From: Cristian Marussi <cristian.marussi@arm.com>
To: linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, arm-scmi@vger.kernel.org,
linux-clk@vger.kernel.org, linux-renesas-soc@vger.kernel.org
Cc: sudeep.holla@arm.com, philip.radford@arm.com,
james.quinlan@broadcom.com, f.fainelli@gmail.com,
vincent.guittot@linaro.org, etienne.carriere@foss.st.com,
peng.fan@oss.nxp.com, michal.simek@amd.com,
geert+renesas@glider.be, kuninori.morimoto.gx@renesas.com,
marek.vasut+renesas@gmail.com,
Cristian Marussi <cristian.marussi@arm.com>
Subject: [PATCH v3 14/15] firmware: arm_scmi: Fix OOB in scmi_clock_describe_rates_get_lazy()
Date: Tue, 28 Apr 2026 21:15:21 +0100
Message-ID: <20260428201522.903875-15-cristian.marussi@arm.com>
In-Reply-To: <20260428201522.903875-1-cristian.marussi@arm.com>

From: Geert Uytterhoeven <geert+renesas@glider.be>

Lazy discovery of discrete rates works as follows:
  A. Grab the first three rates,
  B. Grab the last rate, if there are more than three rates.

It is up to the SCMI provider implementation to decide how many rates
are returned in response to a single CLOCK_DESCRIBE_RATES command. Each
rate received is stored in the scmi_clock_rates.rates[] array, and
.num_rates is updated accordingly.

When more than 3 rates have been received after step A, the last rate
may have been received already, and stored in scmi_clock_rates.rates[]
(which has space for scmi_clock_desc.tot_rates entries). Hence grabbing
the last rate again will store it a second time, beyond the end of the
array.

Fix this by only grabbing the last rate when we don't already have it.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
[Cristian: removed Fixed tag referring the same series]
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
---
drivers/firmware/arm_scmi/clock.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c
index 15a963b1edb9..ba25a9c6d3ae 100644
--- a/drivers/firmware/arm_scmi/clock.c
+++ b/drivers/firmware/arm_scmi/clock.c
@@ -582,15 +582,18 @@ scmi_clock_describe_rates_get_lazy(const struct scmi_protocol_handle *ph,
if (ret)
goto out;
- /* If discrete grab the last value, which should be the max */
- if (clkd->rate_discrete && clkd->tot_rates > 3) {
+ /*
+ * If discrete and we don't already have it, grab the last value, which
+ * should be the max
+ */
+ if (clkd->rate_discrete && clkd->tot_rates > clkd->num_rates) {
first = clkd->tot_rates - 1;
last = clkd->tot_rates - 1;
ret = ph->hops->iter_response_run_bound(iter, &first, &last);
}
out:
- ph->hops->iter_response_cleanup(iter);
+ ph->hops->iter_response_bound_cleanup(iter);
return ret;
}
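
Review bot: the switch from iter_response_cleanup() to iter_response_bound_cleanup() at the out: label is not covered by the commit message, which describes only the last-rate guard; either mention it in the changelog or move it to the patch that introduces the renamed helper, so that this fix stays limited to the out-of-bounds write. On the guard itself, `clkd->tot_rates > clkd->num_rates` only prevents the duplicate store if num_rates is accurate after step A and rates always arrive in index order, and the comment could state that assumption. Since the number of rates per CLOCK_DESCRIBE_RATES reply is chosen by the SCMI provider, it is also worth confirming that the code appending to rates[] (not visible in this hunk) checks num_rates against tot_rates on its own, rather than relying on this call-site condition alone.
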
--
2.53.0