firmware: arm_scmi: Fix OOB in scmi_clock_describe_rates_get_lazy()

Lazy discovery of discrete rates works as follows:
  A. Grab the first three rates,
  B. Grab the last rate, if there are more than three rates.

It is up to the SCMI provider implementation to decide how many rates
are returned in response to a single CLOCK_DESCRIBE_RATES command.  Each
rate received is stored in the scmi_clock_rates.rates[] array, and
.num_rates is updated accordingly.

When more than 3 rates have been received after step A, the last rate
may have been received already, and stored in scmi_clock_rates.rates[]
(which has space for scmi_clock_desc.tot_rates entries).  Hence grabbing
the last rate again will store it a second time, beyond the end of the
array.

Fix this by only grabbing the last rate when we don't already have it.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
Link: https://patch.msgid.link/20260508153300.2224715-15-cristian.marussi@arm.com
Signed-off-by: Sudeep Holla <sudeep.holla@kernel.org>

diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c
index 955bb9565ce31d7a12aec2bb5b0e596355f0dc08..ab8c65ed785afef71b0b6038b10b076d4db71e4e 100644 (file)
--- a/drivers/firmware/arm_scmi/clock.c
+++ b/drivers/firmware/arm_scmi/clock.c
@@ -582,8 +582,11 @@ scmi_clock_describe_rates_get_lazy(const struct scmi_protocol_handle *ph,
        if (ret)
                goto out;
 
-       /* If discrete grab the last value, which should be the max */
-       if (clkd->rate_discrete && clkd->tot_rates > 3) {
+       /*
+        * If discrete and we don't already have it, grab the last value, which
+        * should be the max
+        */
+       if (clkd->rate_discrete && clkd->tot_rates > clkd->num_rates) {
                first = clkd->tot_rates - 1;
                last = clkd->tot_rates - 1;
                ret = ph->hops->iter_response_run_bound(iter, &first, &last);