<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/firmware/qcom, branch linux-6.16.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>firmware: qcom: scm: request the waitqueue irq *after* initializing SCM</title>
<updated>2025-09-04T14:55:51+00:00</updated>
<author>
<name>Bartosz Golaszewski</name>
<email>bartosz.golaszewski@linaro.org</email>
</author>
<published>2025-06-30T12:12:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4e06c33aaa5ddcec2c01fed66082053153b19ebd'/>
<id>4e06c33aaa5ddcec2c01fed66082053153b19ebd</id>
<content type='text'>
commit 7ab36b51c6bee56e1a1939063dd10d602fe49d13 upstream.

There's a subtle race in the SCM driver: we assign the __scm pointer
before requesting the waitqueue interrupt. Assigning __scm marks the SCM
API as ready to accept calls. It's possible that a user makes a call
right after we set __scm and the firmware raises an interrupt before the
driver's ready to service it. Move the __scm assignment after we request
the interrupt.

This has the added benefit of allowing us to drop the goto label.

Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Signed-off-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-4-fa3851c98611@linaro.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7ab36b51c6bee56e1a1939063dd10d602fe49d13 upstream.

There's a subtle race in the SCM driver: we assign the __scm pointer
before requesting the waitqueue interrupt. Assigning __scm marks the SCM
API as ready to accept calls. It's possible that a user makes a call
right after we set __scm and the firmware raises an interrupt before the
driver's ready to service it. Move the __scm assignment after we request
the interrupt.

This has the added benefit of allowing us to drop the goto label.

Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Signed-off-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-4-fa3851c98611@linaro.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>firmware: qcom: scm: initialize tzmem before marking SCM as available</title>
<updated>2025-09-04T14:55:51+00:00</updated>
<author>
<name>Bartosz Golaszewski</name>
<email>bartosz.golaszewski@linaro.org</email>
</author>
<published>2025-06-30T12:12:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bcd14791ba62d2eaf85b27dc90ca71a96753639b'/>
<id>bcd14791ba62d2eaf85b27dc90ca71a96753639b</id>
<content type='text'>
commit 87be3e7a2d0030cda6314d2ec96b37991f636ccd upstream.

Now that qcom_scm_shm_bridge_enable() uses the struct device passed to
it as argument to make the QCOM_SCM_MP_SHM_BRIDGE_ENABLE SCM call, we
can move the TZMem initialization before the assignment of the __scm
pointer in the SCM driver (which marks SCM as ready to users) thus
fixing the potential race between consumer calls and the memory pool
initialization.

Reported-by: Johan Hovold &lt;johan+linaro@kernel.org&gt;
Closes: https://lore.kernel.org/all/20250120151000.13870-1-johan+linaro@kernel.org/
Signed-off-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-3-fa3851c98611@linaro.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 87be3e7a2d0030cda6314d2ec96b37991f636ccd upstream.

Now that qcom_scm_shm_bridge_enable() uses the struct device passed to
it as argument to make the QCOM_SCM_MP_SHM_BRIDGE_ENABLE SCM call, we
can move the TZMem initialization before the assignment of the __scm
pointer in the SCM driver (which marks SCM as ready to users) thus
fixing the potential race between consumer calls and the memory pool
initialization.

Reported-by: Johan Hovold &lt;johan+linaro@kernel.org&gt;
Closes: https://lore.kernel.org/all/20250120151000.13870-1-johan+linaro@kernel.org/
Signed-off-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-3-fa3851c98611@linaro.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>firmware: qcom: scm: take struct device as argument in SHM bridge enable</title>
<updated>2025-09-04T14:55:51+00:00</updated>
<author>
<name>Bartosz Golaszewski</name>
<email>bartosz.golaszewski@linaro.org</email>
</author>
<published>2025-06-30T12:12:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6e7c7570cec6a6ba5acd7491920d3036120047e9'/>
<id>6e7c7570cec6a6ba5acd7491920d3036120047e9</id>
<content type='text'>
commit dc3f4e75c54c19bad9a70419afae00ce6baf3ebf upstream.

qcom_scm_shm_bridge_enable() is used early in the SCM initialization
routine. It makes an SCM call and so expects the internal __scm pointer
in the SCM driver to be assigned. For this reason the tzmem memory pool
is allocated *after* this pointer is assigned. However, this can lead to
a crash if another consumer of the SCM API makes a call using the memory
pool between the assignment of the __scm pointer and the initialization
of the tzmem memory pool.

