From: Cristian Marussi <cristian.marussi@arm.com>
To: linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, arm-scmi@vger.kernel.org,
linux-clk@vger.kernel.org, linux-renesas-soc@vger.kernel.org
Cc: sudeep.holla@arm.com, philip.radford@arm.com,
james.quinlan@broadcom.com, f.fainelli@gmail.com,
vincent.guittot@linaro.org, etienne.carriere@foss.st.com,
peng.fan@oss.nxp.com, michal.simek@amd.com,
geert+renesas@glider.be, kuninori.morimoto.gx@renesas.com,
marek.vasut+renesas@gmail.com,
Cristian Marussi <cristian.marussi@arm.com>
Subject: [PATCH v4 14/15] firmware: arm_scmi: Fix OOB in scmi_clock_describe_rates_get_lazy()
Date: Fri, 8 May 2026 16:32:59 +0100 [thread overview]
Message-ID: <20260508153300.2224715-15-cristian.marussi@arm.com> (raw)
In-Reply-To: <20260508153300.2224715-1-cristian.marussi@arm.com>
From: Geert Uytterhoeven <geert+renesas@glider.be>
Lazy discovery of discrete rates works as follows:
A. Grab the first three rates,
B. Grab the last rate, if there are more than three rates.
It is up to the SCMI provider implementation to decide how many rates
are returned in response to a single CLOCK_DESCRIBE_RATES command. Each
rate received is stored in the scmi_clock_rates.rates[] array, and
.num_rates is updated accordingly.
When more than 3 rates have been received after step A, the last rate
may have been received already, and stored in scmi_clock_rates.rates[]
(which has space for scmi_clock_desc.tot_rates entries). Hence grabbing
the last rate again will store it a second time, beyond the end of the
array.
Fix this by only grabbing the last rate when we don't already have it.
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
---
drivers/firmware/arm_scmi/clock.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c
index 955bb9565ce3..ab8c65ed785a 100644
--- a/drivers/firmware/arm_scmi/clock.c
+++ b/drivers/firmware/arm_scmi/clock.c
@@ -582,8 +582,11 @@ scmi_clock_describe_rates_get_lazy(const struct scmi_protocol_handle *ph,
if (ret)
goto out;
- /* If discrete grab the last value, which should be the max */
- if (clkd->rate_discrete && clkd->tot_rates > 3) {
+ /*
+ * If discrete and we don't already have it, grab the last value, which
+ * should be the max
+ */
+ if (clkd->rate_discrete && clkd->tot_rates > clkd->num_rates) {
first = clkd->tot_rates - 1;
last = clkd->tot_rates - 1;
ret = ph->hops->iter_response_run_bound(iter, &first, &last);
--
2.53.0
next prev parent reply other threads:[~2026-05-08 15:34 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 15:32 [PATCH v4 00/15] SCMI Clock rates discovery rework Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 01/15] clk: scmi: Fix clock rate rounding Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 02/15] firmware: arm_scmi: Add clock determine_rate operation Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 03/15] clk: scmi: Use new determine_rate clock operation Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 04/15] firmware: arm_scmi: Simplify clock rates exposed interface Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 05/15] clk: scmi: Use new simplified per-clock rate properties Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 06/15] firmware: arm_scmi: Drop unused clock rate interfaces Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 07/15] firmware: arm_scmi: Make clock rates allocation dynamic Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 08/15] firmware: arm_scmi: Harden clock parents discovery Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 09/15] firmware: arm_scmi: Refactor iterators internal allocation Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 10/15] firmware: arm_scmi: Add bound iterators support Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 11/15] firmware: arm_scmi: Fix bound iterators returning too many items Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 12/15] firmware: arm_scmi: Use proper iter_response_bound_cleanup() name Cristian Marussi
2026-05-08 15:32 ` [PATCH v4 13/15] firmware: arm_scmi: Use bound iterators to minimize discovered rates Cristian Marussi
2026-05-08 15:32 ` Cristian Marussi [this message]
2026-05-08 15:33 ` [PATCH v4 15/15] firmware: arm_scmi: Introduce all_rates_get clock operation Cristian Marussi
2026-05-08 17:25 ` [PATCH v4 00/15] SCMI Clock rates discovery rework Geert Uytterhoeven
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260508153300.2224715-15-cristian.marussi@arm.com \
--to=cristian.marussi@arm.com \
--cc=arm-scmi@vger.kernel.org \
--cc=etienne.carriere@foss.st.com \
--cc=f.fainelli@gmail.com \
--cc=geert+renesas@glider.be \
--cc=james.quinlan@broadcom.com \
--cc=kuninori.morimoto.gx@renesas.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-clk@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-renesas-soc@vger.kernel.org \
--cc=marek.vasut+renesas@gmail.com \
--cc=michal.simek@amd.com \
--cc=peng.fan@oss.nxp.com \
--cc=philip.radford@arm.com \
--cc=sudeep.holla@arm.com \
--cc=vincent.guittot@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox