[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <DB3PR0402MB3916932DFC5401F3573F13FDF5B80@DB3PR0402MB3916.eurprd04.prod.outlook.com>
Date: Wed, 4 Sep 2019 07:41:35 +0000
From: Anson Huang <anson.huang@....com>
To: Leonard Crestez <leonard.crestez@....com>,
Aisheng Dong <aisheng.dong@....com>
CC: "shawnguo@...nel.org" <shawnguo@...nel.org>,
"s.hauer@...gutronix.de" <s.hauer@...gutronix.de>,
"kernel@...gutronix.de" <kernel@...gutronix.de>,
"festevam@...il.com" <festevam@...il.com>,
Daniel Baluta <daniel.baluta@....com>,
Abel Vesa <abel.vesa@....com>,
"linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
dl-linux-imx <linux-imx@....com>
Subject: RE: [PATCH] soc: imx: imx-scu: Getting UID from SCU should have
response
Hi, Leonard
> On 2019-09-04 10:14 AM, Anson Huang wrote:
> > The SCU firmware API for getting UID should have response, otherwise,
> > the message stored in function stack could be released and then the
> > response data received from SCU will be stored into that released
> > stack and cause kernel NULL pointer dump.
>
> This fix looks good, but looking at imx-scu code it seems that passing the
> incorrect "have_resp" argument to imx_scu_call_rpc or just receiving an
> unexpected message from SCFW will always result in kernel stack corruption!
>
> This is worth handling inside imx-scu itself: unless a response was explicitly
> requested it should ignore and print a warning on rx, for example by setting
> imx_sc_ipc to NULL when not waiting for a response.
>
> Holding on to arbitrary stack pointers is bad.
We noticed this issue recently during the development of ON/OFF button support,
this UID is lucky, the stack is NOT released when SCU response data is received, but
this fix should be applied.
We talked to Chuck about adding return value for these special APIs, response data
needed but no return value from SCU, so very likely we will need a patch in imx_sc_ipc
driver to enhance/handle that, will do a patch for it later.
Thanks,
Anson
Powered by blists - more mailing lists