As qcom_scm_shm_bridge_enable() is a special case, not meant to be
called by ordinary users, pull it into the local SCM header. Make it
take struct device as argument. This is the device that will be used to
make the SCM call as opposed to the global __scm pointer. This will
allow us to move the tzmem initialization *before* the __scm assignment
in the core SCM driver.

Signed-off-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-2-fa3851c98611@linaro.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit dc3f4e75c54c19bad9a70419afae00ce6baf3ebf upstream.

qcom_scm_shm_bridge_enable() is used early in the SCM initialization
routine. It makes an SCM call and so expects the internal __scm pointer
in the SCM driver to be assigned. For this reason the tzmem memory pool
is allocated *after* this pointer is assigned. However, this can lead to
a crash if another consumer of the SCM API makes a call using the memory
pool between the assignment of the __scm pointer and the initialization
of the tzmem memory pool.

As qcom_scm_shm_bridge_enable() is a special case, not meant to be
called by ordinary users, pull it into the local SCM header. Make it
take struct device as argument. This is the device that will be used to
make the SCM call as opposed to the global __scm pointer. This will
allow us to move the tzmem initialization *before* the __scm assignment
in the core SCM driver.

Signed-off-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-2-fa3851c98611@linaro.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>firmware: qcom: scm: remove unused arguments from SHM bridge routines</title>
<updated>2025-09-04T14:55:51+00:00</updated>
<author>
<name>Bartosz Golaszewski</name>
<email>bartosz.golaszewski@linaro.org</email>
</author>
<published>2025-06-30T12:12:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=617ad64abf488e898a6b6c73c4ddf42a67385bf7'/>
<id>617ad64abf488e898a6b6c73c4ddf42a67385bf7</id>
<content type='text'>
commit 23972da96e1eee7f10c8ef641d56202ab9af8ba7 upstream.

qcom_scm_shm_bridge_create() and qcom_scm_shm_bridge_delete() take
struct device as argument but don't use it. Remove it from these
functions' prototypes.

Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Signed-off-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-1-fa3851c98611@linaro.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 23972da96e1eee7f10c8ef641d56202ab9af8ba7 upstream.

qcom_scm_shm_bridge_create() and qcom_scm_shm_bridge_delete() take
struct device as argument but don't use it. Remove it from these
functions' prototypes.

Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Signed-off-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Link: https://lore.kernel.org/r/20250630-qcom-scm-race-v2-1-fa3851c98611@linaro.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>docs: firmware: qcom_scm: Fix kernel-doc warning</title>
<updated>2025-05-19T23:04:28+00:00</updated>
<author>
<name>Unnathi Chalicheemala</name>
<email>unnathi.chalicheemala@oss.qualcomm.com</email>
</author>
<published>2025-04-03T20:38:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=936badf282388be78094e55bd5e2c96f86635e48'/>
<id>936badf282388be78094e55bd5e2c96f86635e48</id>
<content type='text'>
Add description for members of qcom_scm_desc struct to avoid:

drivers/firmware/qcom/qcom_scm.h:56: warning: Function parameter or struct
member 'svc' not described in 'qcom_scm_desc'

drivers/firmware/qcom/qcom_scm.h:56: warning: Function parameter or struct
member 'cmd' not described in 'qcom_scm_desc'

drivers/firmware/qcom/qcom_scm.h:56: warning: Function parameter or struct
member 'owner' not described in 'qcom_scm_desc'

