firmware: arm_scmi: Relax base protocol sanity checks on the protocol list

Even though malformed replies from firmware must be treated carefully to
avoid memory corruption in the kernel, some out-of-spec SCMI replies can
be tolerated to avoid breaking existing deployed system, as long as they
won't cause memory issues.

Relax the sanity checks on the recieved protocol list in the base protocol
to avoid breaking one of the deployed platform whose firmware is not easily
upgradable currently.

Link: https://lore.kernel.org/r/20220523171559.472112-1-cristian.marussi@arm.com
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Reported-by: NNicolas Frattaroli <frattaroli.nicolas@gmail.com>
Tested-By: NFrank Wunderlich <frank-w@public-files.de>
Acked-by: NMichael Riesch <michael.riesch@wolfvision.net>
Acked-by: NEtienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: NCristian Marussi <cristian.marussi@arm.com>
Signed-off-by: NSudeep Holla <sudeep.holla@arm.com>

drivers/firmware/arm_scmi/base.c

@@ -221,11 +221,17 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph,
 		calc_list_sz = (1 + (loop_num_ret - 1) / sizeof(u32)) *
 				sizeof(u32);
 		if (calc_list_sz != real_list_sz) {
-			dev_err(dev,
-				"Malformed reply - real_sz:%zd  calc_sz:%u\n",
-				real_list_sz, calc_list_sz);
-			ret = -EPROTO;
-			break;
+			dev_warn(dev,
+				 "Malformed reply - real_sz:%zd  calc_sz:%u  (loop_num_ret:%d)\n",
+				 real_list_sz, calc_list_sz, loop_num_ret);
+			/*
+			 * Bail out if the expected list size is bigger than the
+			 * total payload size of the received reply.
+			 */
+			if (calc_list_sz > real_list_sz) {
+				ret = -EPROTO;
+				break;
+			}
 		}
 
 		for (loop = 0; loop < loop_num_ret; loop++)