From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 44E70184540; Mon, 4 Aug 2025 00:28:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754267308; cv=none; b=A9YmdtaWKUf1DlYysTZbEnKgV6X/FByru18HFyKuReMr2879XfPcVMcI5WAQp9yXWw7e8AsYF0pETeJJm06nnPOBmlDuVR/7MlpD20vkAKy3JrPzPedIJdxp0Edk0nZy7j/Bw/NwcBFjjhRSf2527KkqpbuHTLOK6cOqQ5eUFaE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754267308; c=relaxed/simple; bh=kgMPTGgvpBKq4tnv0e44Vzk6YYmWtDSo2sh8DcEgh4E=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=ub3pqnI/bAStcfx6OWEq8vlc8skKn4DqKRrMYs5Yw3eeruqyHjjrFUy9Au1os/dN08BJANUmAfpDJilpepMqazJm2s6Wod1ZsXdRwUlkpIBgPmPm/Hyx0tSKPBVf8mR1/oOU5NUkunFO8STQx+7kMxiwAMonD9sJIfF26U04UQ8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=RJ1k6C0O; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="RJ1k6C0O" Received: by smtp.kernel.org (Postfix) with ESMTPSA id AA6ACC4AF09; Mon, 4 Aug 2025 00:28:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1754267308; bh=kgMPTGgvpBKq4tnv0e44Vzk6YYmWtDSo2sh8DcEgh4E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RJ1k6C0O0hjohz3R+2LmXzpAFmHFnEp6Ds9prGo7p2RL3MZw/Ay4nhHPflfm04Lkx V/SbGEYqIPzQrhx5Hdkbdw3ESmuT2h9U1KmWgEBXiAJ3Cew/+tQGHhZqAtyr7rpHcs WqsmWZdegBSDTyx9L1OsavTvpG9MnHhQ2lt5aRDacm8mYQhMCnHCCYIg1FP833WRD3 fy/yLjL/idSnkEBjUhJ/uo6nxqUvQCxzHGW7v9blm2CyIcsd7j89Q4T4nusniAkAy+ KhF0lREmgZv+iGZ9eIe6Ri2b2Q1pFiHlFdO3plejbVrIcDqq8z8F9Om8IQfkt5GID4 eiAWZy/nvN+Aw== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Bartosz Golaszewski , Johan Hovold , Bjorn Andersson , Sasha Levin , konradybcio@kernel.org, linux-arm-msm@vger.kernel.org Subject: [PATCH AUTOSEL 6.15 13/80] firmware: qcom: scm: initialize tzmem before marking SCM as available Date: Sun, 3 Aug 2025 20:26:40 -0400 Message-Id: <20250804002747.3617039-13-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250804002747.3617039-1-sashal@kernel.org> References: <20250804002747.3617039-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.15.9 Content-Transfer-Encoding: 8bit From: Bartosz Golaszewski [ Upstream commit 87be3e7a2d0030cda6314d2ec96b37991f636ccd ] Now that qcom_scm_shm_bridge_enable() uses the struct device passed to it as argument to make the QCOM_SCM_MP_SHM_BRIDGE_ENABLE SCM call, we can move the TZMem initialization before the assignment of the __scm pointer in the SCM driver (which marks SCM as ready to users) thus fixing the potential race between consumer calls and the memory pool initialization. Reported-by: Johan Hovold Closes: https://lore.kernel.org/all/20250120151000.13870-1-johan+linaro@kernel.org/ Signed-off-by: Bartosz Golaszewski Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-3-fa3851c98611@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin --- LLM Generated explanations, may be completely bogus: YES This commit should be backported to stable kernel trees. The commit fixes a critical race condition in the Qualcomm SCM (Secure Channel Manager) driver that can lead to system crashes. **Analysis of the race condition:** Looking at the code changes, the commit moves the TrustZone memory (TZMem) pool initialization from **after** the SCM is marked as available (line 2254 in the original code: `smp_store_release(&__scm, scm)`) to **before** it. This is a critical ordering fix because: 1. **The race window**: Once `__scm` is assigned via `smp_store_release(&__scm, scm)` at line 2254, the SCM API becomes available to all kernel consumers through `qcom_scm_is_available()` which checks this pointer. 2. **The problem**: Between lines 2254-2298 in the original code, the SCM is marked as available but the TZMem pool (`__scm->mempool`) hasn't been initialized yet. If any SCM consumer makes an API call during this window that requires memory allocation from the TZMem pool, it will access an uninitialized pointer, causing a crash. 