[PATCH v4 11/15] firmware: arm_scmi: Fix bound iterators returning too many items

Linux-ARM-Kernel Archive on lore.kernel.org
 help / color / mirror / Atom feed

From: Cristian Marussi <cristian.marussi@arm.com>
To: linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, arm-scmi@vger.kernel.org,
	linux-clk@vger.kernel.org, linux-renesas-soc@vger.kernel.org
Cc: sudeep.holla@arm.com, philip.radford@arm.com,
	james.quinlan@broadcom.com, f.fainelli@gmail.com,
	vincent.guittot@linaro.org, etienne.carriere@foss.st.com,
	peng.fan@oss.nxp.com, michal.simek@amd.com,
	geert+renesas@glider.be, kuninori.morimoto.gx@renesas.com,
	marek.vasut+renesas@gmail.com,
	Cristian Marussi <cristian.marussi@arm.com>
Subject: [PATCH v4 11/15] firmware: arm_scmi: Fix bound iterators returning too many items
Date: Fri,  8 May 2026 16:32:56 +0100	[thread overview]
Message-ID: <20260508153300.2224715-12-cristian.marussi@arm.com> (raw)
In-Reply-To: <20260508153300.2224715-1-cristian.marussi@arm.com>

From: Geert Uytterhoeven <geert+renesas@glider.be>

When using a bound-iterator with an upper bound, commands are sent, and
responses are received, until the upper bound is reached.  However, it
is up to the SCMI provider implementation to decide how many rates are
returned in response to a single CLOCK_DESCRIBE_RATES command.  If the
last response contains rates beyond the specified upper bound, they are
still passed up for further processing.  This may lead to buffer
overflows in unprepared callsites.

While the imprecise bound handling may have been intentional (it was
mentioned in the commit message introducing the code), it is still
confusing for users, and may cause hard to debug crashes.  Fix this by
strictly enforcing the upper bound.

Note that this may cause an increase in the number of
CLOCK_DESCRIBE_RATES commands issued, as retrieving the last rate may no
longer be done inadvertentently, but require its own command.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
---
 drivers/firmware/arm_scmi/driver.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
index cb4865fd8af2..fd031a8d40df 100644
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@@ -1820,6 +1820,7 @@ static int __scmi_iterator_run(void *iter, unsigned int *start, unsigned int *en
 	const struct scmi_protocol_handle *ph;
 	struct scmi_iterator_state *st;
 	struct scmi_iterator *i;
+	unsigned int n;
 
 	if (!iter)
 		return -EINVAL;
@@ -1852,13 +1853,17 @@ static int __scmi_iterator_run(void *iter, unsigned int *start, unsigned int *en
 			return -EINVAL;
 		}
 
-		for (st->loop_idx = 0; st->loop_idx < st->num_returned; st->loop_idx++) {
+		if (end)
+			n = min(st->num_returned, *end - st->desc_index + 1);
+		else
+			n = st->num_returned;
+		for (st->loop_idx = 0; st->loop_idx < n; st->loop_idx++) {
 			ret = iops->process_response(ph, i->resp, st, i->priv);
 			if (ret)
 				return ret;
 		}
 
-		st->desc_index += st->num_returned;
+		st->desc_index += n;
 		ph->xops->reset_rx_to_maxsz(ph, i->t);
 		/*
 		 * check for both returned and remaining to avoid infinite
-- 
2.53.0

next prev parent reply	other threads:[~2026-05-08 15:34 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-08 15:32 [PATCH v4 00/15] SCMI Clock rates discovery rework Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 01/15] clk: scmi: Fix clock rate rounding Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 02/15] firmware: arm_scmi: Add clock determine_rate operation Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 03/15] clk: scmi: Use new determine_rate clock operation Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 04/15] firmware: arm_scmi: Simplify clock rates exposed interface Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 05/15] clk: scmi: Use new simplified per-clock rate properties Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 06/15] firmware: arm_scmi: Drop unused clock rate interfaces Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 07/15] firmware: arm_scmi: Make clock rates allocation dynamic Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 08/15] firmware: arm_scmi: Harden clock parents discovery Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 09/15] firmware: arm_scmi: Refactor iterators internal allocation Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 10/15] firmware: arm_scmi: Add bound iterators support Cristian Marussi
2026-05-08 15:32 ` Cristian Marussi [this message]
2026-05-08 15:32 ` [PATCH v4 12/15] firmware: arm_scmi: Use proper iter_response_bound_cleanup() name Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 13/15] firmware: arm_scmi: Use bound iterators to minimize discovered rates Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 14/15] firmware: arm_scmi: Fix OOB in scmi_clock_describe_rates_get_lazy() Cristian Marussi
2026-05-08 15:33 ` [PATCH v4 15/15] firmware: arm_scmi: Introduce all_rates_get clock operation Cristian Marussi
2026-05-08 17:25 ` [PATCH v4 00/15] SCMI Clock rates discovery rework Geert Uytterhoeven

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:cb4865fd8af dfblob:fd031a8d40d )
 OR (
bs:"[PATCH v4 11/15] firmware: arm_scmi: Fix bound iterators returning too many items" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260508153300.2224715-12-cristian.marussi@arm.com \
    --to=cristian.marussi@arm.com \
    --cc=arm-scmi@vger.kernel.org \
    --cc=etienne.carriere@foss.st.com \
    --cc=f.fainelli@gmail.com \
    --cc=geert+renesas@glider.be \
    --cc=james.quinlan@broadcom.com \
    --cc=kuninori.morimoto.gx@renesas.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-clk@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-renesas-soc@vger.kernel.org \
    --cc=marek.vasut+renesas@gmail.com \
    --cc=michal.simek@amd.com \
    --cc=peng.fan@oss.nxp.com \
    --cc=philip.radford@arm.com \
    --cc=sudeep.holla@arm.com \
    --cc=vincent.guittot@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox