From f829935c8d92e5809ded37610d8582ad42a16360 Mon Sep 17 00:00:00 2001
From: Ivan T. Ivanov
Date: Mar 21 2024 07:13:06 +0000
Subject: firmware: arm_scmi: Check mailbox/SMT channel for consistency (bsc#1221375 CVE-2023-52608)
---
diff --git a/patches.suse/firmware-arm_scmi-Check-mailbox-SMT-channel-for-consistency.patch b/patches.suse/firmware-arm_scmi-Check-mailbox-SMT-channel-for-consistency.patch
new file mode 100644
index 0000000..f4ba7f9
--- /dev/null
+++ b/patches.suse/firmware-arm_scmi-Check-mailbox-SMT-channel-for-consistency.patch
@@ -0,0 +1,94 @@
+From: Cristian Marussi
+Date: Wed, 20 Dec 2023 17:21:12 +0000
+Subject: firmware: arm_scmi: Check mailbox/SMT channel for consistency
+Git-commit: 437a310b22244d4e0b78665c3042e5d1c0f45306
+Patch-mainline: v6.8-rc2
+References: bsc#1221375 CVE-2023-52608
+
+On reception of a completion interrupt the shared memory area is accessed
+to retrieve the message header at first and then, if the message sequence
+number identifies a transaction which is still pending, the related
+payload is fetched too.
+
+When an SCMI command times out the channel ownership remains with the
+platform until eventually a late reply is received and, as a consequence,
+any further transmission attempt remains pending, waiting for the channel
+to be relinquished by the platform.
+
+Once that late reply is received the channel ownership is given back
+to the agent and any pending request is then allowed to proceed and
+overwrite the SMT area of the just delivered late reply; then the wait
+for the reply to the new request starts.
+
+It has been observed that the spurious IRQ related to the late reply can
+be wrongly associated with the freshly enqueued request: when that happens
+the SCMI stack in-flight lookup procedure is fooled by the fact that the
+message header now present in the SMT area is related to the new pending
+transaction, even though the real reply has still to arrive.
+
+This race-condition on the A2P channel can be detected by looking at the
+channel status bits: a genuine reply from the platform will have set the
+channel free bit before triggering the completion IRQ.
+
+Add a consistency check to validate such condition in the A2P ISR.
+
+Reported-by: Xinglong Yang
+Closes: https://lore.kernel.org/all/PUZPR06MB54981E6FA00D82BFDBB864FBF08DA@PUZPR06MB5498.apcprd06.prod.outlook.com/
+Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type")
+Cc: stable@vger.kernel.org # 5.15+
+Signed-off-by: Cristian Marussi
+Tested-by: Xinglong Yang
+Link: https://lore.kernel.org/r/20231220172112.763539-1-cristian.marussi@arm.com
+Signed-off-by: Sudeep Holla
+Acked-by: Ivan T. Ivanov
+---
+ drivers/firmware/arm_scmi/common.h | 1 +
+ drivers/firmware/arm_scmi/mailbox.c | 14 ++++++++++++++
+ drivers/firmware/arm_scmi/shmem.c | 6 ++++++
+ 3 files changed, 21 insertions(+)
+
+--- a/drivers/firmware/arm_scmi/common.h
++++ b/drivers/firmware/arm_scmi/common.h
+@@ -351,6 +351,7 @@ void shmem_fetch_notification(struct scm
+ void shmem_clear_channel(struct scmi_shared_mem __iomem *shmem);
+ bool shmem_poll_done(struct scmi_shared_mem __iomem *shmem,
+ struct scmi_xfer *xfer);
++bool shmem_channel_free(struct scmi_shared_mem __iomem *shmem);
+
+ void scmi_notification_instance_data_set(const struct scmi_handle *handle,
+ void *priv);
+--- a/drivers/firmware/arm_scmi/mailbox.c
++++ b/drivers/firmware/arm_scmi/mailbox.c
+@@ -43,6 +43,20 @@ static void rx_callback(struct mbox_clie
+ {
+ struct scmi_mailbox *smbox = client_to_scmi_mailbox(cl);
+
++ /*
++ * An A2P IRQ is NOT valid when received while the platform still has
++ * the ownership of the channel, because the platform at first releases
++ * the SMT channel and then sends the completion interrupt.
++ *
++ * This addresses a possible race condition in which a spurious IRQ from
++ * a previous timed-out reply which arrived late could be wrongly
++ * associated with the next pending transaction.
++ */
++ if (cl->knows_txdone && !shmem_channel_free(smbox->shmem)) {
++ dev_warn(smbox->cinfo->dev, "Ignoring spurious A2P IRQ !\n");
++ return;
++ }
++
+ scmi_rx_callback(smbox->cinfo, shmem_read_header(smbox->shmem));
+ }
+
+--- a/drivers/firmware/arm_scmi/shmem.c
++++ b/drivers/firmware/arm_scmi/shmem.c
+@@ -99,3 +99,9 @@ bool shmem_poll_done(struct scmi_shared_
+ (SCMI_SHMEM_CHAN_STAT_CHANNEL_ERROR |
+ SCMI_SHMEM_CHAN_STAT_CHANNEL_FREE);
+ }
++
++bool shmem_channel_free(struct scmi_shared_mem __iomem *shmem)
++{
++ return (ioread32(&shmem->channel_status) &
++ SCMI_SHMEM_CHAN_STAT_CHANNEL_FREE);
++}
diff --git a/series.conf b/series.conf
index 3e2adbc..550ccd6 100644
--- a/series.conf
+++ b/series.conf
@@ -45326,6 +45326,7 @@
 patches.suse/gpiolib-acpi-Ignore-touchpad-wakeup-on-GPD-G1619-04.patch
 patches.suse/gpio-eic-sprd-Clear-interrupt-after-set-the-interrup.patch
 patches.suse/spi-hisi-sfc-v3xx-Return-IRQ_NONE-if-no-interrupts-w.patch
+ patches.suse/firmware-arm_scmi-Check-mailbox-SMT-channel-for-consistency.patch
 patches.suse/drm-exynos-fix-accidental-on-stack-copy-of-exynos_dr.patch
 patches.suse/drm-exynos-gsc-minor-fix-for-loop-iteration-in-gsc_r.patch
 patches.suse/drm-amdgpu-pm-Fix-the-power-source-flag-error.patch
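Review bot: The `dev_warn()` inside the new guard in rx_callback is emitted once per spurious completion interrupt with no rate limiting, so a platform that keeps signalling completion while still holding channel ownership — exactly the misbehaviour this check defends against — can flood the kernel log from an interrupt-driven path; `dev_warn_ratelimited(smbox->cinfo->dev, "Ignoring spurious A2P IRQ !\n");` keeps the diagnostic visible to operators while bounding its cost. The ordering argument in the new comment (platform sets the channel-free bit before raising the IRQ) is what makes the single `ioread32()` in `shmem_channel_free()` a sufficient test, and it would help a later reader to state in the comment that the check deliberately relies on that platform-side ordering rather than on any locking in the agent. Gating on `cl->knows_txdone` presumably confines the check to A2P channels, but that depends on how the mailbox client is configured outside this hunk and is worth confirming. rx_callback's signature appears only in the hunk header, so the function starts outside the hunk.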