This is a note to let you know that I've just added the patch titled
firmware: arm_scmi: Fix device node validation for mailbox transport
to the 5.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
firmware-arm_scmi-fix-device-node-validation-for-mailbox-transport.patch
and it can be found in the queue-5.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 2ab4f4018cb6b8010ca5002c3bdc37783b5d28c2 Mon Sep 17 00:00:00 2001
From: Cristian Marussi <cristian.marussi@xxxxxxx>
Date: Tue, 7 Mar 2023 16:23:24 +0000
Subject: firmware: arm_scmi: Fix device node validation for mailbox transport
From: Cristian Marussi <cristian.marussi@xxxxxxx>
commit 2ab4f4018cb6b8010ca5002c3bdc37783b5d28c2 upstream.
When mailboxes are used as a transport it is possible to setup the SCMI
transport layer, depending on the underlying channels configuration, to use
one or two mailboxes, associated, respectively, to one or two, distinct,
shared memory areas: any other combination should be treated as invalid.
Add more strict checking of SCMI mailbox transport device node descriptors.
Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type")
Cc: <stable@xxxxxxxxxxxxxxx> # 4.19
Signed-off-by: Cristian Marussi <cristian.marussi@xxxxxxx>
Link: https://lore.kernel.org/r/20230307162324.891866-1-cristian.marussi@xxxxxxx
Signed-off-by: Sudeep Holla <sudeep.holla@xxxxxxx>
[Cristian: backported to v5.4]
Signed-off-by: Cristian Marussi <cristian.marussi@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/firmware/arm_scmi/driver.c | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@@ -737,6 +737,39 @@ static int scmi_mailbox_check(struct dev
idx, NULL);
}
+static int scmi_mailbox_chan_validate(struct device *cdev)
+{
+ int num_mb, num_sh, ret = 0;
+ struct device_node *np = cdev->of_node;
+
+ num_mb = of_count_phandle_with_args(np, "mboxes", "#mbox-cells");
+ num_sh = of_count_phandle_with_args(np, "shmem", NULL);
+ /* Bail out if mboxes and shmem descriptors are inconsistent */
+ if (num_mb <= 0 || num_sh > 2 || num_mb != num_sh) {
+ dev_warn(cdev, "Invalid channel descriptor for '%s'\n",
+ of_node_full_name(np));
+ return -EINVAL;
+ }
+
+ if (num_sh > 1) {
+ struct device_node *np_tx, *np_rx;
+
+ np_tx = of_parse_phandle(np, "shmem", 0);
+ np_rx = of_parse_phandle(np, "shmem", 1);
+ /* SCMI Tx and Rx shared mem areas have to be distinct */
+ if (!np_tx || !np_rx || np_tx == np_rx) {
+ dev_warn(cdev, "Invalid shmem descriptor for '%s'\n",
+ of_node_full_name(np));
+ ret = -EINVAL;
+ }
+
+ of_node_put(np_tx);
+ of_node_put(np_rx);
+ }
+
+ return ret;
+}
+
static int scmi_mbox_chan_setup(struct scmi_info *info, struct device *dev,
int prot_id, bool tx)
{
@@ -760,6 +793,10 @@ static int scmi_mbox_chan_setup(struct s
goto idr_alloc;
}
+ ret = scmi_mailbox_chan_validate(dev);
+ if (ret)
+ return ret;
+
cinfo = devm_kzalloc(info->dev, sizeof(*cinfo), GFP_KERNEL);
if (!cinfo)
return -ENOMEM;
Patches currently in stable-queue which might be from cristian.marussi@xxxxxxx are
queue-5.4/firmware-arm_scmi-fix-device-node-validation-for-mailbox-transport.patch