3. **The fix**: The commit moves the TZMem initialization (lines 2286-2298 in original) to lines 2253-2277 in the patched version, ensuring the memory pool is fully initialized before marking SCM as available. **Why this qualifies for stable backport:** 1. **Fixes a real bug**: This addresses a genuine race condition that can cause kernel crashes, as reported by Johan Hovold. 2. **Security-critical subsystem**: The SCM driver handles secure communication with TrustZone firmware on Qualcomm platforms, making stability crucial. 3. **Small, contained fix**: The change is minimal - it simply reorders initialization steps without changing functionality or adding features. 4. **No architectural changes**: This is purely a bug fix that corrects initialization ordering. 5. **Clear problem and solution**: The race condition is well-defined, and the fix is straightforward and obvious. 6. **Minimal regression risk**: Moving initialization earlier in the probe sequence is a safe change that doesn't affect the driver's operation once initialized. The commit message also references a specific bug report, indicating this is a real issue encountered in production, not a theoretical problem. For stable kernel trees supporting Qualcomm platforms, this fix prevents potential crashes during system initialization. drivers/firmware/qcom/qcom_scm.c | 53 ++++++++++++++++---------------- 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c index fc4d67e4c4a6..9032c8a317f9 100644 --- a/drivers/firmware/qcom/qcom_scm.c +++ b/drivers/firmware/qcom/qcom_scm.c @@ -2247,7 +2247,32 @@ static int qcom_scm_probe(struct platform_device *pdev) if (ret) return ret; - /* Paired with smp_load_acquire() in qcom_scm_is_available(). */ + ret = of_reserved_mem_device_init(scm->dev); + if (ret && ret != -ENODEV) + return dev_err_probe(scm->dev, ret, + "Failed to setup the reserved memory region for TZ mem\n"); + + ret = qcom_tzmem_enable(scm->dev); + if (ret) + return dev_err_probe(scm->dev, ret, + "Failed to enable the TrustZone memory allocator\n"); + + memset(&pool_config, 0, sizeof(pool_config)); + pool_config.initial_size = 0; + pool_config.policy = QCOM_TZMEM_POLICY_ON_DEMAND; + pool_config.max_size = SZ_256K; + + scm->mempool = devm_qcom_tzmem_pool_new(scm->dev, &pool_config); + if (IS_ERR(scm->mempool)) + return dev_err_probe(scm->dev, PTR_ERR(scm->mempool), + "Failed to create the SCM memory pool\n"); + + /* + * Paired with smp_load_acquire() in qcom_scm_is_available(). + * + * This marks the SCM API as ready to accept user calls and can only + * be called after the TrustZone memory pool is initialized. + */ smp_store_release(&__scm, scm); irq = platform_get_irq_optional(pdev, 0); @@ -2280,32 +2305,6 @@ static int qcom_scm_probe(struct platform_device *pdev) if (of_property_read_bool(pdev->dev.of_node, "qcom,sdi-enabled") || !download_mode) qcom_scm_disable_sdi(); - ret = of_reserved_mem_device_init(__scm->dev); - if (ret && ret != -ENODEV) { - dev_err_probe(__scm->dev, ret, - "Failed to setup the reserved memory region for TZ mem\n"); - goto err; - } - - ret = qcom_tzmem_enable(__scm->dev); - if (ret) { - dev_err_probe(__scm->dev, ret, - "Failed to enable the TrustZone memory allocator\n"); - goto err; - } - - memset(&pool_config, 0, sizeof(pool_config)); - pool_config.initial_size = 0; - pool_config.policy = QCOM_TZMEM_POLICY_ON_DEMAND; - pool_config.max_size = SZ_256K; - - __scm->mempool = devm_qcom_tzmem_pool_new(__scm->dev, &pool_config); - if (IS_ERR(__scm->mempool)) { - ret = dev_err_probe(__scm->dev, PTR_ERR(__scm->mempool), - "Failed to create the SCM memory pool\n"); - goto err; - } - /* * Initialize the QSEECOM interface. * -- 2.39.5