From patchwork Wed Mar 25 22:00:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leonard Crestez X-Patchwork-Id: 11458751 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A327017EA for ; Wed, 25 Mar 2020 22:00:16 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 80B5F20737 for ; Wed, 25 Mar 2020 22:00:16 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="c/EOOvpP" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 80B5F20737 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=nxp.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Owner; bh=2VcMRoNBZuSk9bHHmY1QndvoYxYTlOx7I1WhVtwY8Jk=; b=c/E OOvpP5obI4gYtJWdLnxXnWeh9ZD/kJ+xyXV4h2MKrF7QMpsdAkAn4To7d6Tu9lKFG1M02BoLy1dvd 5gpgpYdEwCHzJGzsL6ZFwTSfBSwsuBrsE86lbF1dE2jTTipoXTg4XH37OjifhoafqWU5hMXkRx0nZ jiMVYu4PxgBfhByJ6c6eQh7GUjjfenijZ3t/3OP6jg530I/rQVJHfneC8UIfIHweNN4/9DeikYnfo 1tKR+9IZktyz+XFrnBvr5myRayOXf3DVHcSr2O0cEmBKGE7ltR2SljmWjk9W+EtkJwSUbfgPo1RRO 5OpYoUnQDS8PEwdHyUcCMPdOgeGxuTg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1jHE4K-0008BQ-AI; Wed, 25 Mar 2020 22:00:12 +0000 Received: from inva020.nxp.com ([92.121.34.13]) by bombadil.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1jHE4H-0007tP-5h for linux-arm-kernel@lists.infradead.org; Wed, 25 Mar 2020 22:00:10 +0000 Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 51C031A06C4; Wed, 25 Mar 2020 23:00:07 +0100 (CET) Received: from inva024.eu-rdc02.nxp.com (inva024.eu-rdc02.nxp.com [134.27.226.22]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 451F81A06DE; Wed, 25 Mar 2020 23:00:07 +0100 (CET) Received: from fsr-ub1864-112.ea.freescale.net (fsr-ub1864-112.ea.freescale.net [10.171.82.98]) by inva024.eu-rdc02.nxp.com (Postfix) with ESMTP id DB23220564; Wed, 25 Mar 2020 23:00:06 +0100 (CET) From: Leonard Crestez To: Shawn Guo Subject: [PATCH v2] firmware: imx: scu: Fix corruption of header Date: Thu, 26 Mar 2020 00:00:05 +0200 Message-Id: X-Mailer: git-send-email 2.17.1 X-Virus-Scanned: ClamAV using ClamSMTP X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200325_150009_372555_54201EC5 X-CRM114-Status: GOOD ( 13.44 ) X-Spam-Score: -2.3 (--) X-Spam-Report: SpamAssassin version 3.4.4 on bombadil.infradead.org summary: Content analysis details: (-2.3 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [92.121.34.13 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Dong Aisheng , Peng Fan , Franck LENORMAND , Oleksij Rempel , linux-imx@nxp.com, kernel@pengutronix.de, Fabio Estevam , linux-arm-kernel@lists.infradead.org MIME-Version: 1.0 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org From: Franck LENORMAND The header of the message to send can be changed if the response is longer than the request: - 1st word, the header is sent - the remaining words of the message are sent - the response is received asynchronously during the execution of the loop, changing the size field in the header - the for loop test the termination condition using the corrupted header It is the case for the API build_info which has just a header as request but 3 words in response. This issue is fixed storing the header locally instead of using a pointer on it. Fixes: edbee095fafb (firmware: imx: add SCU firmware driver support) Signed-off-by: Franck LENORMAND Reviewed-by: Leonard Crestez Signed-off-by: Leonard Crestez Cc: stable@vger.kernel.org Reviewed-by: Dong Aisheng --- Changes since v1: * Add my signed-off-by as requested: Link to v1: https://patchwork.kernel.org/patch/11394401/ There is another longer series attempting a fix but that probably won't make it into stable: https://patchwork.kernel.org/cover/11446661/ That series implements a different imx mailbox type but still maintains the old path for DT compatibility so this fix is worth including. It fixes real boot hangs. drivers/firmware/imx/imx-scu.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/firmware/imx/imx-scu.c b/drivers/firmware/imx/imx-scu.c index f71eaa5bf52d..7119228a8059 100644 --- a/drivers/firmware/imx/imx-scu.c +++ b/drivers/firmware/imx/imx-scu.c @@ -141,24 +141,24 @@ static void imx_scu_rx_callback(struct mbox_client *c, void *msg) complete(&sc_ipc->done); } static int imx_scu_ipc_write(struct imx_sc_ipc *sc_ipc, void *msg) { - struct imx_sc_rpc_msg *hdr = msg; + struct imx_sc_rpc_msg hdr = *(struct imx_sc_rpc_msg *)msg; struct imx_sc_chan *sc_chan; u32 *data = msg; int ret; int i; /* Check size */ - if (hdr->size > IMX_SC_RPC_MAX_MSG) + if (hdr.size > IMX_SC_RPC_MAX_MSG) return -EINVAL; - dev_dbg(sc_ipc->dev, "RPC SVC %u FUNC %u SIZE %u\n", hdr->svc, - hdr->func, hdr->size); + dev_dbg(sc_ipc->dev, "RPC SVC %u FUNC %u SIZE %u\n", hdr.svc, + hdr.func, hdr.size); - for (i = 0; i < hdr->size; i++) { + for (i = 0; i < hdr.size; i++) { sc_chan = &sc_ipc->chans[i % 4]; /* * SCU requires that all messages words are written * sequentially but linux MU driver implements multiple