[PATCH] firmware: samsung: fix stale response flag in acpm_prepare

public inbox for linux-arm-kernel@lists.infradead.org
 help / color / mirror / Atom feed

* [PATCH] firmware: samsung: fix stale response flag in acpm_prepare_xfer()
@ 2026-04-26 21:02 Titouan Ameline de Cadeville
  2026-04-27  8:48 ` Tudor Ambarus
  0 siblings, 1 reply; 4+ messages in thread
From: Titouan Ameline de Cadeville @ 2026-04-26 21:02 UTC (permalink / raw)
  To: tudor.ambarus
  Cc: krzk, alim.akhtar, linux-kernel, linux-samsung-soc,
	linux-arm-kernel, Titouan Ameline de Cadeville

acpm_prepare_xfer() only ever set rx_data->response to true, never
false. A reused sequence number slot could therefore inherit a stale
true from a previous transfer that expected a response, causing
acpm_get_rx() to enter the response-copy path for a fire-and-forget
transfer whose rxd is NULL.

Unconditionally assign the correct boolean value so the slot is fully
reset on every reuse.

Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
Signed-off-by: Titouan Ameline de Cadeville <titouan.ameline@gmail.com>
---
 drivers/firmware/samsung/exynos-acpm.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/samsung/exynos-acpm.c
index 16c46ed60837..2fee6bb60efc 100644
--- a/drivers/firmware/samsung/exynos-acpm.c
+++ b/drivers/firmware/samsung/exynos-acpm.c
@@ -380,8 +380,7 @@ static void acpm_prepare_xfer(struct acpm_chan *achan,
 	/* Clear data for upcoming responses */
 	rx_data = &achan->rx_data[achan->seqnum - 1];
 	memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd);
-	if (xfer->rxd)
-		rx_data->response = true;
+	rx_data->response = !!xfer->rxd;
 
 	/* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */
 	set_bit(achan->seqnum - 1, achan->bitmap_seqnum);
-- 
2.44.2



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] firmware: samsung: fix stale response flag in acpm_prepare_xfer()
  2026-04-26 21:02 [PATCH] firmware: samsung: fix stale response flag in acpm_prepare_xfer() Titouan Ameline de Cadeville
@ 2026-04-27  8:48 ` Tudor Ambarus
  2026-04-27 21:37   ` Titouan Ameline
  0 siblings, 1 reply; 4+ messages in thread
From: Tudor Ambarus @ 2026-04-27  8:48 UTC (permalink / raw)
  To: Titouan Ameline de Cadeville
  Cc: krzk, alim.akhtar, linux-kernel, linux-samsung-soc,
	linux-arm-kernel

Hi,

Thanks for the patch!

On 4/27/26 12:02 AM, Titouan Ameline de Cadeville wrote:
> acpm_prepare_xfer() only ever set rx_data->response to true, never
> false. A reused sequence number slot could therefore inherit a stale
> true from a previous transfer that expected a response, causing
> acpm_get_rx() to enter the response-copy path for a fire-and-forget
> transfer whose rxd is NULL.
> 
> Unconditionally assign the correct boolean value so the slot is fully
> reset on every reuse.
> 

How did you find this?

Sashiko identified this too when reviewing the ACPM thermal patches.
I sent some fixes last week, where this bug is squashed as well:

https://lore.kernel.org/linux-samsung-soc/20260423-acpm-fixes-sashiko-reports-v1-0-2217b790925e@linaro.org/T/#m1c32aa4c84ea7e3909bc8fe7599585b71e95d8b5


Thanks!
ta

> Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
> Signed-off-by: Titouan Ameline de Cadeville <titouan.ameline@gmail.com>
> ---
>  drivers/firmware/samsung/exynos-acpm.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/samsung/exynos-acpm.c
> index 16c46ed60837..2fee6bb60efc 100644
> --- a/drivers/firmware/samsung/exynos-acpm.c
> +++ b/drivers/firmware/samsung/exynos-acpm.c
> @@ -380,8 +380,7 @@ static void acpm_prepare_xfer(struct acpm_chan *achan,
>  	/* Clear data for upcoming responses */
>  	rx_data = &achan->rx_data[achan->seqnum - 1];
>  	memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd);
> -	if (xfer->rxd)
> -		rx_data->response = true;
> +	rx_data->response = !!xfer->rxd;
>  
>  	/* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */
>  	set_bit(achan->seqnum - 1, achan->bitmap_seqnum);



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] firmware: samsung: fix stale response flag in acpm_prepare_xfer()
  2026-04-27  8:48 ` Tudor Ambarus
@ 2026-04-27 21:37   ` Titouan Ameline
  2026-04-28  9:32     ` Krzysztof Kozlowski
  0 siblings, 1 reply; 4+ messages in thread
From: Titouan Ameline @ 2026-04-27 21:37 UTC (permalink / raw)
  To: Tudor Ambarus
  Cc: krzk, alim.akhtar, linux-kernel, linux-samsung-soc,
	linux-arm-kernel

I was reading through the driver code and noticed that
acpm_prepare_xfer() only enters the

if (xfer->rxd) branch to set response = true
with no corresponding else to reset it to false.

