From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 21A8619E81F; Mon, 4 Aug 2025 00:31:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754267507; cv=none; b=ju3OfXkuKZgHVAIaA8W9zMu/2kpB20BDsDQBfQYlu9byYPA+bYbzpuw+HF64lZ4FKj86ve+T9zV86ecqcaWd1JOV065pkK7e//B2sJJT6bRL192oMxlFbOIgOiXgcLgSkqlb4DcnSB7bm87A4WnTn+QC9DG3p+y/VVnb874Ph20= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1754267507; c=relaxed/simple; bh=xPY2yaaA7s79lgArkJ7FbbAPp8QZM05dlvF1s3pt+Sk=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=ctmQg8C1Xn6QhXBHYGbNBAO92LdE4RSzwyESdHp2c+1RcWGGCEkZEIrWKN5/FoQoSJkTTJGwEBb7zDP/5x2HvX3WAeB/n6wV37B7J6vsEQrD/Ke+XYxwZwBDpo8GA4n9MWbPdagtFa3M8x8jWpWyjjG6KyGGdYq5uADWc3BDFXs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=KFPJSuC7; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="KFPJSuC7" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A2B01C4CEF8; Mon, 4 Aug 2025 00:31:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1754267507; bh=xPY2yaaA7s79lgArkJ7FbbAPp8QZM05dlvF1s3pt+Sk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KFPJSuC79zKj5ppG4pAKb8GqowJm0ji2JEK9ydx4ODpbMwWHij2amcBm149Wfxac0 swJCmWYDvLNvvCFAvTr8ZbHcdDTKKErjKsFG8N4Y0vmFUXfgusJRqtAZHKhxlvDD6c DQrc3rmYsIsfuOLseMghUiEQAIqVQGQHdRXro9Be3+e3n1EOIjRbv3xzpzjB86VdOr cSw94QMICjDW4NDv1eeIh0ejn6R1SaYkzJ4FsVshgmuKPF5uTLLN5RiaCouEjLwByY o90gBBAlOL0X70q5kJUqabCkoqqdqvr7DSMuBuiaqtgtQihJgddcTDNxL4Hiw7Xfvb 7IQULjG4pcGFg== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Bartosz Golaszewski , Johan Hovold , Bjorn Andersson , Sasha Levin , konradybcio@kernel.org, linux-arm-msm@vger.kernel.org Subject: [PATCH AUTOSEL 6.12 10/69] firmware: qcom: scm: initialize tzmem before marking SCM as available Date: Sun, 3 Aug 2025 20:30:20 -0400 Message-Id: <20250804003119.3620476-10-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250804003119.3620476-1-sashal@kernel.org> References: <20250804003119.3620476-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.12.41 Content-Transfer-Encoding: 8bit From: Bartosz Golaszewski [ Upstream commit 87be3e7a2d0030cda6314d2ec96b37991f636ccd ] Now that qcom_scm_shm_bridge_enable() uses the struct device passed to it as argument to make the QCOM_SCM_MP_SHM_BRIDGE_ENABLE SCM call, we can move the TZMem initialization before the assignment of the __scm pointer in the SCM driver (which marks SCM as ready to users) thus fixing the potential race between consumer calls and the memory pool initialization. Reported-by: Johan Hovold Closes: https://lore.kernel.org/all/20250120151000.13870-1-johan+linaro@kernel.org/ Signed-off-by: Bartosz Golaszewski Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-3-fa3851c98611@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin --- LLM Generated explanations, may be completely bogus: YES This commit should be backported to stable kernel trees. The commit fixes a critical race condition in the Qualcomm SCM (Secure Channel Manager) driver that can lead to system crashes. **Analysis of the race condition:** Looking at the code changes, the commit moves the TrustZone memory (TZMem) pool initialization from **after** the SCM is marked as available (line 2254 in the original code: `smp_store_release(&__scm, scm)`) to **before** it. This is a critical ordering fix because: 1. **The race window**: Once `__scm` is assigned via `smp_store_release(&__scm, scm)` at line 2254, the SCM API becomes available to all kernel consumers through `qcom_scm_is_available()` which checks this pointer. 2. **The problem**: Between lines 2254-2298 in the original code, the SCM is marked as available but the TZMem pool (`__scm->mempool`) hasn't been initialized yet. If any SCM consumer makes an API call during this window that requires memory allocation from the TZMem pool, it will access an uninitialized pointer, causing a crash. 3. **The fix**: The commit moves the TZMem initialization (lines 2286-2298 in original) to lines 2253-2277 in the patched version, ensuring the memory pool is fully initialized before marking SCM as available. **Why this qualifies for stable backport:** 1. **Fixes a real bug**: This addresses a genuine race condition that can cause kernel crashes, as reported by Johan Hovold. 2. **Security-critical subsystem**: The SCM driver handles secure communication with TrustZone firmware on Qualcomm platforms, making stability crucial. 3. **Small, contained fix**: The change is minimal - it simply reorders initialization steps without changing functionality or adding features. 4. **No architectural changes**: This is purely a bug fix that corrects initialization ordering. 5. **Clear problem and solution**: The race condition is well-defined, and the fix is straightforward and obvious. 6. **Minimal regression risk**: Moving initialization earlier in the probe sequence is a safe change that doesn't affect the driver's operation once initialized. The commit message also references a specific bug report, indicating this is a real issue encountered in production, not a theoretical problem. For stable kernel trees supporting Qualcomm platforms, this fix prevents potential crashes during system initialization. drivers/firmware/qcom/qcom_scm.c | 53 ++++++++++++++++---------------- 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/drivers/firmware/qcom/qcom_scm.c b/drivers/firmware/qcom/qcom_scm.c index 23aefbf6fca5..88f3ae652a87 100644 --- a/drivers/firmware/qcom/qcom_scm.c +++ b/drivers/firmware/qcom/qcom_scm.c @@ -2000,7 +2000,32 @@ static int qcom_scm_probe(struct platform_device *pdev) if (ret) return ret; - /* Paired with smp_load_acquire() in qcom_scm_is_available(). */ + ret = of_reserved_mem_device_init(scm->dev); + if (ret && ret != -ENODEV) + return dev_err_probe(scm->dev, ret, + "Failed to setup the reserved memory region for TZ mem\n"); + + ret = qcom_tzmem_enable(scm->dev); + if (ret) + return dev_err_probe(scm->dev, ret, + "Failed to enable the TrustZone memory allocator\n"); + + memset(&pool_config, 0, sizeof(pool_config)); + pool_config.initial_size = 0; + pool_config.policy = QCOM_TZMEM_POLICY_ON_DEMAND; + pool_config.max_size = SZ_256K; + + scm->mempool = devm_qcom_tzmem_pool_new(scm->dev, &pool_config); + if (IS_ERR(scm->mempool)) + return dev_err_probe(scm->dev, PTR_ERR(scm->mempool), + "Failed to create the SCM memory pool\n"); + + /* + * Paired with smp_load_acquire() in qcom_scm_is_available(). + * + * This marks the SCM API as ready to accept user calls and can only + * be called after the TrustZone memory pool is initialized. + */ smp_store_release(&__scm, scm); irq = platform_get_irq_optional(pdev, 0); @@ -2033,32 +2058,6 @@ static int qcom_scm_probe(struct platform_device *pdev) if (of_property_read_bool(pdev->dev.of_node, "qcom,sdi-enabled") || !download_mode) qcom_scm_disable_sdi(); - ret = of_reserved_mem_device_init(__scm->dev); - if (ret && ret != -ENODEV) { - dev_err_probe(__scm->dev, ret, - "Failed to setup the reserved memory region for TZ mem\n"); - goto err; - } - - ret = qcom_tzmem_enable(__scm->dev); - if (ret) { - dev_err_probe(__scm->dev, ret, - "Failed to enable the TrustZone memory allocator\n"); - goto err; - } - - memset(&pool_config, 0, sizeof(pool_config)); - pool_config.initial_size = 0; - pool_config.policy = QCOM_TZMEM_POLICY_ON_DEMAND; - pool_config.max_size = SZ_256K; - - __scm->mempool = devm_qcom_tzmem_pool_new(__scm->dev, &pool_config); - if (IS_ERR(__scm->mempool)) { - ret = dev_err_probe(__scm->dev, PTR_ERR(__scm->mempool), - "Failed to create the SCM memory pool\n"); - goto err; - } - /* * Initialize the QSEECOM interface. * -- 2.39.5