From: Geert Uytterhoeven
Date: Fri, 8 May 2026 15:32:59 +0000 (+0100)
Subject: firmware: arm_scmi: Fix OOB in scmi_clock_describe_rates_get_lazy()
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=4a07036d615976354ac806017f23ea800f1fc489;p=thirdparty%2Fkernel%2Flinux.git

firmware: arm_scmi: Fix OOB in scmi_clock_describe_rates_get_lazy()

Lazy discovery of discrete rates works as follows:
  A. Grab the first three rates,
  B. Grab the last rate, if there are more than three rates.

It is up to the SCMI provider implementation to decide how many rates are returned in response to a single CLOCK_DESCRIBE_RATES command. Each rate received is stored in the scmi_clock_rates.rates[] array, and .num_rates is updated accordingly.

When more than 3 rates have been received after step A, the last rate may have been received already, and stored in scmi_clock_rates.rates[] (which has space for scmi_clock_desc.tot_rates entries). Hence grabbing the last rate again will store it a second time, beyond the end of the array.

Fix this by only grabbing the last rate when we don't already have it.

Signed-off-by: Geert Uytterhoeven
Signed-off-by: Cristian Marussi
Link: https://patch.msgid.link/20260508153300.2224715-15-cristian.marussi@arm.com
Signed-off-by: Sudeep Holla
---
diff --git a/drivers/firmware/arm_scmi/clock.c b/drivers/firmware/arm_scmi/clock.c index 955bb9565ce31..ab8c65ed785af 100644 --- a/drivers/firmware/arm_scmi/clock.c +++ b/drivers/firmware/arm_scmi/clock.c
@@ -582,8 +582,11 @@ scmi_clock_describe_rates_get_lazy(const struct scmi_protocol_handle *ph, if (ret) goto out; - /* If discrete grab the last value, which should be the max */ - if (clkd->rate_discrete && clkd->tot_rates > 3) { + /* + * If discrete and we don't already have it, grab the last value, which + * should be the max + */ + if (clkd->rate_discrete && clkd->tot_rates > clkd->num_rates) { first = clkd->tot_rates - 1; last = clkd->tot_rates - 1; ret = ph->hops->iter_response_run_bound(iter, &first, &last);
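Review bot: The new guard `clkd->tot_rates > clkd->num_rates` only holds as a bounds check if num_rates and tot_rates stay consistent, and both are driven by what the SCMI provider returns (the commit message notes the provider decides how many rates each CLOCK_DESCRIBE_RATES reply carries, and that rates[] is sized for tot_rates entries). The condition skips the second fetch when everything has already arrived, but the write into rates[] is still protected only indirectly. Consider also checking num_rates against tot_rates at the point where a received rate is stored, so that a provider returning more entries than it advertised cannot write past the array regardless of which step triggered the fetch. It would also help to extend the comment to say that when step A returned more than three but fewer than tot_rates rates, the last rate is appended directly after them, so rates[] then holds fewer than tot_rates entries and consumers must use num_rates rather than tot_rates as the valid length.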