From: Sudeep Holla
Date: Tue, 28 Apr 2026 19:33:25 +0100
Subject: [PATCH v2 01/11] firmware: arm_ffa: Check for NULL FF-A ID table while driver registration
Message-Id: <20260428-ffa_fixes-v2-1-8595ae450034@kernel.org>
To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: Jens Wiklander, Sudeep Holla

The bus match callback assumes that every FF-A driver provides an id_table and dereferences it unconditionally. Enforce that contract at registration time so a buggy client driver cannot crash the bus during match.

Fixes: 92743071464f ("firmware: arm_ffa: Ensure drivers provide a probe function")
Signed-off-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/bus.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/firmware/arm_ffa/bus.c b/drivers/firmware/arm_ffa/bus.c index 9576862d89c4..601c3418e0d9 100644 --- a/drivers/firmware/arm_ffa/bus.c +++ b/drivers/firmware/arm_ffa/bus.c @@ -26,6 +26,8 @@ static int ffa_device_match(struct device *dev, const str= uct device_driver *drv) =20 id_table =3D to_ffa_driver(drv)->id_table; ffa_dev =3D to_ffa_dev(dev); + if (!id_table) + return 0; =20 while (!uuid_is_null(&id_table->uuid)) { /*
@@ -123,7 +125,7 @@ int ffa_driver_register(struct ffa_driver *driver, stru= ct module *owner, { int ret; =20 - if (!driver->probe) + if (!driver->probe || !driver->id_table) return -EINVAL; =20 driver->driver.bus =3D &ffa_bus_type; --=20 2.43.0
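Review bot: in the ffa_device_match() hunk, the new `if (!id_table) return 0;` silently hides a driver that reached the bus without an id_table, a state that ffa_driver_register() now rejects with -EINVAL, so this branch should be unreachable. If it stays as defence in depth, make the violation visible, for example `if (WARN_ON_ONCE(!id_table)) return 0;`, and put the check directly after the id_table assignment rather than after the ffa_dev one. The commit message only describes the registration-time check and should mention the match-side change as well.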
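Review bot: the combined test `if (!driver->probe || !driver->id_table)` in ffa_driver_register() returns a bare -EINVAL for two different mistakes, so a driver author gets no hint which member is missing. Split the checks or add a pr_err() naming the missing field; a registration failure that only shows up as an errno at module load is easy to misdiagnose.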
From: Sudeep Holla
Date: Tue, 28 Apr 2026 19:33:26 +0100
Subject: [PATCH v2 02/11] firmware: arm_ffa: Skip free_pages on RX buffer alloc failure
Message-Id: <20260428-ffa_fixes-v2-2-8595ae450034@kernel.org>

If the RX buffer allocation fails in ffa_init(), the error path jumps to free_pages even though no buffer has been allocated yet. Route that case directly to free_drv_info so the cleanup path is only used after at least one RX/TX buffer allocation has succeeded.

Fixes: 3bbfe9871005 ("firmware: arm_ffa: Add initial Arm FFA driver support")
Signed-off-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index eb2782848283..e6a051b20cb7 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -2067,7 +2067,7 @@ static int __init ffa_init(void) drv_info->rx_buffer =3D alloc_pages_exact(rxtx_bufsz, GFP_KERNEL); if (!drv_info->rx_buffer) { ret =3D -ENOMEM; - goto free_pages; + goto free_drv_info; } =20 drv_info->tx_buffer =3D alloc_pages_exact(rxtx_bufsz, GFP_KERNEL); --=20 2.43.0
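Review bot: the switch to `goto free_drv_info;` on RX allocation failure is justified only by "no buffer has been allocated yet"; the commit message does not say what the free_pages label does with a NULL rx_buffer, so a reader cannot tell whether this fixes a crash or is a tidy-up. Describe the concrete failure in the message. The TX allocation on the next context line is still followed by an error path outside this hunk, so confirm that free_pages copes with tx_buffer being NULL when only the RX allocation succeeded.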
From: Sudeep Holla
Date: Tue, 28 Apr 2026 19:33:27 +0100
Subject: [PATCH v2 03/11] firmware: arm_ffa: Avoid collapsing NPI work from different CPUs
Message-Id: <20260428-ffa_fixes-v2-3-8595ae450034@kernel.org>

Notification pending interrupts are registered as per-CPU IRQs, but the driver queues all NPI handling through a single shared work_struct. That allows queue_work_on() calls from different CPUs to collapse onto a single pending work item even though the work function uses the CPU it runs on to fetch and handle per-CPU notifications.

Move notif_pcpu_work into the per-CPU ffa_pcpu_irq state and initialize one work item per CPU. This keeps NPI handling independent per CPU and avoids losing notifications when multiple CPUs queue work concurrently.

Signed-off-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index e6a051b20cb7..4e66c7325a4e 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -87,6 +87,7 @@ static inline int ffa_to_linux_errno(int errno) =20 struct ffa_pcpu_irq { struct ffa_drv_info *info; + struct work_struct notif_pcpu_work; }; =20 struct ffa_drv_info { @@ -106,7 +107,6 @@ struct ffa_drv_info { unsigned int cpuhp_state; struct ffa_pcpu_irq __percpu *irq_pcpu; struct workqueue_struct *notif_pcpu_wq; - struct work_struct notif_pcpu_work; struct work_struct sched_recv_irq_work; struct xarray partition_info; DECLARE_HASHTABLE(notifier_hash, ilog2(FFA_MAX_NOTIFICATIONS)); @@ -1539,8 +1539,9 @@ ffa_self_notif_handle(u16 vcpu, bool is_per_vcpu, voi= d *cb_data) =20 static void notif_pcpu_irq_work_fn(struct work_struct *work) { - struct ffa_drv_info *info =3D container_of(work, struct ffa_drv_info, + struct ffa_pcpu_irq *pcpu =3D container_of(work, struct ffa_pcpu_irq, notif_pcpu_work); + struct ffa_drv_info *info =3D pcpu->info; =20 ffa_self_notif_handle(smp_processor_id(), true, info); } @@ -1811,7 +1812,7 @@ static irqreturn_t notif_pend_irq_handler(int irq, vo= id *irq_data) struct ffa_drv_info *info =3D pcpu->info; =20 queue_work_on(smp_processor_id(), info->notif_pcpu_wq, - &info->notif_pcpu_work); + &pcpu->notif_pcpu_work); =20 return IRQ_HANDLED; } @@ -1928,8 +1929,11 @@ static int ffa_init_pcpu_irq(void) if (!irq_pcpu) return -ENOMEM; =20 - for_each_present_cpu(cpu) + for_each_present_cpu(cpu) { per_cpu_ptr(irq_pcpu, cpu)->info =3D drv_info; + INIT_WORK(&per_cpu_ptr(irq_pcpu, cpu)->notif_pcpu_work, + notif_pcpu_irq_work_fn); + } =20 drv_info->irq_pcpu =3D irq_pcpu; =20 
@@ -1958,7 +1962,6 @@ static int ffa_init_pcpu_irq(void) } =20 INIT_WORK(&drv_info->sched_recv_irq_work, ffa_sched_recv_irq_work_fn); - INIT_WORK(&drv_info->notif_pcpu_work, notif_pcpu_irq_work_fn); drv_info->notif_pcpu_wq =3D create_workqueue("ffa_pcpu_irq_notification"); if (!drv_info->notif_pcpu_wq) return -EINVAL; --=20 2.43.0
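Review bot: in the ffa_init_pcpu_irq() hunk the new INIT_WORK() sits inside `for_each_present_cpu(cpu) {`, so a CPU that is possible but not present at init keeps a notif_pcpu_work that was never initialised, and notif_pend_irq_handler() would pass it to queue_work_on() if that CPU comes up later. Use for_each_possible_cpu() for this initialisation loop. The commit message describes lost notifications but carries no Fixes: tag, unlike the other fixes in the series; add one or say why it is omitted.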
From: Sudeep Holla
Date: Tue, 28 Apr 2026 19:33:28 +0100
Subject: [PATCH v2 04/11] firmware: arm_ffa: Fix per-vcpu self notifications handling in workqueue
Message-Id: <20260428-ffa_fixes-v2-4-8595ae450034@kernel.org>

Per-vcpu notification handling already runs from a per-cpu work item on the target cpu. Routing that path back through smp_call_function_single() re-enters the call-function IPI path and executes the notification handler with interrupts disabled. That makes the framework path unsafe, since it takes a mutex, allocates memory with GFP_KERNEL, and invokes client callbacks.

Handle per-vcpu self notifications directly from the existing per-cpu work item instead. This keeps the per-vcpu path in task context and avoids the extra IPI hop entirely.

Fixes: 3a3e2b83e805 ("firmware: arm_ffa: Avoid queuing work when running on the worker queue")
Signed-off-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 4e66c7325a4e..2241e851f7ae 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c 
@@ -1543,7 +1543,7 @@ static void notif_pcpu_irq_work_fn(struct work_struct= *work) notif_pcpu_work); struct ffa_drv_info *info =3D pcpu->info; =20 - ffa_self_notif_handle(smp_processor_id(), true, info); + notif_get_and_handle(info); } =20 static const struct ffa_info_ops ffa_drv_info_ops =3D { --=20 2.43.0
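Review bot: the replacement line `notif_get_and_handle(info);` drops the explicit per-vCPU flag that the removed `ffa_self_notif_handle(smp_processor_id(), true, info);` passed, and notif_get_and_handle() is not part of this diff. State in the commit message how that helper selects the per-vCPU notifications for the CPU the work item runs on, and whether ffa_self_notif_handle() still has callers after this change or can be removed.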
From: Sudeep Holla
Date: Tue, 28 Apr 2026 19:33:29 +0100
Subject: [PATCH v2 05/11] firmware: arm_ffa: Unregister bus notifier on teardown for FF-A v1.0
Message-Id: <20260428-ffa_fixes-v2-5-8595ae450034@kernel.org>

For FF-A v1.0 the driver registers a bus notifier to backfill UUID matching, but the notifier was never unregistered on cleanup paths. Track the registration state and unregister it during teardown and early partition-setup failure.

Fixes: 9dd15934f60d ("firmware: arm_ffa: Move the FF-A v1.0 NULL UUID workaround to bus notifier")
Signed-off-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 2241e851f7ae..a122814eb6d7 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -101,6 +101,7 @@ struct ffa_drv_info { bool mem_ops_native; bool msg_direct_req2_supp; bool bitmap_created; + bool bus_notifier_registered; bool notif_enabled; unsigned int sched_recv_irq; unsigned int notif_pend_irq; @@ -1630,6 +1631,15 @@ static struct notifier_block ffa_bus_nb =3D { .notifier_call =3D ffa_bus_notifier, }; =20 +static void ffa_bus_notifier_unregister(void) +{ + if (!drv_info->bus_notifier_registered) + return; + + bus_unregister_notifier(&ffa_bus_type, &ffa_bus_nb); + drv_info->bus_notifier_registered =3D false; +} + static int ffa_xa_add_partition_info(struct ffa_device *dev) { struct ffa_dev_part_info *info; @@ -1713,6 +1723,8 @@ static void ffa_partitions_cleanup(void) struct list_head *phead; unsigned long idx; =20 + ffa_bus_notifier_unregister(); + /* Clean up/free all registered devices */ ffa_devices_unregister(); =20 
@@ -1740,11 +1752,14 @@ static int ffa_setup_partitions(void) ret =3D bus_register_notifier(&ffa_bus_type, &ffa_bus_nb); if (ret) pr_err("Failed to register FF-A bus notifiers\n"); + else + drv_info->bus_notifier_registered =3D true; } =20 count =3D ffa_partition_probe(&uuid_null, &pbuf); if (count <=3D 0) { pr_info("%s: No partitions found, error %d\n", __func__, count); + ffa_bus_notifier_unregister(); return -EINVAL; } =20 --=20 2.43.0
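Review bot: in the ffa_setup_partitions() hunk, ffa_bus_notifier_unregister() is added only to the `count <= 0` return; any later error return in this function lies outside the diff, so confirm that each one either unregisters the notifier or is always followed by ffa_partitions_cleanup(). In the same hunk a bus_register_notifier() failure is only logged with pr_err() and setup carries on, which leaves the v1.0 UUID backfill silently missing; consider returning ret there, or say in the commit message why continuing is acceptable.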
From: Sudeep Holla
Date: Tue, 28 Apr 2026 19:33:30 +0100
Subject: [PATCH v2 06/11] firmware: arm_ffa: Bound PARTITION_INFO_GET_REGS copies
Message-Id: <20260428-ffa_fixes-v2-6-8595ae450034@kernel.org>

The register-based PARTITION_INFO_GET path trusted the firmware-provided indices when copying partition descriptors into the caller buffer. Reject inconsistent counts or index progressions so the copy loop cannot write past the allocated array.

Fixes: ba85c644ac8d ("firmware: arm_ffa: Add support for FFA_PARTITION_INFO_GET_REGS")
Signed-off-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index a122814eb6d7..ed502486eb35 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -323,6 +323,12 @@ __ffa_partition_info_get(u32 uuid0, u32 uuid1, u32 uui= d2, u32 uuid3, #define PART_INFO_ID_MASK GENMASK(15, 0) #define PART_INFO_EXEC_CXT_MASK GENMASK(31, 16) #define PART_INFO_PROPS_MASK GENMASK(63, 32) +#define FFA_PART_INFO_GET_REGS_FIRST_REG 3 +#define FFA_PART_INFO_GET_REGS_REGS_PER_DESC 3 +#define FFA_PART_INFO_GET_REGS_MAX_DESC \ + (((sizeof(ffa_value_t) / sizeof_field(ffa_value_t, a0)) - \ + FFA_PART_INFO_GET_REGS_FIRST_REG) / \ + FFA_PART_INFO_GET_REGS_REGS_PER_DESC) #define PART_INFO_ID(x) ((u16)(FIELD_GET(PART_INFO_ID_MASK, (x)))) #define PART_INFO_EXEC_CXT(x) ((u16)(FIELD_GET(PART_INFO_EXEC_CXT_MASK, (x= )))) #define PART_INFO_PROPERTIES(x) ((u32)(FIELD_GET(PART_INFO_PROPS_MASK, (x)= ))) @@ -336,7 +342,7 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u32= uuid2, u32 uuid3, =20 do { __le64 *regs; - int idx; + int idx, nr_desc, buf_idx; =20 start_idx =3D prev_idx ? prev_idx + 1 : 0; =20 
@@ -354,15 +360,28 @@ __ffa_partition_info_get_regs(u32 uuid0, u32 uuid1, u= 32 uuid2, u32 uuid3, count =3D PARTITION_COUNT(partition_info.a2); if (!buffer || !num_parts) /* count only */ return count; + if (count > num_parts) + return -EINVAL; =20 cur_idx =3D CURRENT_INDEX(partition_info.a2); + if (cur_idx < start_idx || cur_idx >=3D count) + return -EINVAL; + + nr_desc =3D cur_idx - start_idx + 1; + if (nr_desc > FFA_PART_INFO_GET_REGS_MAX_DESC) + return -EINVAL; + + buf_idx =3D buf - buffer; + if (buf_idx + nr_desc > num_parts) + return -EINVAL; + tag =3D UUID_INFO_TAG(partition_info.a2); buf_sz =3D PARTITION_INFO_SZ(partition_info.a2); if (buf_sz > sizeof(*buffer)) buf_sz =3D sizeof(*buffer); =20 regs =3D (void *)&partition_info.a3; - for (idx =3D 0; idx < cur_idx - start_idx + 1; idx++, buf++) { + for (idx =3D 0; idx < nr_desc; idx++, buf++) { union { uuid_t uuid; u64 regs[2]; --=20 2.43.0
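Review bot: the three new macros in the first hunk (FFA_PART_INFO_GET_REGS_FIRST_REG, _REGS_PER_DESC, _MAX_DESC) carry no comment saying where the two values of 3 come from. Add a short comment tying them to the register layout the copy loop relies on, where descriptors start at `partition_info.a3`, so the bound can be checked without the specification to hand. The _MAX_DESC expression also assumes every ffa_value_t member has the size of a0; say so or assert it.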
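Review bot: nr_desc and buf_idx are declared as plain int (`int idx, nr_desc, buf_idx;`) yet feed the bounds checks `nr_desc > FFA_PART_INFO_GET_REGS_MAX_DESC` and `buf_idx + nr_desc > num_parts`, and `buf - buffer` is a pointer difference narrowed into int. Give them an unsigned type matching num_parts so the checks that guard the write cannot be skewed by sign conversion. Separately, `if (count > num_parts) return -EINVAL;` changes what a caller with a short buffer gets back, which the commit message should spell out.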
From: Sudeep Holla
Date: Tue, 28 Apr 2026 19:33:31 +0100
Subject: [PATCH v2 07/11] firmware: arm_ffa: Keep framework RX release under lock
Message-Id: <20260428-ffa_fixes-v2-7-8595ae450034@kernel.org>

The framework notification handler drops rx_lock before issuing FFA_RX_RELEASE, leaving a window where another RX-buffer user can start a new FF-A transaction before ownership has actually been returned to firmware.

Move the FFA_RX_RELEASE calls so they execute while rx_lock is still held on both the kmemdup() failure path and the normal success path. While doing that, switch the handler to scoped_guard() to keep the critical section explicit.

Fixes: 285a5ea0f542 ("firmware: arm_ffa: Add support for handling framework notifications")
Signed-off-by: Sudeep Holla
---
 drivers/firmware/arm_ffa/driver.c | 29 +++++++++++++----------------
 1 file changed, 13 insertions(+), 16 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index ed502486eb35..18bcbd161805 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -1494,25 +1494,22 @@ static void handle_fwk_notif_callbacks(u32 bitmap) if (!(bitmap & FRAMEWORK_NOTIFY_RX_BUFFER_FULL)) return; =20 - mutex_lock(&drv_info->rx_lock); + scoped_guard(mutex, &drv_info->rx_lock) { + msg =3D drv_info->rx_buffer; + buf =3D kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL); + if (!buf) { + ffa_rx_release(); + return; + } =20 - msg =3D drv_info->rx_buffer; - buf =3D kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL); - if (!buf) { - mutex_unlock(&drv_info->rx_lock); - return; + target =3D SENDER_ID(msg->send_recv_id); + if (msg->offset >=3D sizeof(*msg)) + uuid_copy(&uuid, &msg->uuid); + else + uuid_copy(&uuid, &uuid_null); + ffa_rx_release(); } =20 - target =3D SENDER_ID(msg->send_recv_id); - if (msg->offset >=3D sizeof(*msg)) - uuid_copy(&uuid, &msg->uuid); - else - uuid_copy(&uuid, &uuid_null); - - mutex_unlock(&drv_info->rx_lock); - - ffa_rx_release(); - read_lock(&drv_info->notify_lock); cb_info =3D notifier_hnode_get_by_vmid_uuid(notify_id, target, &uuid); read_unlock(&drv_info->notify_lock); --=20 2.43.0
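Review bot: the `if (!buf)` branch gains an ffa_rx_release() that the removed lines never had (they only did mutex_unlock() and return), so this is a behaviour change on the allocation-failure path and not just a move under the lock; the commit message should state that the RX buffer was previously left unreleased there. The release is also now written twice inside the guard. Reading target and the UUID out of msg before the kmemdup() would let a single ffa_rx_release() follow the copy and cover both outcomes.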
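Review bot: ffa_rx_release() now has to be repeated by hand on every exit from the scoped_guard() block in handle_fwk_notif_callbacks() (the `if (!buf)` return and the end of the block), so an early return added later that forgets it drops rx_lock without returning the RX buffer to firmware. Consider a single release point, for example falling through to one ffa_rx_release() before the closing brace and checking `buf` after the guard. The commit message should also state that ffa_rx_release() does not itself take rx_lock, since until now it was only called after mutex_unlock().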
From: Sudeep Holla Date: Tue, 28 Apr 2026 19:33:32 +0100 Subject: [PATCH v2 08/11] firmware: arm_ffa: Validate framework notification message layout Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-ffa_fixes-v2-8-8595ae450034@kernel.org> References: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org> In-Reply-To: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org> To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Cc: Jens Wiklander , Sudeep Holla X-Mailer: b4 0.15.2 Framework notifications carry an indirect message in the shared RX buffer. Validate the reported offset and size before using them, reject zero-length payloads, and ensure that any non-header payload starts at the UUID field rather than in the middle of the message header. Use the validated offset and size values for both kmemdup() and the UUID parsing path so malformed firmware data cannot drive an out-of-bounds read or an oversized allocation. Fixes: 285a5ea0f542 ("firmware: arm_ffa: Add support for handling framework notifications") Signed-off-by: Sudeep Holla --- drivers/firmware/arm_ffa/driver.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 18bcbd161805..4944aa6b815f 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c
@@ -1489,21 +1489,35 @@ static void handle_fwk_notif_callbacks(u32 bitmap) int notify_id =3D 0, target; struct ffa_indirect_msg_hdr *msg; struct notifier_cb_info *cb_info =3D NULL; + size_t min_offset =3D offsetof(struct ffa_indirect_msg_hdr, uuid); =20 /* Only one framework notification defined and supported for now */ if (!(bitmap & FRAMEWORK_NOTIFY_RX_BUFFER_FULL)) return; =20 scoped_guard(mutex, &drv_info->rx_lock) { + u32 offset, size; + msg =3D drv_info->rx_buffer; - buf =3D kmemdup((void *)msg + msg->offset, msg->size, GFP_KERNEL); + offset =3D msg->offset; + size =3D msg->size; + + if (!size || (offset !=3D min_offset && offset < sizeof(*msg)) || + offset > drv_info->rxtx_bufsz || + size > drv_info->rxtx_bufsz - offset) { + pr_err("invalid framework notification message\n"); + ffa_rx_release(); + return; + } + + buf =3D kmemdup((void *)msg + offset, size, GFP_KERNEL); if (!buf) { ffa_rx_release(); return; } =20 target =3D SENDER_ID(msg->send_recv_id); - if (msg->offset >=3D sizeof(*msg)) + if (offset >=3D sizeof(*msg)) uuid_copy(&uuid, &msg->uuid); else uuid_copy(&uuid, &uuid_null); --=20 2.43.0
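Review bot: `offset = msg->offset;` and `size = msg->size;` are plain loads from the shared RX buffer, so the compiler is free to re-read `msg->offset` or `msg->size` after the bounds check instead of reusing the locals; READ_ONCE() on both loads makes the snapshot that the check relies on explicit. The `pr_err("invalid framework notification message\n")` path runs on every malformed notification, so pr_err_ratelimited() would keep a misbehaving sender from flooding the log.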
From: Sudeep Holla Date: Tue, 28 Apr 2026 19:33:33 +0100 Subject: [PATCH v2 09/11] firmware: arm_ffa: Align RxTx buffer size before mapping Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-ffa_fixes-v2-9-8595ae450034@kernel.org> References: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org> In-Reply-To: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org> To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Cc: Jens Wiklander , Sudeep Holla , Sebastian Ene X-Mailer: b4 0.15.2 Commit 83210251fd70 ("firmware: arm_ffa: Use the correct buffer size during RXTX_MAP") advertises PAGE_ALIGN(rxtx_bufsz) to firmware when mapping the buffers but the driver continues to store the minimum FF-A buffer size in drv_info->rxtx_bufsz which is used elsewhere in the driver. Align the size before storing it so that the allocation, validation and FFA_RXTX_MAP all use the same buffer size. Fixes: 83210251fd70 ("firmware: arm_ffa: Use the correct buffer size during RXTX_MAP") Cc: Sebastian Ene Link: https://sashiko.dev/#/patchset/20260402113939.930221-1-sebastianene@google.com Reviewed-by: Sebastian Ene Signed-off-by: Sudeep Holla --- drivers/firmware/arm_ffa/driver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 4944aa6b815f..9181cc752ce1 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -2111,6 +2111,7 @@ static int __init ffa_init(void) rxtx_bufsz =3D SZ_4K; } =20 + rxtx_bufsz =3D PAGE_ALIGN(rxtx_bufsz); drv_info->rxtx_bufsz =3D rxtx_bufsz; drv_info->rx_buffer =3D alloc_pages_exact(rxtx_bufsz, GFP_KERNEL); if (!drv_info->rx_buffer) {
@@ -2126,7 +2127,7 @@ static int __init ffa_init(void) =20 ret =3D ffa_rxtx_map(virt_to_phys(drv_info->tx_buffer), virt_to_phys(drv_info->rx_buffer), - PAGE_ALIGN(rxtx_bufsz) / FFA_PAGE_SIZE); + rxtx_bufsz / FFA_PAGE_SIZE); if (ret) { pr_err("failed to register FFA RxTx buffers\n"); goto free_pages; --=20 2.43.0
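Review bot: after `rxtx_bufsz = PAGE_ALIGN(rxtx_bufsz);` in ffa_init(), drv_info->rxtx_bufsz holds the mapped size rather than the minimum FF-A buffer size, and nothing at the assignment says so. A short comment there would help, and the commit message should say whether any existing reader of drv_info->rxtx_bufsz depended on the unaligned value; the bounds check added in 08/11 uses it as the upper limit for offset and size, so that limit grows with this change.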
From: Sudeep Holla Date: Tue, 28 Apr 2026 19:33:34 +0100 Subject: [PATCH v2 10/11] firmware: arm_ffa: Snapshot notifier callbacks under lock Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-ffa_fixes-v2-10-8595ae450034@kernel.org> References: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org> In-Reply-To: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org> To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Cc: Jens Wiklander , Sudeep Holla X-Mailer: b4 0.15.2 Both notification handlers currently look up a notifier callback under notify_lock, drop the lock, and then dereference the returned notifier entry. A concurrent unregister can delete and free that entry in the gap, leaving the handler to dereference stale memory. Copy the callback pointer and callback data while notify_lock is still held and invoke the callback only after the lock is dropped. This keeps the existing callback execution model while removing the use-after-free window in both the framework and non-framework notification paths. Fixes: 285a5ea0f542 ("firmware: arm_ffa: Add support for handling framework notifications") Signed-off-by: Sudeep Holla --- drivers/firmware/arm_ffa/driver.c | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-)
diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 9181cc752ce1..2e9820395162 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -1465,20 +1465,25 @@ static int ffa_notify_send(struct ffa_device *dev, = int notify_id, =20 static void handle_notif_callbacks(u64 bitmap, enum notify_type type) { + ffa_notifier_cb cb; + void *cb_data; int notify_id; - struct notifier_cb_info *cb_info =3D NULL; =20 for (notify_id =3D 0; notify_id <=3D FFA_MAX_NOTIFICATIONS && bitmap; notify_id++, bitmap >>=3D 1) { if (!(bitmap & 1)) continue; =20 - read_lock(&drv_info->notify_lock); - cb_info =3D notifier_hnode_get_by_type(notify_id, type); - read_unlock(&drv_info->notify_lock); + scoped_guard(read_lock, &drv_info->notify_lock) { + struct notifier_cb_info *cb_info; + + cb_info =3D notifier_hnode_get_by_type(notify_id, type); + cb =3D cb_info ? cb_info->cb : NULL; + cb_data =3D cb_info ? cb_info->cb_data : NULL; + } =20 - if (cb_info && cb_info->cb) - cb_info->cb(notify_id, cb_info->cb_data); + if (cb) + cb(notify_id, cb_data); } } =20 @@ -1486,9 +1491,10 @@ static void handle_fwk_notif_callbacks(u32 bitmap) { void *buf; uuid_t uuid; + void *fwk_cb_data; int notify_id =3D 0, target; + ffa_fwk_notifier_cb fwk_cb; struct ffa_indirect_msg_hdr *msg; - struct notifier_cb_info *cb_info =3D NULL; size_t min_offset =3D offsetof(struct ffa_indirect_msg_hdr, uuid); =20 /* Only one framework notification defined and supported for now */ 
@@ -1524,12 +1530,17 @@ static void handle_fwk_notif_callbacks(u32 bitmap) ffa_rx_release(); } =20 - read_lock(&drv_info->notify_lock); - cb_info =3D notifier_hnode_get_by_vmid_uuid(notify_id, target, &uuid); - read_unlock(&drv_info->notify_lock); + scoped_guard(read_lock, &drv_info->notify_lock) { + struct notifier_cb_info *cb_info; + + cb_info =3D notifier_hnode_get_by_vmid_uuid(notify_id, target, + &uuid); + fwk_cb =3D cb_info ? cb_info->fwk_cb : NULL; + fwk_cb_data =3D cb_info ? cb_info->cb_data : NULL; + } =20 - if (cb_info && cb_info->fwk_cb) - cb_info->fwk_cb(notify_id, cb_info->cb_data, buf); + if (fwk_cb) + fwk_cb(notify_id, fwk_cb_data, buf); kfree(buf); } =20 --=20 2.43.0
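Review bot: the first hunk reworks handle_notif_callbacks(), the non-framework path, but the only Fixes: tag names the commit that added framework notifications. If the lookup under notify_lock followed by `cb_info->cb(notify_id, cb_info->cb_data)` outside it is older than that commit, a second Fixes: tag is needed so stable backports cover that path too.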
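Review bot: `fwk_cb(notify_id, fwk_cb_data, buf)` in the last hunk (and `cb(notify_id, cb_data)` in handle_notif_callbacks()) still runs after notify_lock is dropped, so a concurrent unregister can return while the callback is running or about to run, with a cb_data the client then frees. The snapshot closes the use-after-free on the notifier entry itself; please either make unregister wait for in-flight callbacks or state in the commit message that callers must keep cb_data valid until no handler can still be running.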
From: Sudeep Holla Date: Tue, 28 Apr 2026 19:33:35 +0100 Subject: [PATCH v2 11/11] firmware: arm_ffa: Fix sched-recv callback partition lookup Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260428-ffa_fixes-v2-11-8595ae450034@kernel.org> References: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org> In-Reply-To: <20260428-ffa_fixes-v2-0-8595ae450034@kernel.org> To: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Cc: Jens Wiklander , Sudeep Holla X-Mailer: b4 0.15.2 ffa_sched_recv_cb_update() used list_for_each_entry_safe() to search for a matching partition and then tested the iterator against NULL. That is not a valid end-of-list check for circular lists and can fall through with an invalid pointer. Use a normal iterator and detect the not-found case correctly before touching the partition state. Fixes: be61da938576 ("firmware: arm_ffa: Allow multiple UUIDs per partition to register SRI callback")
Signed-off-by: Sudeep Holla --- drivers/firmware/arm_ffa/driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/d= river.c index 2e9820395162..7bf8555c09da 100644 --- a/drivers/firmware/arm_ffa/driver.c +++ b/drivers/firmware/arm_ffa/driver.c @@ -1209,7 +1209,7 @@ static int ffa_sched_recv_cb_update(struct ffa_device *dev, ffa_sched_recv_cb callbac= k, void *cb_data, bool is_registration) { - struct ffa_dev_part_info *partition =3D NULL, *tmp; + struct ffa_dev_part_info *partition =3D NULL; struct list_head *phead; bool cb_valid; =20 @@ -1222,11 +1222,11 @@ ffa_sched_recv_cb_update(struct ffa_device *dev, ff= a_sched_recv_cb callback, return -EINVAL; } =20 - list_for_each_entry_safe(partition, tmp, phead, node) + list_for_each_entry(partition, phead, node) if (partition->dev =3D=3D dev) break; =20 - if (!partition) { + if (&partition->node =3D=3D phead) { pr_err("%s: No such partition ID 0x%x\n", __func__, dev->vm_id); return -EINVAL; } --=20 2.43.0
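Review bot: `if (&partition->node == phead)` in the second hunk open-codes the end-of-list test; list_entry_is_head(partition, phead, node) says the same thing and matches the list API. Since list_for_each_entry() always assigns the iterator, the `= NULL` initializer kept on `partition` in the first hunk no longer does anything and can be dropped.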