From: Cristian Marussi <cristian.marussi@arm.com>
To: linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, arm-scmi@vger.kernel.org,
	linux-clk@vger.kernel.org, linux-renesas-soc@vger.kernel.org
Cc: sudeep.holla@arm.com, philip.radford@arm.com,
	james.quinlan@broadcom.com, f.fainelli@gmail.com,
	vincent.guittot@linaro.org, etienne.carriere@foss.st.com,
	peng.fan@oss.nxp.com, michal.simek@amd.com,
	geert+renesas@glider.be, kuninori.morimoto.gx@renesas.com,
	marek.vasut+renesas@gmail.com,
	Cristian Marussi <cristian.marussi@arm.com>
Subject: [PATCH v3 11/15] firmware: arm_scmi: Fix bound iterators returning too many items
Date: Tue, 28 Apr 2026 21:15:18 +0100
Message-ID: <20260428201522.903875-12-cristian.marussi@arm.com>
In-Reply-To: <20260428201522.903875-1-cristian.marussi@arm.com>

From: Geert Uytterhoeven <geert+renesas@glider.be>

When using a bound-iterator with an upper bound, commands are sent, and
responses are received, until the upper bound is reached.  However, it
is up to the SCMI provider implementation to decide how many rates are
returned in response to a single CLOCK_DESCRIBE_RATES command.  If the
last response contains rates beyond the specified upper bound, they are
still passed up for further processing.  This may lead to buffer
overflows in unprepared callsites.

While the imprecise bound handling may have been intentional (it was
mentioned in the commit message introducing the code), it is still
confusing for users, and may cause hard to debug crashes.  Fix this by
strictly enforcing the upper bound.

Note that this may cause an increase in the number of
CLOCK_DESCRIBE_RATES commands issued, as retrieving the last rate may no
longer be done inadvertently, but require its own command.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
[Cristian: removed Fixed tag referring the same series]
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
---
 drivers/firmware/arm_scmi/driver.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
index cb4865fd8af2..fd031a8d40df 100644
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@@ -1820,6 +1820,7 @@ static int __scmi_iterator_run(void *iter, unsigned int *start, unsigned int *en
 	const struct scmi_protocol_handle *ph;
 	struct scmi_iterator_state *st;
 	struct scmi_iterator *i;
+	unsigned int n;
 
 	if (!iter)
 		return -EINVAL;
@@ -1852,13 +1853,17 @@ static int __scmi_iterator_run(void *iter, unsigned int *start, unsigned int *en
 			return -EINVAL;
 		}
 
-		for (st->loop_idx = 0; st->loop_idx < st->num_returned; st->loop_idx++) {
+		if (end)
+			n = min(st->num_returned, *end - st->desc_index + 1);
+		else
+			n = st->num_returned;
+		for (st->loop_idx = 0; st->loop_idx < n; st->loop_idx++) {
 			ret = iops->process_response(ph, i->resp, st, i->priv);
 			if (ret)
 				return ret;
 		}
 
-		st->desc_index += st->num_returned;
+		st->desc_index += n;
 		ph->xops->reset_rx_to_maxsz(ph, i->t);
 		/*
 		 * check for both returned and remaining to avoid infinite
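Review bot: In the `if (end)` branch, `*end - st->desc_index + 1` is evaluated in unsigned arithmetic (`end` is `unsigned int *` and `n` is `unsigned int`; this assumes `st->desc_index` is unsigned as well), so it can wrap in two ways. If `st->desc_index` is ever greater than `*end`, the subtraction yields a very large value, `min()` falls back to `st->num_returned`, and the bound this patch is meant to enforce is silently skipped. If `*end` is `UINT_MAX` while `st->desc_index` is 0, the `+ 1` wraps to 0, so `n` is 0, no item is processed, and `st->desc_index += n` makes no progress. Please either add an explicit `st->desc_index > *end` check before the subtraction or add a comment naming the invariant that rules these cases out. A one-line comment that `*end` is an inclusive index would also explain the `+ 1` to later readers.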
-- 
2.53.0