Signed-off-by: Unnathi Chalicheemala &lt;unnathi.chalicheemala@oss.qualcomm.com&gt;
Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Link: https://lore.kernel.org/r/20250403-fix_scm_doc_warn-v1-1-9cd36345db77@oss.qualcomm.com
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Add description for members of qcom_scm_desc struct to avoid:

drivers/firmware/qcom/qcom_scm.h:56: warning: Function parameter or struct
member 'svc' not described in 'qcom_scm_desc'

drivers/firmware/qcom/qcom_scm.h:56: warning: Function parameter or struct
member 'cmd' not described in 'qcom_scm_desc'

drivers/firmware/qcom/qcom_scm.h:56: warning: Function parameter or struct
member 'owner' not described in 'qcom_scm_desc'

Signed-off-by: Unnathi Chalicheemala &lt;unnathi.chalicheemala@oss.qualcomm.com&gt;
Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Link: https://lore.kernel.org/r/20250403-fix_scm_doc_warn-v1-1-9cd36345db77@oss.qualcomm.com
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>firmware: qcom: scm: Allow QSEECOM for HP EliteBook Ultra G1q</title>
<updated>2025-05-14T20:52:59+00:00</updated>
<author>
<name>Juerg Haefliger</name>
<email>juerg.haefliger@canonical.com</email>
</author>
<published>2025-04-29T14:49:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eb47bca4cc8ab06bd25385c87406e0f27ebdbf07'/>
<id>eb47bca4cc8ab06bd25385c87406e0f27ebdbf07</id>
<content type='text'>
This is required to get access to efivars and uefi boot loader support.

Signed-off-by: Juerg Haefliger &lt;juerg.haefliger@canonical.com&gt;
Link: https://lore.kernel.org/r/20250429144957.2088284-5-juerg.haefliger@canonical.com
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is required to get access to efivars and uefi boot loader support.

Signed-off-by: Juerg Haefliger &lt;juerg.haefliger@canonical.com&gt;
Link: https://lore.kernel.org/r/20250429144957.2088284-5-juerg.haefliger@canonical.com
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>firmware: qcom: tzmem: disable sm7150 platform</title>
<updated>2025-05-09T22:12:55+00:00</updated>
<author>
<name>Danila Tikhonov</name>
<email>danila@jiaxyga.com</email>
</author>
<published>2025-04-22T21:31:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=db3de3ff2611fd1da2267a5a92ee86b463e555f6'/>
<id>db3de3ff2611fd1da2267a5a92ee86b463e555f6</id>
<content type='text'>
The SHM bridge makes the SM7150 devices reset while probing the RMTFS
(in qcom_scm_assign_mem()). Blacklist the SHM Bridge on corresponding
platforms using SoC-level compat string.

Signed-off-by: Danila Tikhonov &lt;danila@jiaxyga.com&gt;
Reviewed-by: Dmitry Baryshkov &lt;dmitry.baryshkov@oss.qualcomm.com&gt;
Link: https://lore.kernel.org/r/20250422213137.80366-13-danila@jiaxyga.com
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The SHM bridge makes the SM7150 devices reset while probing the RMTFS
(in qcom_scm_assign_mem()). Blacklist the SHM Bridge on corresponding
platforms using SoC-level compat string.

Signed-off-by: Danila Tikhonov &lt;danila@jiaxyga.com&gt;
Reviewed-by: Dmitry Baryshkov &lt;dmitry.baryshkov@oss.qualcomm.com&gt;
Link: https://lore.kernel.org/r/20250422213137.80366-13-danila@jiaxyga.com
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>firmware: qcom: scm: Allow QSEECOM on Asus Zenbook A14</title>
<updated>2025-05-06T20:14:26+00:00</updated>
<author>
<name>Aleksandrs Vinarskis</name>
<email>alex.vinarskis@gmail.com</email>
</author>
<published>2025-04-26T12:57:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=56c8edc6eeaa16f777b1c030aad12e2e8da92104'/>
<id>56c8edc6eeaa16f777b1c030aad12e2e8da92104</id>
<content type='text'>
Allow particular machine accessing eg. efivars.

