summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCristian Marussi <cristian.marussi@arm.com>2022-05-23 19:15:59 +0200
committerSudeep Holla <sudeep.holla@arm.com>2022-06-06 16:46:35 +0200
commit122839b58a089ff7f231759e2c8f63790724cae2 (patch)
treefa3122fc3258c9c65f64df138cb6bb1227562843
parentLinux 5.19-rc1 (diff)
downloadlinux-122839b58a089ff7f231759e2c8f63790724cae2.tar.xz
linux-122839b58a089ff7f231759e2c8f63790724cae2.zip
firmware: arm_scmi: Relax base protocol sanity checks on the protocol list
Even though malformed replies from firmware must be treated carefully to avoid memory corruption in the kernel, some out-of-spec SCMI replies can be tolerated to avoid breaking existing deployed system, as long as they won't cause memory issues. Relax the sanity checks on the recieved protocol list in the base protocol to avoid breaking one of the deployed platform whose firmware is not easily upgradable currently. Link: https://lore.kernel.org/r/20220523171559.472112-1-cristian.marussi@arm.com Cc: Etienne Carriere <etienne.carriere@linaro.org> Cc: Sudeep Holla <sudeep.holla@arm.com> Reported-by: Nicolas Frattaroli <frattaroli.nicolas@gmail.com> Tested-By: Frank Wunderlich <frank-w@public-files.de> Acked-by: Michael Riesch <michael.riesch@wolfvision.net> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Cristian Marussi <cristian.marussi@arm.com> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
-rw-r--r--drivers/firmware/arm_scmi/base.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c
index 20fba7370f4e..d0ac96da1ddf 100644
--- a/drivers/firmware/arm_scmi/base.c
+++ b/drivers/firmware/arm_scmi/base.c
@@ -221,11 +221,17 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph,
calc_list_sz = (1 + (loop_num_ret - 1) / sizeof(u32)) *
sizeof(u32);
if (calc_list_sz != real_list_sz) {
- dev_err(dev,
- "Malformed reply - real_sz:%zd calc_sz:%u\n",
- real_list_sz, calc_list_sz);
- ret = -EPROTO;
- break;
+ dev_warn(dev,
+ "Malformed reply - real_sz:%zd calc_sz:%u (loop_num_ret:%d)\n",
+ real_list_sz, calc_list_sz, loop_num_ret);
+ /*
+ * Bail out if the expected list size is bigger than the
+ * total payload size of the received reply.
+ */
+ if (calc_list_sz > real_list_sz) {
+ ret = -EPROTO;
+ break;
+ }
}
for (loop = 0; loop < loop_num_ret; loop++)