diff mbox series

firmware: arm_scmi: Relax CLOCK_DESCRIBE_RATES out-of-spec checks

Message ID 20220616170347.2800771-1-cristian.marussi@arm.com (mailing list archive)
State New, archived
Headers show
Series firmware: arm_scmi: Relax CLOCK_DESCRIBE_RATES out-of-spec checks | expand

Commit Message

Cristian Marussi June 16, 2022, 5:03 p.m. UTC 
A reply to CLOCK_DESCRIBE_RATES issued against a non rate-discrete clock
should be composed of a triplet of rates descriptors (min/max/step)
returned all in one reply message.

This is not always the case when dealing with some SCMI server deployed in
the wild: relax such constraint while maintaining memory safety by checking
carefully the returned payload size.

While at that cleanup a stale debug printout.

Fixes: 7bc7caafe6b1 ("firmware: arm_scmi: Use common iterators in the clock protocol")
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
---
 drivers/firmware/arm_scmi/clock.c     | 26 +++++++++++++++++++++++++-
 drivers/firmware/arm_scmi/driver.c    |  1 +
 drivers/firmware/arm_scmi/protocols.h |  3 +++
 3 files changed, 29 insertions(+), 1 deletion(-)

Comments

Robin Murphy June 16, 2022, 6:02 p.m. UTC | #1 
On 2022-06-16 18:03, Cristian Marussi wrote:
> A reply to CLOCK_DESCRIBE_RATES issued against a non rate-discrete clock
> should be composed of a triplet of rates descriptors (min/max/step)
> returned all in one reply message.
> 
> This is not always the case when dealing with some SCMI server deployed in
> the wild: relax such constraint while maintaining memory safety by checking
> carefully the returned payload size.
> 
> While at that cleanup a stale debug printout.

I know we're testing on the same platform so it's of limited value, but 
for the record this does indeed make my display work again, so FWIW:

Tested-by: Robin Murphy <robin.murphy@arm.com>

Thanks for the quick turnaround!
Robin.

> Fixes: 7bc7caafe6b1 ("firmware: arm_scmi: Use common iterators in the clock protocol")
> Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
> ---
>   drivers/firmware/arm_scmi/clock.c     | 26 +++++++++++++++++++++++++-
>   drivers/firmware/arm_scmi/driver.c    |  1 +
>   drivers/firmware/arm_scmi/protocols.h |  3 +++
>   3 files changed, 29 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c
> index c7a83f6e38e5..3ed7ae0d6781 100644
> --- a/drivers/firmware/arm_scmi/clock.c
> +++ b/drivers/firmware/arm_scmi/clock.c
> @@ -194,6 +194,7 @@ static int rate_cmp_func(const void *_r1, const void *_r2)
>   }
>   
>   struct scmi_clk_ipriv {
> +	struct device *dev;
>   	u32 clk_id;
>   	struct scmi_clock_info *clk;
>   };
> @@ -223,6 +224,29 @@ iter_clk_describe_update_state(struct scmi_iterator_state *st,
>   	st->num_returned = NUM_RETURNED(flags);
>   	p->clk->rate_discrete = RATE_DISCRETE(flags);
>   
> +	/* Warn about out of spec replies ... */
> +	if (!p->clk->rate_discrete &&
> +	    (st->num_returned != 3 || st->num_remaining != 0)) {
> +		dev_warn(p->dev,
> +			 "Out-of-spec CLOCK_DESCRIBE_RATES reply for %s - returned:%d remaining:%d rx_len:%zd\n",
> +			 p->clk->name, st->num_returned, st->num_remaining,
> +			 st->rx_len);
> +
> +		/*
> +		 * A known quirk: a triplet is returned but num_returned != 3
> +		 * Check for a safe payload size and fix.
> +		 */
> +		if (st->num_returned != 3 && st->num_remaining == 0 &&
> +		    st->rx_len == sizeof(*r) + sizeof(__le32) * 2 * 3) {
> +			st->num_returned = 3;
> +			st->num_remaining = 0;
> +		} else {
> +			dev_err(p->dev,
> +				"Cannot fix out-of-spec reply !\n");
> +			return -EPROTO;
> +		}
> +	}
> +
>   	return 0;
>   }
>   
> @@ -255,7 +279,6 @@ iter_clk_describe_process_response(const struct scmi_protocol_handle *ph,
>   
>   		*rate = RATE_TO_U64(r->rate[st->loop_idx]);
>   		p->clk->list.num_rates++;
> -		//XXX dev_dbg(ph->dev, "Rate %llu Hz\n", *rate);
>   	}
>   
>   	return ret;
> @@ -275,6 +298,7 @@ scmi_clock_describe_rates_get(const struct scmi_protocol_handle *ph, u32 clk_id,
>   	struct scmi_clk_ipriv cpriv = {
>   		.clk_id = clk_id,
>   		.clk = clk,
> +		.dev = ph->dev,
>   	};
>   
>   	iter = ph->hops->iter_response_init(ph, &ops, SCMI_MAX_NUM_RATES,
> diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
> index c1922bd650ae..8b7ac6663d57 100644
> --- a/drivers/firmware/arm_scmi/driver.c
> +++ b/drivers/firmware/arm_scmi/driver.c
> @@ -1223,6 +1223,7 @@ static int scmi_iterator_run(void *iter)
>   		if (ret)
>   			break;
>   
> +		st->rx_len = i->t->rx.len;
>   		ret = iops->update_state(st, i->resp, i->priv);
>   		if (ret)
>   			break;
> diff --git a/drivers/firmware/arm_scmi/protocols.h b/drivers/firmware/arm_scmi/protocols.h
> index c679f3fb8718..51c31379f9b3 100644
> --- a/drivers/firmware/arm_scmi/protocols.h
> +++ b/drivers/firmware/arm_scmi/protocols.h
> @@ -179,6 +179,8 @@ struct scmi_protocol_handle {
>    * @max_resources: Maximum acceptable number of items, configured by the caller
>    *		   depending on the underlying resources that it is querying.
>    * @loop_idx: The iterator loop index in the current multi-part reply.
> + * @rx_len: Size in bytes of the currenly processed message; it can be used by
> + *	    the user of the iterator to verify a reply size.
>    * @priv: Optional pointer to some additional state-related private data setup
>    *	  by the caller during the iterations.
>    */
> @@ -188,6 +190,7 @@ struct scmi_iterator_state {
>   	unsigned int num_remaining;
>   	unsigned int max_resources;
>   	unsigned int loop_idx;
> +	size_t rx_len;
>   	void *priv;
>   };
>
Cristian Marussi June 17, 2022, 11:12 a.m. UTC | #2 
On Thu, Jun 16, 2022 at 07:02:49PM +0100, Robin Murphy wrote:
> On 2022-06-16 18:03, Cristian Marussi wrote:
> > A reply to CLOCK_DESCRIBE_RATES issued against a non rate-discrete clock
> > should be composed of a triplet of rates descriptors (min/max/step)
> > returned all in one reply message.
> > 
> > This is not always the case when dealing with some SCMI server deployed in
> > the wild: relax such constraint while maintaining memory safety by checking
> > carefully the returned payload size.
> > 
> > While at that cleanup a stale debug printout.
> 
> I know we're testing on the same platform so it's of limited value, but for
> the record this does indeed make my display work again, so FWIW:
> 
> Tested-by: Robin Murphy <robin.murphy@arm.com>
> 
> Thanks for the quick turnaround!
> Robin.
> 

Thanks Robin.

Testing is never enough :P

Thanks,
Cristian

> > Fixes: 7bc7caafe6b1 ("firmware: arm_scmi: Use common iterators in the clock protocol")
> > Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
> > ---
> >   drivers/firmware/arm_scmi/clock.c     | 26 +++++++++++++++++++++++++-
> >   drivers/firmware/arm_scmi/driver.c    |  1 +
> >   drivers/firmware/arm_scmi/protocols.h |  3 +++
> >   3 files changed, 29 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c
> > index c7a83f6e38e5..3ed7ae0d6781 100644
> > --- a/drivers/firmware/arm_scmi/clock.c
> > +++ b/drivers/firmware/arm_scmi/clock.c
> > @@ -194,6 +194,7 @@ static int rate_cmp_func(const void *_r1, const void *_r2)
> >   }
> >   struct scmi_clk_ipriv {
> > +	struct device *dev;
> >   	u32 clk_id;
> >   	struct scmi_clock_info *clk;
> >   };
> > @@ -223,6 +224,29 @@ iter_clk_describe_update_state(struct scmi_iterator_state *st,
> >   	st->num_returned = NUM_RETURNED(flags);
> >   	p->clk->rate_discrete = RATE_DISCRETE(flags);
> > +	/* Warn about out of spec replies ... */
> > +	if (!p->clk->rate_discrete &&
> > +	    (st->num_returned != 3 || st->num_remaining != 0)) {
> > +		dev_warn(p->dev,
> > +			 "Out-of-spec CLOCK_DESCRIBE_RATES reply for %s - returned:%d remaining:%d rx_len:%zd\n",
> > +			 p->clk->name, st->num_returned, st->num_remaining,
> > +			 st->rx_len);
> > +
> > +		/*
> > +		 * A known quirk: a triplet is returned but num_returned != 3
> > +		 * Check for a safe payload size and fix.
> > +		 */
> > +		if (st->num_returned != 3 && st->num_remaining == 0 &&
> > +		    st->rx_len == sizeof(*r) + sizeof(__le32) * 2 * 3) {
> > +			st->num_returned = 3;
> > +			st->num_remaining = 0;
> > +		} else {
> > +			dev_err(p->dev,
> > +				"Cannot fix out-of-spec reply !\n");
> > +			return -EPROTO;
> > +		}
> > +	}
> > +
> >   	return 0;
> >   }
> > @@ -255,7 +279,6 @@ iter_clk_describe_process_response(const struct scmi_protocol_handle *ph,
> >   		*rate = RATE_TO_U64(r->rate[st->loop_idx]);
> >   		p->clk->list.num_rates++;
> > -		//XXX dev_dbg(ph->dev, "Rate %llu Hz\n", *rate);
> >   	}
> >   	return ret;
> > @@ -275,6 +298,7 @@ scmi_clock_describe_rates_get(const struct scmi_protocol_handle *ph, u32 clk_id,
> >   	struct scmi_clk_ipriv cpriv = {
> >   		.clk_id = clk_id,
> >   		.clk = clk,
> > +		.dev = ph->dev,
> >   	};
> >   	iter = ph->hops->iter_response_init(ph, &ops, SCMI_MAX_NUM_RATES,
> > diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
> > index c1922bd650ae..8b7ac6663d57 100644
> > --- a/drivers/firmware/arm_scmi/driver.c
> > +++ b/drivers/firmware/arm_scmi/driver.c
> > @@ -1223,6 +1223,7 @@ static int scmi_iterator_run(void *iter)
> >   		if (ret)
> >   			break;
> > +		st->rx_len = i->t->rx.len;
> >   		ret = iops->update_state(st, i->resp, i->priv);
> >   		if (ret)
> >   			break;
> > diff --git a/drivers/firmware/arm_scmi/protocols.h b/drivers/firmware/arm_scmi/protocols.h
> > index c679f3fb8718..51c31379f9b3 100644
> > --- a/drivers/firmware/arm_scmi/protocols.h
> > +++ b/drivers/firmware/arm_scmi/protocols.h
> > @@ -179,6 +179,8 @@ struct scmi_protocol_handle {
> >    * @max_resources: Maximum acceptable number of items, configured by the caller
> >    *		   depending on the underlying resources that it is querying.
> >    * @loop_idx: The iterator loop index in the current multi-part reply.
> > + * @rx_len: Size in bytes of the currenly processed message; it can be used by
> > + *	    the user of the iterator to verify a reply size.
> >    * @priv: Optional pointer to some additional state-related private data setup
> >    *	  by the caller during the iterations.
> >    */
> > @@ -188,6 +190,7 @@ struct scmi_iterator_state {
> >   	unsigned int num_remaining;
> >   	unsigned int max_resources;
> >   	unsigned int loop_idx;
> > +	size_t rx_len;
> >   	void *priv;
> >   };
Sudeep Holla June 21, 2022, 7:27 p.m. UTC | #3 
On Thu, 16 Jun 2022 18:03:47 +0100, Cristian Marussi wrote:
> A reply to CLOCK_DESCRIBE_RATES issued against a non rate-discrete clock
> should be composed of a triplet of rates descriptors (min/max/step)
> returned all in one reply message.
> 
> This is not always the case when dealing with some SCMI server deployed in
> the wild: relax such constraint while maintaining memory safety by checking
> carefully the returned payload size.
> 
> [...]