Signed-off-by: Aleksandrs Vinarskis &lt;alex.vinarskis@gmail.com&gt;
Link: https://lore.kernel.org/r/20250426130203.37659-4-alex.vinarskis@gmail.com
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Allow particular machine accessing eg. efivars.

Signed-off-by: Aleksandrs Vinarskis &lt;alex.vinarskis@gmail.com&gt;
Link: https://lore.kernel.org/r/20250426130203.37659-4-alex.vinarskis@gmail.com
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>firmware: qcom: uefisecapp: fix efivars registration race</title>
<updated>2025-02-08T17:38:03+00:00</updated>
<author>
<name>Johan Hovold</name>
<email>johan+linaro@kernel.org</email>
</author>
<published>2025-01-20T15:10:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=da8d493a80993972c427002684d0742560f3be4a'/>
<id>da8d493a80993972c427002684d0742560f3be4a</id>
<content type='text'>
Since the conversion to using the TZ allocator, the efivars service is
registered before the memory pool has been allocated, something which
can lead to a NULL-pointer dereference in case of a racing EFI variable
access.

Make sure that all resources have been set up before registering the
efivars.

Fixes: 6612103ec35a ("firmware: qcom: qseecom: convert to using the TZ allocator")
Cc: stable@vger.kernel.org	# 6.11
Cc: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Signed-off-by: Johan Hovold &lt;johan+linaro@kernel.org&gt;
Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Reviewed-by: Maximilian Luz &lt;luzmaximilian@gmail.com&gt;
Reviewed-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Link: https://lore.kernel.org/r/20250120151000.13870-1-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Since the conversion to using the TZ allocator, the efivars service is
registered before the memory pool has been allocated, something which
can lead to a NULL-pointer dereference in case of a racing EFI variable
access.

Make sure that all resources have been set up before registering the
efivars.

Fixes: 6612103ec35a ("firmware: qcom: qseecom: convert to using the TZ allocator")
Cc: stable@vger.kernel.org	# 6.11
Cc: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Signed-off-by: Johan Hovold &lt;johan+linaro@kernel.org&gt;
Reviewed-by: Konrad Dybcio &lt;konrad.dybcio@oss.qualcomm.com&gt;
Reviewed-by: Maximilian Luz &lt;luzmaximilian@gmail.com&gt;
Reviewed-by: Bartosz Golaszewski &lt;bartosz.golaszewski@linaro.org&gt;
Link: https://lore.kernel.org/r/20250120151000.13870-1-johan+linaro@kernel.org
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>firmware: qcom: scm: Fix error code in probe()</title>
<updated>2025-02-05T03:16:02+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@linaro.org</email>
</author>
<published>2025-01-15T06:52:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7f048b202333b967782a98aa21bb3354dc379bbf'/>
<id>7f048b202333b967782a98aa21bb3354dc379bbf</id>
<content type='text'>
Set the error code if devm_qcom_tzmem_pool_new() fails.  Don't return
success.

Fixes: 1e76b546e6fc ("firmware: qcom: scm: Cleanup global '__scm' on probe failures")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Krzysztof Kozlowski &lt;krzysztof.kozlowski@linaro.org&gt;
Link: https://lore.kernel.org/r/a0845467-4f83-4070-ab1e-ff7e6764609f@stanley.mountain
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Set the error code if devm_qcom_tzmem_pool_new() fails.  Don't return
success.

Fixes: 1e76b546e6fc ("firmware: qcom: scm: Cleanup global '__scm' on probe failures")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@linaro.org&gt;
Reviewed-by: Krzysztof Kozlowski &lt;krzysztof.kozlowski@linaro.org&gt;
Link: https://lore.kernel.org/r/a0845467-4f83-4070-ab1e-ff7e6764609f@stanley.mountain
Signed-off-by: Bjorn Andersson &lt;andersson@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
