere@linaro.org>,
Sudeep Holla <sudeep.holla@arm.com>
Subject: [PATCH] firmware: arm_scmi: Relax BASE protocol sanity checks on protocol list
Date: Mon, 23 May 2022 18:15:59 +0100 [thread overview]
Message-ID: <20220523171559.472112-1-cristian.marussi@arm.com> (raw)
Even though malformed replies from firmware must be treated carefully to
avoid memory corruption Kernel side, some out-of-spec SCMI replies can
be tolerated to avoid breaking existing deployed system, as long as they
won't cause memory issues.
Reported-by: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
---
drivers/firmware/arm_scmi/base.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c
index 20fba7370f4e..d0ac96da1ddf 100644
--- a/drivers/firmware/arm_scmi/base.c
+++ b/drivers/firmware/arm_scmi/base.c
@@ -221,11 +221,17 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph,
calc_list_sz = (1 + (loop_num_ret - 1) / sizeof(u32)) *
sizeof(u32);
if (calc_list_sz != real_list_sz) {
- dev_err(dev,
- "Malformed reply - real_sz:%zd calc_sz:%u\n",
- real_list_sz, calc_list_sz);
- ret = -EPROTO;
- break;
+ dev_warn(dev,
+ "Malformed reply - real_sz:%zd calc_sz:%u (loop_num_ret:%d)\n",
+ real_list_sz, calc_list_sz, loop_num_ret);
+ /*
+ * Bail out if the expected list size is bigger than the
+ * total payload size of the received reply.
+ */
+ if (calc_list_sz > real_list_sz) {
+ ret = -EPROTO;
+ break;
+ }
}
for (loop = 0; loop < loop_num_ret; loop++)
--
2.36.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Cristian Marussi <cristian.marussi@arm.com>
To: linux-arm-kernel@lists.infradead.org,
linux-rockchip@lists.infradead.org, linux-kernel@vger.kernel.org
Cc: Heiko Stuebner <heiko@sntech.de>, Liang Chen <cl@rock-chips.com>,
Kever Yang <kever.yang@rock-chips.com>,
Jeffy Chen <jeffy.chen@rock-chips.com>,
Peter Geis <pgwipeout@gmail.com>,
Cristian Marussi <cristian.marussi@arm.com>,
Nicolas Frattaroli <frattaroli.nicolas@gmail.com>,
Etienne Carriere <etienne.carriere@linaro.org>,
Sudeep Holla <sudeep.holla@arm.com>
Subject: [PATCH] firmware: arm_scmi: Relax BASE protocol sanity checks on protocol list
Date: Mon, 23 May 2022 18:15:59 +0100 [thread overview]
Message-ID: <20220523171559.472112-1-cristian.marussi@arm.com> (raw)
Even though malformed replies from firmware must be treated carefully to
avoid memory corruption Kernel side, some out-of-spec SCMI replies can
be tolerated to avoid breaking existing deployed system, as long as they
won't cause memory issues.
Reported-by: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
---
drivers/firmware/arm_scmi/base.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c
index 20fba7370f4e..d0ac96da1ddf 100644
--- a/drivers/firmware/arm_scmi/base.c
+++ b/drivers/firmware/arm_scmi/base.c
@@ -221,11 +221,17 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph,
calc_list_sz = (1 + (loop_num_ret - 1) / sizeof(u32)) *
sizeof(u32);
if (calc_list_sz != real_list_sz) {
- dev_err(dev,
- "Malformed reply - real_sz:%zd calc_sz:%u\n",
- real_list_sz, calc_list_sz);
- ret = -EPROTO;
- break;
+ dev_warn(dev,
+ "Malformed reply - real_sz:%zd calc_sz:%u (loop_num_ret:%d)\n",
+ real_list_sz, calc_list_sz, loop_num_ret);
+ /*
+ * Bail out if the expected list size is bigger than the
+ * total payload size of the received reply.
+ */
+ if (calc_list_sz > real_list_sz) {
+ ret = -EPROTO;
+ break;
+ }
}
for (loop = 0; loop < loop_num_ret; loop++)
--
2.36.1
next reply other threads:[~2022-05-23 17:17 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-23 17:15 Cristian Marussi [this message]
2022-05-23 17:15 ` [PATCH] firmware: arm_scmi: Relax BASE protocol sanity checks on protocol list Cristian Marussi
2022-05-23 17:15 ` Cristian Marussi
2022-05-31 14:59 ` Etienne Carriere
2022-05-31 14:59 ` Etienne Carriere
2022-05-31 14:59 ` Etienne Carriere
2022-06-06 12:59 ` Michael Riesch
2022-06-06 12:59 ` Michael Riesch
2022-06-06 12:59 ` Michael Riesch
2022-06-06 13:31 ` Cristian Marussi
2022-06-06 13:31 ` Cristian Marussi
2022-06-06 13:31 ` Cristian Marussi
2022-06-06 14:43 ` Sudeep Holla
2022-06-06 14:43 ` Sudeep Holla
2022-06-06 14:43 ` Sudeep Holla
2022-06-06 14:55 ` Heiko Stübner
2022-06-06 14:55 ` Heiko Stübner
2022-06-06 14:55 ` Heiko Stübner
2022-06-06 15:10 ` Sudeep Holla
2022-06-06 15:10 ` Sudeep Holla
2022-06-06 15:10 ` Sudeep Holla
2022-06-06 14:03 ` Aw: " Frank Wunderlich
2022-06-06 14:03 ` Frank Wunderlich
2022-06-06 14:03 ` Frank Wunderlich
2022-06-06 14:51 ` Sudeep Holla
2022-06-06 14:51 ` Sudeep Holla
2022-06-06 14:51 ` Sudeep Holla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220523171559.472112-1-cristian.marussi@arm.com \
--to=cristian.marussi@arm.com \
--cc=cl@rock-chips.com \
--cc=etienne.carriere@linaro.org \
--cc=frattaroli.nicolas@gmail.com \
--cc=heiko@sntech.de \
--cc=jeffy.chen@rock-chips.com \
--cc=kever.yang@rock-chips.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rockchip@lists.infradead.org \
--cc=pgwipeout@gmail.com \
--cc=sudeep.holla@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.