Applied to sudeep.holla/linux (for-next/scmi), thanks!

[1/1] firmware: arm_scmi: Relax CLOCK_DESCRIBE_RATES out-of-spec checks
      https://git.kernel.org/sudeep.holla/c/754f04cac3

--
Regards,
Sudeep
diff mbox series

Patch

diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c
index c7a83f6e38e5..3ed7ae0d6781 100644
--- a/drivers/firmware/arm_scmi/clock.c
+++ b/drivers/firmware/arm_scmi/clock.c
@@ -194,6 +194,7 @@  static int rate_cmp_func(const void *_r1, const void *_r2)
 }
 
 struct scmi_clk_ipriv {
+	struct device *dev;
 	u32 clk_id;
 	struct scmi_clock_info *clk;
 };
@@ -223,6 +224,29 @@  iter_clk_describe_update_state(struct scmi_iterator_state *st,
 	st->num_returned = NUM_RETURNED(flags);
 	p->clk->rate_discrete = RATE_DISCRETE(flags);
 
+	/* Warn about out of spec replies ... */
+	if (!p->clk->rate_discrete &&
+	    (st->num_returned != 3 || st->num_remaining != 0)) {
+		dev_warn(p->dev,
+			 "Out-of-spec CLOCK_DESCRIBE_RATES reply for %s - returned:%d remaining:%d rx_len:%zd\n",
+			 p->clk->name, st->num_returned, st->num_remaining,
+			 st->rx_len);
+
+		/*
+		 * A known quirk: a triplet is returned but num_returned != 3
+		 * Check for a safe payload size and fix.
+		 */
+		if (st->num_returned != 3 && st->num_remaining == 0 &&
+		    st->rx_len == sizeof(*r) + sizeof(__le32) * 2 * 3) {
+			st->num_returned = 3;
+			st->num_remaining = 0;
+		} else {
+			dev_err(p->dev,
+				"Cannot fix out-of-spec reply !\n");
+			return -EPROTO;
+		}
+	}
+
 	return 0;
 }
 
@@ -255,7 +279,6 @@  iter_clk_describe_process_response(const struct scmi_protocol_handle *ph,
 
 		*rate = RATE_TO_U64(r->rate[st->loop_idx]);
 		p->clk->list.num_rates++;
-		//XXX dev_dbg(ph->dev, "Rate %llu Hz\n", *rate);
 	}
 
 	return ret;
@@ -275,6 +298,7 @@  scmi_clock_describe_rates_get(const struct scmi_protocol_handle *ph, u32 clk_id,
 	struct scmi_clk_ipriv cpriv = {
 		.clk_id = clk_id,
 		.clk = clk,
+		.dev = ph->dev,
 	};
 
 	iter = ph->hops->iter_response_init(ph, &ops, SCMI_MAX_NUM_RATES,
diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
index c1922bd650ae..8b7ac6663d57 100644
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@@ -1223,6 +1223,7 @@  static int scmi_iterator_run(void *iter)
 		if (ret)
 			break;
 
+		st->rx_len = i->t->rx.len;
 		ret = iops->update_state(st, i->resp, i->priv);
 		if (ret)
 			break;
diff --git a/drivers/firmware/arm_scmi/protocols.h b/drivers/firmware/arm_scmi/protocols.h
index c679f3fb8718..51c31379f9b3 100644
--- a/drivers/firmware/arm_scmi/protocols.h
+++ b/drivers/firmware/arm_scmi/protocols.h
@@ -179,6 +179,8 @@  struct scmi_protocol_handle {
  * @max_resources: Maximum acceptable number of items, configured by the caller
  *		   depending on the underlying resources that it is querying.
  * @loop_idx: The iterator loop index in the current multi-part reply.
+ * @rx_len: Size in bytes of the currenly processed message; it can be used by
+ *	    the user of the iterator to verify a reply size.
  * @priv: Optional pointer to some additional state-related private data setup
  *	  by the caller during the iterations.
  */
@@ -188,6 +190,7 @@  struct scmi_iterator_state {
 	unsigned int num_remaining;
 	unsigned int max_resources;
 	unsigned int loop_idx;
+	size_t rx_len;
 	void *priv;
 };