release/5.2.47/firmware-imx-warn-on-unexpected-RX.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 80db57ba4bb1c836c9cc6d19f430d147d2f0d488 Mon Sep 17 00:00:00 2001
 From: Leonard Crestez <leonard.crestez@nxp.com>
 Date: Wed, 4 Sep 2019 10:54:58 +0300
 Subject: [PATCH] firmware: imx: warn on unexpected RX

 commit cf0fd404455ce13850cc15423a3c2958933de384 upstream.

 The imx_scu_call_rpc function returns the result inside the
 same "msg" struct containing the transmitted message. This is
 implemented by holding a pointer to msg (which is usually on the stack)
 in sc_imx_rpc and writing to it from imx_scu_rx_callback.

 This means that if the have_resp parameter is incorrect or SCU sends an
 unexpected response for any reason the most likely result is kernel stack
 corruption.

 Fix this by only setting sc_imx_rpc.msg for the duration of the
 imx_scu_call_rpc call and warning in imx_scu_rx_callback if unset.

 Print the unexpected response data to help debugging.

 Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
 Acked-by: Anson Huang <Anson.Huang@nxp.com>
 Signed-off-by: Shawn Guo <shawnguo@kernel.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/firmware/imx/imx-scu.c b/drivers/firmware/imx/imx-scu.c
 index 35a5f8f8eea5..6c6ac47d3c64 100644
 --- a/drivers/firmware/imx/imx-scu.c
 +++ b/drivers/firmware/imx/imx-scu.c
 @@ -116,6 +116,12 @@ static void imx_scu_rx_callback(struct mbox_client *c, void *msg)
  	struct imx_sc_rpc_msg *hdr;
  	u32 *data = msg;

 +	if (!sc_ipc->msg) {
 +		dev_warn(sc_ipc->dev, "unexpected rx idx %d 0x%08x, ignore!\n",
 +				sc_chan->idx, *data);
 +		return;
 +	}
 +
  	if (sc_chan->idx == 0) {
  		hdr = msg;
  		sc_ipc->rx_size = hdr->size;
 @@ -187,7 +193,8 @@ int imx_scu_call_rpc(struct imx_sc_ipc *sc_ipc, void *msg, bool have_resp)
  	mutex_lock(&sc_ipc->lock);
  	reinit_completion(&sc_ipc->done);

 -	sc_ipc->msg = msg;
 +	if (have_resp)
 +		sc_ipc->msg = msg;
  	sc_ipc->count = 0;
  	ret = imx_scu_ipc_write(sc_ipc, msg);
  	if (ret < 0) {
 @@ -209,6 +216,7 @@ int imx_scu_call_rpc(struct imx_sc_ipc *sc_ipc, void *msg, bool have_resp)
  	}

  out:
 +	sc_ipc->msg = NULL;
  	mutex_unlock(&sc_ipc->lock);

  	dev_dbg(sc_ipc->dev, "RPC SVC done\n");
 --
 2.27.0
	From 80db57ba4bb1c836c9cc6d19f430d147d2f0d488 Mon Sep 17 00:00:00 2001
	From: Leonard Crestez <leonard.crestez@nxp.com>
	Date: Wed, 4 Sep 2019 10:54:58 +0300
	Subject: [PATCH] firmware: imx: warn on unexpected RX

	commit cf0fd404455ce13850cc15423a3c2958933de384 upstream.

	The imx_scu_call_rpc function returns the result inside the
	same "msg" struct containing the transmitted message. This is
	implemented by holding a pointer to msg (which is usually on the stack)
	in sc_imx_rpc and writing to it from imx_scu_rx_callback.

	This means that if the have_resp parameter is incorrect or SCU sends an
	unexpected response for any reason the most likely result is kernel stack
	corruption.

	Fix this by only setting sc_imx_rpc.msg for the duration of the
	imx_scu_call_rpc call and warning in imx_scu_rx_callback if unset.

	Print the unexpected response data to help debugging.

	Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
	Acked-by: Anson Huang <Anson.Huang@nxp.com>
	Signed-off-by: Shawn Guo <shawnguo@kernel.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/firmware/imx/imx-scu.c b/drivers/firmware/imx/imx-scu.c
	index 35a5f8f8eea5..6c6ac47d3c64 100644
	--- a/drivers/firmware/imx/imx-scu.c
	+++ b/drivers/firmware/imx/imx-scu.c
	@@ -116,6 +116,12 @@ static void imx_scu_rx_callback(struct mbox_client c, void msg)
	struct imx_sc_rpc_msg *hdr;
	u32 *data = msg;

	+ if (!sc_ipc->msg) {
	+ dev_warn(sc_ipc->dev, "unexpected rx idx %d 0x%08x, ignore!\n",
	+ sc_chan->idx, *data);
	+ return;
	+ }
	+
	if (sc_chan->idx == 0) {
	hdr = msg;
	sc_ipc->rx_size = hdr->size;
	@@ -187,7 +193,8 @@ int imx_scu_call_rpc(struct imx_sc_ipc sc_ipc, void msg, bool have_resp)
	mutex_lock(&sc_ipc->lock);
	reinit_completion(&sc_ipc->done);

	- sc_ipc->msg = msg;
	+ if (have_resp)
	+ sc_ipc->msg = msg;
	sc_ipc->count = 0;
	ret = imx_scu_ipc_write(sc_ipc, msg);
	if (ret < 0) {
	@@ -209,6 +216,7 @@ int imx_scu_call_rpc(struct imx_sc_ipc sc_ipc, void msg, bool have_resp)
	}

	out:
	+ sc_ipc->msg = NULL;
	mutex_unlock(&sc_ipc->lock);

	dev_dbg(sc_ipc->dev, "RPC SVC done\n");
	--
	2.27.0