From: Sudeep Holla
Date: Thu, 23 Apr 2026 18:22:51 +0100
Subject: [PATCH 1/8] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
Message-Id: <20260423-ffa_fixes-v1-1-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla

The bus match callback assumes that every FF-A driver provides an id_table and dereferences it unconditionally. Enforce that contract at registration time so a buggy client driver cannot crash the bus during match.

Fixes: e781858488b9 ("firmware: arm_ffa: Add initial FFA bus support for device enumeration")
Signed-off-by: Sudeep Holla
--- drivers/firmware/arm_ffa/bus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/arm_ffa/bus.c b/drivers/firmware/arm_ffa/bus.c index 9576862d89c4..601c3418e0d9 100644 --- a/drivers/firmware/arm_ffa/bus.c +++ b/drivers/firmware/arm_ffa/bus.c @@ -26,6 +26,8 @@ static int ffa_device_match(struct device *dev, const str= uct device_driver *drv) =20 id_table =3D to_ffa_driver(drv)->id_table; ffa_dev =3D to_ffa_dev(dev); + if (!id_table) + return 0; =20 while (!uuid_is_null(&id_table->uuid)) { /*
@@ -123,7 +125,7 @@ int ffa_driver_register(struct ffa_driver *driver, stru= ct module *owner, { int ret; =20 - if (!driver->probe) + if (!driver->probe || !driver->id_table) return -EINVAL; =20 driver->driver.bus =3D &ffa_bus_type; --=20 2.43.0

From: Sudeep Holla
Date: Thu, 23 Apr 2026 18:22:52 +0100
Subject: [PATCH 2/8] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure
Message-Id: <20260423-ffa_fixes-v1-2-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla

If the RX buffer allocation fails in ffa_init(), the error path jumps to free_pages even though no buffer has been allocated yet. Route that case directly to free_drv_info so the cleanup path is only used after at least one RX/TX buffer allocation has succeeded.

Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support")
Signed-off-by: Sudeep Holla
--- drivers/firmware/arm_ffa/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index eb2782848283..e6a051b20cb7 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -2067,7 +2067,7 @@ static int __init ffa_init(void) drv_info->rx_buffer =3D alloc_pages_exact(rxtx_bufsz, GFP_KERNEL); if (!drv_info->rx_buffer) { ret =3D -ENOMEM; - goto free_pages; + goto free_drv_info; } =20 drv_info->tx_buffer =3D alloc_pages_exact(rxtx_bufsz, GFP_KERNEL); --=20 2.43.0

From: Sudeep Holla
Date: Thu, 23 Apr 2026 18:22:53 +0100
Subject: [PATCH 3/8] firmware: arm_ffa: Align RxTx buffer size before mapping
Message-Id: <20260423-ffa_fixes-v1-3-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla, Sebastian Ene

Commit 83210251fd70 ("firmware: arm_ffa: Use the correct buffer size during RXTX_MAP") advertises PAGE_ALIGN(rxtx_bufsz) to firmware when mapping the buffers but the driver continues to store the minimum FF-A buffer size in drv_info->rxtx_bufsz which is used elsewhere in the driver. Align the size before storing it so that the allocation, validation and FFA_RXTX_MAP all use the same buffer size.

Fixes: 83210251fd70 ("firmware: arm_ffa: Use the correct buffer size during RXTX_MAP")
Cc: Sebastian Ene
Link: https://sashiko.dev/#/patchset/20260402113939.930221-1-sebastianene@google.com
Signed-off-by: Sudeep Holla
Reviewed-by: Sebastian Ene
--- drivers/firmware/arm_ffa/driver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index e6a051b20cb7..4dec7ca52f8c 100644 --- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c @@ -2063,6 +2063,7 @@ static int __init ffa_init(void) rxtx_bufsz =3D SZ_4K; } =20 + rxtx_bufsz =3D PAGE_ALIGN(rxtx_bufsz); drv_info->rxtx_bufsz =3D rxtx_bufsz; drv_info->rx_buffer =3D alloc_pages_exact(rxtx_bufsz, GFP_KERNEL); if (!drv_info->rx_buffer) { 
@@ -2078,7 +2079,7 @@ static int __init ffa_init(void) =20 ret =3D ffa_rxtx_map(virt_to_phys(drv_info->tx_buffer), virt_to_phys(drv_info->rx_buffer), - PAGE_ALIGN(rxtx_bufsz) / FFA_PAGE_SIZE); + rxtx_bufsz / FFA_PAGE_SIZE); if (ret) { pr_err("failed to register FFA RxTx buffers\n"); goto free_pages; --=20 2.43.0

From: Sudeep Holla
Date: Thu, 23 Apr 2026 18:22:54 +0100
Subject: [PATCH 4/8] firmware: arm_ffa: Fix Rx buffer release in fwk notification handler
Message-Id: <20260423-ffa_fixes-v1-4-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla

Refactor handle_fwk_notif_callbacks() so that all exit paths funnel through a single FFA_RX_RELEASE call. While doing that, use scoped_guard() for the Rx buffer lock and keep the message parsing under the lock scope. This makes the Rx buffer release explicit for the kmemdup() failure path and for the early exit when the framework notification bit is not set. This will ensure the Rx buffer is always released in the framework notification handler.

Fixes: 285a5ea0f542 ("firmware: arm_ffa: Add support for handling framework notifications")
Signed-off-by: Sudeep Holla
--- drivers/firmware/arm_ffa/driver.c | 31 ++++++++++++++++--------------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 4dec7ca52f8c..764cb1226182 100644 --- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c @@ -1472,25 +1472,21 @@ static void handle_fwk_notif_callbacks(u32 bitmap) =20 /* Only one framework notification defined and supported for now */ if (!(bitmap & FRAMEWORK_NOTIFY_RX_BUFFER_FULL)) - return; + goto release_rx; =20 - mutex_lock(&drv_info->rx_lock); + scoped_guard(mutex, &drv_info->rx_lock) { + msg =3D drv_info->rx_buffer; + buf =3D kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL); + if (!buf) + goto release_rx; =20 - msg =3D drv_info->rx_buffer; - buf =3D kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL); - if (!buf) { - mutex_unlock(&drv_info->rx_lock); - return; + target =3D SENDER_ID(msg->send_recv_id); + if (msg->offset >=3D sizeof(*msg)) + uuid_copy(&uuid, &msg->uuid); + else + uuid_copy(&uuid, &uuid_null); } =20 - target =3D SENDER_ID(msg->send_recv_id); - if (msg->offset >=3D sizeof(*msg)) - uuid_copy(&uuid, &msg->uuid); - else - uuid_copy(&uuid, &uuid_null); - - mutex_unlock(&drv_info->rx_lock); - ffa_rx_release(); =20 read_lock(&drv_info->notify_lock); 
@@ -1500,6 +1496,11 @@ static void handle_fwk_notif_callbacks(u32 bitmap) if (cb_info && cb_info->fwk_cb) cb_info->fwk_cb(notify_id, cb_info->cb_data, buf); kfree(buf); + + return; + +release_rx: + ffa_rx_release(); } =20 static void notif_get_and_handle(void *cb_data) --=20 2.43.0

From: Sudeep Holla
Date: Thu, 23 Apr 2026 18:22:55 +0100
Subject: [PATCH 5/8] firmware: arm_ffa: Validate framework notification payload bounds
Message-Id: <20260423-ffa_fixes-v1-5-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla

Framework notification callbacks copy an indirect message payload out of the shared Rx buffer. Validate the reported offset and size before kmemdup() so malformed firmware data cannot drive an out-of-bounds read or an oversized allocation.

Fixes: 285a5ea0f542 ("firmware: arm_ffa: Add support for handling framework notifications")
Signed-off-by: Sudeep Holla
--- drivers/firmware/arm_ffa/driver.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 764cb1226182..0e030f377985 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -1469,6 +1469,7 @@ static void handle_fwk_notif_callbacks(u32 bitmap) int notify_id =3D 0, target; struct ffa_indirect_msg_hdr *msg; struct notifier_cb_info *cb_info =3D NULL; + size_t min_offset =3D offsetof(struct ffa_indirect_msg_hdr, uuid); =20 /* Only one framework notification defined and supported for now */ if (!(bitmap & FRAMEWORK_NOTIFY_RX_BUFFER_FULL)) 
@@ -1476,6 +1477,13 @@ static void handle_fwk_notif_callbacks(u32 bitmap) =20 scoped_guard(mutex, &drv_info->rx_lock) { msg =3D drv_info->rx_buffer; + if ((msg->offset !=3D min_offset && msg->offset < sizeof(*msg)) || + msg->offset > drv_info->rxtx_bufsz || + msg->size > drv_info->rxtx_bufsz - msg->offset) { + pr_err("invalid framework notification message\n"); + goto release_rx; + } + buf =3D kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL); if (!buf) goto release_rx; --=20 2.43.0

From: Sudeep Holla
Date: Thu, 23 Apr 2026 18:22:56 +0100
Subject: [PATCH 6/8] firmware: arm_ffa: Unregister v1.0 bus notifier on teardown
Message-Id: <20260423-ffa_fixes-v1-6-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla

For FF-A v1.0 the driver registers a bus notifier to backfill UUID matching, but the notifier was never unregistered on cleanup paths. Track the registration state and unregister it during teardown and early partition-setup failure.

Fixes: 9dd15934f60d ("firmware: arm_ffa: Move the FF-A v1.0 NULL UUID workaround to bus notifier")
Signed-off-by: Sudeep Holla
--- drivers/firmware/arm_ffa/driver.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 0e030f377985..4edb88079bac 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -100,6 +100,7 @@ struct ffa_drv_info { bool mem_ops_native; bool msg_direct_req2_supp; bool bitmap_created; + bool bus_notifier_registered; bool notif_enabled; unsigned int sched_recv_irq; unsigned int notif_pend_irq; @@ -1638,6 +1639,15 @@ static struct notifier_block ffa_bus_nb =3D { .notifier_call =3D ffa_bus_notifier, }; =20 +static void ffa_bus_notifier_unregister(void) +{ + if (!drv_info->bus_notifier_registered) + return; + + bus_unregister_notifier(&ffa_bus_type, &ffa_bus_nb); + drv_info->bus_notifier_registered =3D false; +} + static int ffa_xa_add_partition_info(struct ffa_device *dev) { struct ffa_dev_part_info *info; @@ -1721,6 +1731,8 @@ static void ffa_partitions_cleanup(void) struct list_head *phead; unsigned long idx; =20 + ffa_bus_notifier_unregister(); + /* Clean up/free all registered devices */ ffa_devices_unregister(); =20 
@@ -1748,11 +1760,14 @@ static int ffa_setup_partitions(void) ret =3D bus_register_notifier(&ffa_bus_type, &ffa_bus_nb); if (ret) pr_err("Failed to register FF-A bus notifiers\n"); + else + drv_info->bus_notifier_registered =3D true; } =20 count =3D ffa_partition_probe(&uuid_null, &pbuf); if (count <=3D 0) { pr_info("%s: No partitions found, error %d\n", __func__, count); + ffa_bus_notifier_unregister(); return -EINVAL; } =20 --=20 2.43.0

From: Sudeep Holla
Date: Thu, 23 Apr 2026 18:22:57 +0100
Subject: [PATCH 7/8] firmware: arm_ffa: Fix sched-recv callback partition lookup
Message-Id: <20260423-ffa_fixes-v1-7-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla

ffa_sched_recv_cb_update() used list_for_each_entry_safe() to search for a matching partition and then tested the iterator against NULL. That is not a valid end-of-list check for circular lists and can fall through with an invalid pointer. Use a normal iterator and detect the not-found case correctly before touching the partition state.

Fixes: be61da938576 ("firmware: arm_ffa: Allow multiple UUIDs per partition to register SRI callback")
Signed-off-by: Sudeep Holla
--- drivers/firmware/arm_ffa/driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 4edb88079bac..40ade6edcf33 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -1190,7 +1190,7 @@ static int ffa_sched_recv_cb_update(struct ffa_device *dev, ffa_sched_recv_cb callbac= k, void *cb_data, bool is_registration) { - struct ffa_dev_part_info *partition =3D NULL, *tmp; + struct ffa_dev_part_info *partition =3D NULL; struct list_head *phead; bool cb_valid; =20 
@@ -1203,11 +1203,11 @@ ffa_sched_recv_cb_update(struct ffa_device *dev, ff= a_sched_recv_cb callback, return -EINVAL; } =20 - list_for_each_entry_safe(partition, tmp, phead, node) + list_for_each_entry(partition, phead, node) if (partition->dev =3D=3D dev) break; =20 - if (!partition) { + if (&partition->node =3D=3D phead) { pr_err("%s: No such partition ID 0x%x\n", __func__, dev->vm_id); return -EINVAL; } --=20 2.43.0

From: Sudeep Holla
Date: Thu, 23 Apr 2026 18:22:58 +0100
Subject: [PATCH 8/8] firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies
Message-Id: <20260423-ffa_fixes-v1-8-61189661affe@kernel.org>
References: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
In-Reply-To: <20260423-ffa_fixes-v1-0-61189661affe@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla

The register-based PARTITION_INFO_GET path trusted the firmware-provided indices when copying partition descriptors into the caller buffer. Reject inconsistent counts or index progressions so the copy loop cannot write past the allocated array.

Fixes: ba85c644ac8d ("firmware: arm_ffa: Add support for FFA_PARTITION_INFO_GET_REGS")
Signed-off-by: Sudeep Holla
--- drivers/firmware/arm_ffa/driver.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 40ade6edcf33..4bb86eb721cd 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -336,7 +336,7 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32= uuid2, u32 uuid3, =20 do { __le64 *regs; - int idx; + int idx, nr_desc, buf_idx; =20 start_idx =3D prev_idx ? prev_idx + 1 : 0; =20 @@ -354,15 +354,25 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u= 32 uuid2, u32 uuid3, count =3D PARTITION_COUNT(partition_info.a2); if (!buffer || !num_parts) /* count only */ return count; + if (count > num_parts) + return -EINVAL; =20 cur_idx =3D CURRENT_INDEX(partition_info.a2); + if (cur_idx < start_idx || cur_idx >=3D count) + return -EINVAL; + + nr_desc =3D cur_idx - start_idx + 1; + buf_idx =3D buf - buffer; + if (buf_idx + nr_desc > num_parts) + return -EINVAL; + tag =3D UUID_INFO_TAG(partition_info.a2); buf_sz =3D PARTITION_INFO_SZ(partition_info.a2); if (buf_sz > sizeof(*buffer)) buf_sz =3D sizeof(*buffer); =20 regs =3D (void *)&partition_info.a3; - for (idx =3D 0; idx < cur_idx - start_idx + 1; idx++, buf++) { + for (idx =3D 0; idx < nr_desc; idx++, buf++) { union { uuid_t uuid; u64 regs[2]; --=20 2.43.0
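
Review bot: [PATCH 1/8] the "if (!id_table) return 0;" added to ffa_device_match() in the first hunk is not covered by the changelog, which only describes enforcing the contract at registration time. Since the second hunk makes ffa_driver_register() return -EINVAL for a NULL id_table, no driver without a table should reach the match callback. Either say in the changelog that the match-time check is deliberate defence in depth, or drop it and rely on the registration check.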
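
Review bot: [PATCH 4/8] in the first handle_fwk_notif_callbacks() hunk the early exit for a bitmap without FRAMEWORK_NOTIFY_RX_BUFFER_FULL changes from "return" to "goto release_rx", so ffa_rx_release() is now issued on a path that never read the Rx buffer. The changelog should state why the kernel owns the buffer in that case; otherwise keep the plain return there. Separately, the function now mixes goto with scoped_guard(), which the guidance in include/linux/cleanup.h asks to avoid within one function; a small helper that returns the duplicated payload under the guard, with a single ffa_rx_release() in the caller, would remove both labels.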
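
Review bot: [PATCH 5/8] in the second hunk msg->offset and msg->size are read from the shared Rx buffer for the new bounds check and then read again by "kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL)", so the values that were validated are not guaranteed to be the values used if the other side can still write the buffer. Copy both fields once into locals (READ_ONCE()) at the top of the scoped_guard() block and use the locals for the check, for kmemdup() and for the later "msg->offset >= sizeof(*msg)" test. The pr_err() is reachable from firmware-supplied data, so pr_err_ratelimited() is the safer choice.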
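
Review bot: [PATCH 6/8] in the ffa_setup_partitions() hunk only the "count <= 0" return calls ffa_bus_notifier_unregister(); any later error return in that function, which the hunk does not show, needs the same call unless it is guaranteed to reach ffa_partitions_cleanup(). Please confirm that in the changelog or add the call on those paths. A one-line comment on bus_notifier_registered in struct ffa_drv_info saying it is only set on the FF-A v1.0 path would also help.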
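
Review bot: [PATCH 7/8] the not-found test in the second hunk, "if (&partition->node == phead)", open-codes list_entry_is_head(partition, phead, node); use the helper, or better keep a separate pointer that is assigned only on a match so the iterator is not used after the loop. With list_for_each_entry() the "= NULL" initialiser kept on partition in the first hunk no longer serves a purpose and can go.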
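
Review bot: [PATCH 8/8] the new checks in the second hunk bound nr_desc against the destination ("buf_idx + nr_desc > num_parts") but nothing visible bounds it against the source: the loop still reads nr_desc descriptors starting at partition_info.a3, so a response reporting a large cur_idx - start_idx span could make the loop read past the returned register block. Add a cap on the number of descriptors a single response can carry before entering the loop. Also, idx, nr_desc and buf_idx are declared int while the declarations of cur_idx, start_idx, count and num_parts are outside the hunk; if those are unsigned, give the new variables the same type so the comparisons are not mixed-sign.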