Linux-ARM-Kernel Archive on lore.kernel.org
From: Sudeep Holla <sudeep.holla@kernel.org>
To: arm-scmi@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Cristian Marussi <cristian.marussi@arm.com>
Subject: [PATCH v3 14/17] firmware: arm_scmi: Publish channel state before mailbox request
Date: Fri, 03 Jul 2026 21:22:50 +0100
Message-ID: <20260703-scmi_core_fixes-v3-14-5bae9766abfc@kernel.org>
In-Reply-To: <20260703-scmi_core_fixes-v3-0-5bae9766abfc@kernel.org>

mailbox_chan_setup() initializes smbox->cinfo only after all mailbox
channels have been requested successfully. That is too late because
mbox_request_channel() binds the client before invoking the controller
startup callback, and startup can enable interrupt delivery.

If a pending or spurious mailbox interrupt fires during that window,
mbox_chan_received_data() can call the SCMI mailbox rx_callback() before
smbox->cinfo is set. The callback dereferences smbox->cinfo on both the
spurious IRQ path and the normal RX path, so this can crash before
channel setup has completed.

Publishing only the mailbox transport pointers is not sufficient because
an early mailbox callback can enter the SCMI core before scmi_chan_setup()
has assigned cinfo->handle. The core derives scmi_info from cinfo->handle
in the RX path, so a NULL handle can still fault even though smbox->cinfo
is valid.

Publish cinfo->transport_info, smbox->cinfo, and cinfo->handle before
requesting any mailbox channel. Also initialize the chan_lock before the
request, and clear the early published transport pointers again on setup
failure so later cleanup does not see a half-initialized transport.

Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>
---
 drivers/firmware/arm_scmi/driver.c             |  2 +-
 drivers/firmware/arm_scmi/transports/mailbox.c | 14 +++++++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
index ddd026b05300..df574961875c 100644
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@@ -2785,6 +2785,7 @@ static int scmi_chan_setup(struct scmi_info *info, struct device_node *of_node,
 
 	cinfo->id = prot_id;
 	cinfo->dev = &tdev->dev;
+	cinfo->handle = &info->handle;
 	ret = info->desc->ops->chan_setup(cinfo, info->dev, tx);
 	if (ret) {
 		scmi_device_destroy(info->dev, prot_id, name);
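
Review bot: The new `cinfo->handle = &info->handle;` line ahead of the chan_setup() call carries an ordering requirement that nothing in the code states. A short comment above it, saying the handle must be valid before the transport can deliver its first RX callback, would stop a later cleanup from moving the assignment back below the setup calls.
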
@@ -2816,7 +2817,6 @@ static int scmi_chan_setup(struct scmi_info *info, struct device_node *of_node,
 		return ret;
 	}
 
-	cinfo->handle = &info->handle;
 	return 0;
 }
 
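Review bot: With the assignment removed from the tail of scmi_chan_setup(), the failing `return ret;` just above it now leaves cinfo->handle set, where it used to stay NULL. The mailbox side clears its early published pointers on failure; it is worth either resetting cinfo->handle on the error paths as well, or confirming that no cleanup code treats a non-NULL handle as meaning the channel was fully set up.
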
diff --git a/drivers/firmware/arm_scmi/transports/mailbox.c b/drivers/firmware/arm_scmi/transports/mailbox.c
index d41b8451bd21..4c9d1e4abd85 100644
--- a/drivers/firmware/arm_scmi/transports/mailbox.c
+++ b/drivers/firmware/arm_scmi/transports/mailbox.c
@@ -211,13 +211,18 @@ static int mailbox_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
 	cl->tx_block = false;
 	cl->knows_txdone = tx;
 
+	cinfo->transport_info = smbox;
+	smbox->cinfo = cinfo;
+	mutex_init(&smbox->chan_lock);
+
 	smbox->chan = mbox_request_channel(cl, tx ? 0 : p2a_chan);
 	if (IS_ERR(smbox->chan)) {
 		ret = PTR_ERR(smbox->chan);
+		smbox->chan = NULL;
 		if (ret != -EPROBE_DEFER)
 			dev_err(cdev,
 				"failed to request SCMI %s mailbox\n", desc);
-		return ret;
+		goto err_clear_cinfo;
 	}
 
 	/* Additional unidirectional channel for TX if needed */
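
Review bot: smbox->cinfo is now visible to rx_callback() before `smbox->chan = mbox_request_channel(cl, tx ? 0 : p2a_chan);` has returned, so a callback that fires during controller startup runs with smbox->chan still unassigned. Please confirm that nothing reachable from the callback reads smbox->chan or the additional channel pointers requested further down, or add a check for that case. A one-line comment above the three early stores explaining why they precede the request would also help.
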
@@ -243,14 +248,13 @@ static int mailbox_chan_setup(struct scmi_chan_info *cinfo, struct device *dev,
 		}
 	}
 
-	cinfo->transport_info = smbox;
-	smbox->cinfo = cinfo;
-	mutex_init(&smbox->chan_lock);
-
 	return 0;
 
 err_free_chan:
 	mbox_free_channel(smbox->chan);
+err_clear_cinfo:
+	cinfo->transport_info = NULL;
+	smbox->cinfo = NULL;
 	return ret;
 }
 
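Review bot: In err_free_chan, smbox->chan still holds the channel pointer after `mbox_free_channel(smbox->chan);`, while the request-failure path earlier in this function now sets `smbox->chan = NULL;` before jumping to err_clear_cinfo. Resetting smbox->chan after the free would leave the same state on both failure paths, so later cleanup cannot act on a stale pointer.
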

-- 
2.43.0