Since seqnum slots are recycled, I traced what happens when a slot
previously used by a response-expecting transfer gets reused by a
fire-and-forget one

-> the stale true remains and the wrong branch is taken in acpm_get_rx().

Le lun. 27 avr. 2026 à 10:48, Tudor Ambarus <tudor.ambarus@linaro.org> a écrit :
>
> Hi,
>
> Thanks for the patch!
>
> On 4/27/26 12:02 AM, Titouan Ameline de Cadeville wrote:
> > acpm_prepare_xfer() only ever set rx_data->response to true, never
> > false. A reused sequence number slot could therefore inherit a stale
> > true from a previous transfer that expected a response, causing
> > acpm_get_rx() to enter the response-copy path for a fire-and-forget
> > transfer whose rxd is NULL.
> >
> > Unconditionally assign the correct boolean value so the slot is fully
> > reset on every reuse.
> >
>
> How did you find this?
>
> Sashiko identified this too when reviewing the ACPM thermal patches.
> I sent some fixes last week, where this bug is squashed as well:
>
> https://lore.kernel.org/linux-samsung-soc/20260423-acpm-fixes-sashiko-reports-v1-0-2217b790925e@linaro.org/T/#m1c32aa4c84ea7e3909bc8fe7599585b71e95d8b5
>
>
> Thanks!
> ta
>
> > Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
> > Signed-off-by: Titouan Ameline de Cadeville <titouan.ameline@gmail.com>
> > ---
> >  drivers/firmware/samsung/exynos-acpm.c | 3 +--
> >  1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/samsung/exynos-acpm.c
> > index 16c46ed60837..2fee6bb60efc 100644
> > --- a/drivers/firmware/samsung/exynos-acpm.c
> > +++ b/drivers/firmware/samsung/exynos-acpm.c
> > @@ -380,8 +380,7 @@ static void acpm_prepare_xfer(struct acpm_chan *achan,
> >       /* Clear data for upcoming responses */
> >       rx_data = &achan->rx_data[achan->seqnum - 1];
> >       memset(rx_data->cmd, 0, sizeof(*rx_data->cmd) * rx_data->n_cmd);
> > -     if (xfer->rxd)
> > -             rx_data->response = true;
> > +     rx_data->response = !!xfer->rxd;
> >
> >       /* Flag the index based on seqnum. (seqnum: 1~63, bitmap: 0~62) */
> >       set_bit(achan->seqnum - 1, achan->bitmap_seqnum);
>


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] firmware: samsung: fix stale response flag in acpm_prepare_xfer()
  2026-04-27 21:37   ` Titouan Ameline
@ 2026-04-28  9:32     ` Krzysztof Kozlowski
  0 siblings, 0 replies; 4+ messages in thread
From: Krzysztof Kozlowski @ 2026-04-28  9:32 UTC (permalink / raw)
  To: Titouan Ameline, Tudor Ambarus
  Cc: alim.akhtar, linux-kernel, linux-samsung-soc, linux-arm-kernel

On 27/04/2026 23:37, Titouan Ameline wrote:
> I was reading through the driver code and noticed that
> acpm_prepare_xfer() only enters the
> 
> if (xfer->rxd) branch to set response = true
> with no corresponding else to reset it to false.
> 
> Since seqnum slots are recycled, I traced what happens when a slot
> previously used by a response-expecting transfer gets reused by a
> fire-and-forget one
> 
> -> the stale true remains and the wrong branch is taken in acpm_get_rx().
> 
> Le lun. 27 avr. 2026 à 10:48, Tudor Ambarus <tudor.ambarus@linaro.org> a écrit :
>>

This seams to duplicate Tudor's earlier patches and his solution looks
more complete, so I will take his work with Reported-by credits.

Best regards,
Krzysztof


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-04-28  9:32 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-26 21:02 [PATCH] firmware: samsung: fix stale response flag in acpm_prepare_xfer() Titouan Ameline de Cadeville
2026-04-27  8:48 ` Tudor Ambarus
2026-04-27 21:37   ` Titouan Ameline
2026-04-28  9:32     ` Krzysztof Kozlowski

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox