git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Geert Uytterhoeven <geert+renesas@glider.be>
	Fri, 8 May 2026 15:32:56 +0000 (16:32 +0100)
committer	Sudeep Holla <sudeep.holla@kernel.org>
	Tue, 12 May 2026 14:29:11 +0000 (15:29 +0100)
commit	ae4a088f13debc1d7bbb6a9b265a31d25b60ddd4
tree	86c92a41814bff19775e7f79a6a4b3c328b3aded	tree \| snapshot
parent	4848d07ea9fc5e4c2239e10b3eb9fe7e647aaa12	commit \| diff

firmware: arm_scmi: Fix bound iterators returning too many items

When using a bound-iterator with an upper bound, commands are sent, and
responses are received, until the upper bound is reached.  However, it
is up to the SCMI provider implementation to decide how many rates are
returned in response to a single CLOCK_DESCRIBE_RATES command.  If the
last response contains rates beyond the specified upper bound, they are
still passed up for further processing.  This may lead to buffer
overflows in unprepared callsites.

While the imprecise bound handling may have been intentional (it was
mentioned in the commit message introducing the code), it is still
confusing for users, and may cause hard to debug crashes.  Fix this by
strictly enforcing the upper bound.

Note that this may cause an increase in the number of
CLOCK_DESCRIBE_RATES commands issued, as retrieving the last rate may no
longer be done inadvertentently, but require its own command.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20260508153300.2224715-12-cristian.marussi@arm.com
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>