CVE-2023-52608

Severity (CVSS v4.0): Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 13/03/2024
Last modified: 25/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Check mailbox/SMT channel for consistency

On reception of a completion interrupt the shared memory area is accessed to retrieve the message header at first and then, if the message sequence number identifies a transaction which is still pending, the related payload is fetched too.

When an SCMI command times out the channel ownership remains with the platform until eventually a late reply is received and, as a consequence, any further transmission attempt remains pending, waiting for the channel to be relinquished by the platform.

Once that late reply is received the channel ownership is given back to the agent and any pending request is then allowed to proceed and overwrite the SMT area of the just delivered late reply; then the wait for the reply to the new request starts.

It has been observed that the spurious IRQ related to the late reply can be wrongly associated with the freshly enqueued request: when that happens the SCMI stack in-flight lookup procedure is fooled by the fact that the message header now present in the SMT area is related to the new pending transaction, even though the real reply has still to arrive.

This race-condition on the A2P channel can be detected by looking at the channel status bits: a genuine reply from the platform will have set the channel free bit before triggering the completion IRQ.

Add a consistency check to validate such condition in the A2P ISR.
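The following simulation is an added example, not code from the Linux kernel or from the fix this record describes. It models the sequence in the description (request 7 times out, its late reply lands, request 8 overwrites the SMT area before the late reply's IRQ is serviced) and runs the A2P ISR once without and once with the channel-free consistency check. The SMT layout, the field names, the sequence-number mask and the `SMT_CHANNEL_FREE` bit are simplified assumptions for this example and do not match the real transport definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of an SCMI shared-memory transport (SMT) area.
 * Field names, the sequence mask and the status bit are assumptions. */
#define SMT_CHANNEL_FREE 0x1u     /* set by the platform when it relinquishes the channel */
#define SMT_MSG_SEQ_MASK 0x3ffu   /* assumed: low header bits carry the sequence number */

struct smt_area {
    uint32_t channel_status;
    uint32_t msg_header;
};

#define MAX_INFLIGHT 4

struct inflight {
    bool pending;
    bool completed;
    uint32_t seq;
};

struct agent {
    struct smt_area *shmem;
    struct inflight xfers[MAX_INFLIGHT];
};

/* Find the still-pending transfer whose sequence number matches the header. */
static struct inflight *lookup_inflight(struct agent *a, uint32_t seq)
{
    for (int i = 0; i < MAX_INFLIGHT; i++)
        if (a->xfers[i].pending && a->xfers[i].seq == seq)
            return &a->xfers[i];
    return NULL;
}

/* Agent-side transmit: allowed only once the platform has freed the channel.
 * Writing the new header overwrites whatever late reply was sitting there. */
static bool agent_send(struct agent *a, uint32_t seq)
{
    if (!(a->shmem->channel_status & SMT_CHANNEL_FREE))
        return false;                                   /* platform still owns the channel */
    for (int i = 0; i < MAX_INFLIGHT; i++) {
        if (a->xfers[i].pending)
            continue;
        a->xfers[i] = (struct inflight){ .pending = true, .seq = seq };
        a->shmem->msg_header = seq & SMT_MSG_SEQ_MASK;
        a->shmem->channel_status &= ~SMT_CHANNEL_FREE;  /* ownership passes to the platform */
        return true;
    }
    return false;
}

/* Platform-side reply: header written, then channel marked free, then (in
 * hardware) the completion IRQ fires; here the caller invokes a2p_isr(). */
static void platform_reply(struct smt_area *shm, uint32_t seq)
{
    shm->msg_header = seq & SMT_MSG_SEQ_MASK;
    shm->channel_status |= SMT_CHANNEL_FREE;
}

/* Simulated A2P completion ISR. Returns 1 if it completed an in-flight
 * transfer, 0 if no pending transfer matched the header, -1 if the
 * consistency check rejected the IRQ because the channel was not free. */
static int a2p_isr(struct agent *a, bool consistency_check)
{
    struct smt_area *shm = a->shmem;

    /* A genuine reply sets the channel-free bit before raising the IRQ, so an
     * IRQ seen while the platform still owns the channel cannot belong to the
     * message whose header is currently in the SMT area. */
    if (consistency_check && !(shm->channel_status & SMT_CHANNEL_FREE))
        return -1;

    struct inflight *x = lookup_inflight(a, shm->msg_header & SMT_MSG_SEQ_MASK);
    if (!x)
        return 0;
    x->completed = true;
    x->pending = false;
    return 1;
}

struct race_result {
    int stale_irq;    /* outcome of servicing the late reply's IRQ */
    int genuine_irq;  /* outcome of servicing the real reply's IRQ */
};

/* Replay of the advisory's sequence: request 7 has timed out and was dropped
 * from the in-flight table; the platform still owns the channel. */
struct race_result simulate_late_reply(bool consistency_check)
{
    struct smt_area shm = { .channel_status = 0 };
    struct agent a = { .shmem = &shm };
    struct race_result r = { 0, 0 };

    platform_reply(&shm, 7);                         /* late reply for request 7 */
    if (!agent_send(&a, 8))                          /* request 8 overwrites the header */
        return r;
    r.stale_irq = a2p_isr(&a, consistency_check);    /* reply 7's IRQ serviced only now */

    platform_reply(&shm, 8);                         /* the genuine reply to request 8 */
    r.genuine_irq = a2p_isr(&a, consistency_check);
    return r;
}

int main(void)
{
    struct race_result v = simulate_late_reply(false), f = simulate_late_reply(true);
    printf("without check: stale IRQ -> %d, genuine IRQ -> %d\n", v.stale_irq, v.genuine_irq);
    printf("with check:    stale IRQ -> %d, genuine IRQ -> %d\n", f.stale_irq, f.genuine_irq);
    return 0;
}
```

Without the check, the stale IRQ completes request 8 against a header that only looks right, and the real reply arriving afterwards matches nothing. With the check, the stale IRQ is rejected because the platform still owns the channel, and the genuine reply completes request 8 normally.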

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.7 (including) 5.15.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*