Date: Thu, 30 Apr 2026 16:02:40 +0000
In-Reply-To: <20260430160241.1934777-1-sebastianene@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260430160241.1934777-2-sebastianene@google.com>
Subject: [PATCH v2 1/2] firmware: arm_ffa: Fix Endpoint Memory Access Descriptor offset calculation
From: Sebastian Ene
To: catalin.marinas@arm.com, maz@kernel.org, oupton@kernel.org, sudeep.holla@kernel.org, will@kernel.org
Cc: joey.gouly@arm.com, korneld@google.com, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, android-kvm@google.com, mrigendra.chaubey@gmail.com, perlarsen@google.com, sebastianene@google.com, suzuki.poulose@arm.com, vdonnefort@google.com, yuzenghui@huawei.com

Use the descriptor's `ep_mem_offset` to calculate the start of the endpoint
memory access array and to comply with the FF-A spec instead of defaulting to
`sizeof(struct ffa_mem_region)`. This requires moving
`ffa_mem_region_additional_setup()` earlier in the setup flow.

Also, add sanity checks to ensure the calculated descriptor offsets do not
exceed `max_fragsize`.

Signed-off-by: Sebastian Ene
---
 drivers/firmware/arm_ffa/driver.c | 14 ++++++++++----
 include/linux/arm_ffa.h           |  2 +-
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
index eb2782848283..56b166290b24 100644
--- a/drivers/firmware/arm_ffa/driver.c
+++ b/drivers/firmware/arm_ffa/driver.c
@@ -685,18 +685,25 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32= max_fragsize, struct ffa_composite_mem_region *composite; struct ffa_mem_region_addr_range *constituents; struct ffa_mem_region_attributes *ep_mem_access; - u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g); + u32 idx, frag_len, length, buf_sz =3D 0, num_entries =3D sg_nents(args->s= g), ep_offset; =20 mem_region->tag =3D args->tag; mem_region->flags =3D args->flags; mem_region->sender_id =3D drv_info->vm_id; mem_region->attributes =3D ffa_memory_attributes_get(func_id); + + ffa_mem_region_additional_setup(drv_info->version, mem_region); composite_offset =3D ffa_mem_desc_offset(buffer, args->nattrs, drv_info->version); + if (composite_offset > max_fragsize - sizeof(struct ffa_composite_mem_reg= ion)) + return -ENXIO; =20 for (idx =3D 0; idx < args->nattrs; idx++) { - ep_mem_access =3D buffer + - ffa_mem_desc_offset(buffer, idx, drv_info->version); + ep_offset =3D ffa_mem_desc_offset(buffer, idx, drv_info->version); + if (ep_offset > max_fragsize - sizeof(struct ffa_mem_region_attributes)) + return -ENXIO; + + ep_mem_access =3D buffer + ep_offset; ep_mem_access->receiver =3D args->attrs[idx].receiver; ep_mem_access->attrs =3D args->attrs[idx].attrs; ep_mem_access->composite_off =3D composite_offset; @@ -708,7 +715,6 @@ ffa_setup_and_transmit(u32 func_id, void *buffer, u32 m= ax_fragsize, } mem_region->handle =3D 0; mem_region->ep_count =3D args->nattrs; - ffa_mem_region_additional_setup(drv_info->version, mem_region); =20 composite =3D buffer + composite_offset; composite->total_pg_cnt =3D ffa_get_num_pages_sg(args->sg); diff --git a/include/linux/arm_ffa.h b/include/linux/arm_ffa.h index 81e603839c4a..62d67dae8b70 100644 --- a/include/linux/arm_ffa.h +++ b/include/linux/arm_ffa.h 
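Review bot: both new bounds checks in ffa_setup_and_transmit() silently assume max_fragsize is at least sizeof(struct ffa_composite_mem_region) and sizeof(struct ffa_mem_region_attributes): max_fragsize is a u32 and sizeof() is a size_t, so `max_fragsize - sizeof(struct ffa_composite_mem_region)` wraps to a huge value for a smaller max_fragsize and `return -ENXIO` is never reached. If every caller passes a whole mailbox the precondition holds, but a one-line comment, or an explicit `if (max_fragsize < sizeof(*mem_region) + sizeof(*composite)) return -ENXIO;` before the loop, would make it visible. Second, the ep_offset check inside the loop is redundant if ffa_mem_desc_offset() advances by one descriptor per index: composite_offset is ffa_mem_desc_offset(buffer, args->nattrs, ...), so every ep_offset for idx < args->nattrs then lies below it and the composite_offset check already rejects anything that would not fit; either drop the loop check or add a comment saying which of the two is the real guard. Third, moving ffa_mem_region_additional_setup() above the first ffa_mem_desc_offset() call is now load-bearing because the helper reads buf->ep_mem_offset; a comment at the new call site would keep a later cleanup from reordering it back.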
@@ -445,7 +445,7 @@ ffa_mem_desc_offset(struct ffa_mem_region *buf, int cou= nt, u32 ffa_version) if (!FFA_MEM_REGION_HAS_EP_MEM_OFFSET(ffa_version)) offset +=3D offsetof(struct ffa_mem_region, ep_mem_offset); else - offset +=3D sizeof(struct ffa_mem_region); + offset +=3D buf->ep_mem_offset; =20 return offset; } --=20 2.54.0.545.g6539524ca2-goog From nobody Sat Jun 20 14:13:19 2026 Received: from mail-wm1-f73.google.com (mail-wm1-f73.google.com [209.85.128.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7049A4779AA for ; Thu, 30 Apr 2026 16:02:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777564974; cv=none; b=cCIyPh4B6RVhV+WCX8cwX775JgaY/Jo0i0GvWfvqHsaOCW9OtKttK87MISnmBmaqxQrwT/lwjV/auzWgi4Cwh59vh21LJ/6y05JPk17myBTH3kddKXNlFL0rpiDqYusPBr4OJfLntJoCuOq0yYokX0hdcgPMi0eNACzjPLUFSD4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777564974; c=relaxed/simple; bh=nSYWLOgCg9cYKYP1SSRIy1jcqnUttFghlsW4Zh+PYH4=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=o6GwjTvNZAh/JJyzaz74mxEAjQWIeSwnRU+sn5YuRK5rZB0pfK+r7YY5onsj0I1WFutuT46SrO+9J40nZttqb9toLKC3Q242iWrUmlyeeg2kBzVe+pGo4y3INuzTmff1GVCuBSTnhtouxuyLNxFVFsyuD9kIfYwgPztQTzFaXCc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--sebastianene.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=U1IUzs9W; arc=none smtp.client-ip=209.85.128.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--sebastianene.bounces.google.com Authentication-Results: 
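Review bot: with `offset += buf->ep_mem_offset;` the v1.1+ branch of ffa_mem_desc_offset() now reads from buf, which the old `sizeof(struct ffa_mem_region)` form never did, so two things change for callers: buf must already be populated (in the driver that is why ffa_mem_region_additional_setup() had to move ahead of the first call), and when buf was written by the other endpoint the return value is attacker-influenced and must be range-checked before it is added to a pointer. Neither is stated at the function; a comment on the `else` branch, or in the function's kernel-doc, saying that it reads buf->ep_mem_offset and that the caller validates the result against its buffer size would document the new contract, and it is worth confirming that no other in-tree caller of ffa_mem_desc_offset() besides the ones patch 2 touches uses the result unchecked.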
Date: Thu, 30 Apr 2026 16:02:41 +0000
In-Reply-To: <20260430160241.1934777-1-sebastianene@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20260430160241.1934777-3-sebastianene@google.com>
Subject: [PATCH v2 2/2] KVM: arm64: Validate the offset to the mem access descriptor
From: Sebastian Ene
To: catalin.marinas@arm.com, maz@kernel.org, oupton@kernel.org, sudeep.holla@kernel.org, will@kernel.org
Cc: joey.gouly@arm.com, korneld@google.com, kvmarm@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, android-kvm@google.com, mrigendra.chaubey@gmail.com, perlarsen@google.com, sebastianene@google.com, suzuki.poulose@arm.com, vdonnefort@google.com, yuzenghui@huawei.com

Prevent the pKVM hypervisor from making assumptions that the endpoint memory
access descriptor (EMAD) comes right after the FF-A memory region header.
Prior to FF-A version 1.1 the header of the memory region didn't contain an
offset to the endpoint memory access descriptor. The layout of a memory
transaction looks like this from 1.1 onward:

  Type   | Field name                | Offset
[ Header | ffa_mem_region            | 0
  EMAD 1 | ffa_mem_region_attributes | ffa_mem_region.ep_mem_offset ]

Verify that the offset to the first endpoint memory access descriptor is
within the mailbox buffer bounds.
Signed-off-by: Sebastian Ene --- v1 -> v2: * don't enforce a strict placement for the ep_mem_offset since this is not compliant with the spec and we should not make assumptions about the driver. Link to v1: https://lore.kernel.org/all/ae9KN9nkOgDYJcGP@google.com/T/#t --- --- arch/arm64/kvm/hyp/nvhe/ffa.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/arch/arm64/kvm/hyp/nvhe/ffa.c b/arch/arm64/kvm/hyp/nvhe/ffa.c index 1af722771178..8e9017fc8e39 100644 --- a/arch/arm64/kvm/hyp/nvhe/ffa.c +++ b/arch/arm64/kvm/hyp/nvhe/ffa.c @@ -479,7 +479,7 @@ static void __do_ffa_mem_xfer(const u64 func_id, struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; struct ffa_mem_region *buf; - u32 offset, nr_ranges, checked_offset; + u32 offset, nr_ranges, checked_offset, em_mem_access_off; int ret =3D 0; =20 if (addr_mbz || npages_mbz || fraglen > len || @@ -508,8 +508,14 @@ static void __do_ffa_mem_xfer(const u64 func_id, buf =3D hyp_buffers.tx; memcpy(buf, host_buffers.tx, fraglen); =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if (em_mem_access_off > + KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE - (struct ffa_mem_region_attributes= )) { + ret =3D FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; if (!offset || buf->ep_count !=3D 1 || buf->sender_id !=3D HOST_FFA_ID) { ret =3D FFA_RET_INVALID_PARAMETERS; @@ -576,7 +582,7 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_reg= s *res, DECLARE_REG(u32, flags, ctxt, 3); struct ffa_mem_region_attributes *ep_mem_access; struct ffa_composite_mem_region *reg; - u32 offset, len, fraglen, fragoff; + u32 offset, len, fraglen, fragoff, em_mem_access_off; struct ffa_mem_region *buf; int ret =3D 0; u64 handle; 
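Review bot: the new check in __do_ffa_mem_xfer() does not compile as shown: `KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE - (struct ffa_mem_region_attributes)` has no sizeof, presumably `sizeof(struct ffa_mem_region_attributes)` is intended. Beyond that, the bound is looser than it needs to be: only `fraglen` bytes were just copied with `memcpy(buf, host_buffers.tx, fraglen);`, so an ep_mem_offset between fraglen and the end of the mailbox passes the check and makes the hypervisor read a descriptor left over in hyp_buffers.tx from an earlier transaction (or zeros) rather than one the host sent in this fragment. Bounding against the fragment, e.g. `if (em_mem_access_off > fraglen - sizeof(*ep_mem_access))`, keeps the check tied to what was actually copied. Minor: em_mem_access_off does not match the ep_mem_access it indexes; ep_mem_access_off would, and since the identical check appears twice in the file a small helper taking (buf, limit) would let both call sites share it.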
@@ -599,8 +605,14 @@ static void do_ffa_mem_reclaim(struct arm_smccc_1_2_re= gs *res, len =3D res->a1; fraglen =3D res->a2; =20 - ep_mem_access =3D (void *)buf + - ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + em_mem_access_off =3D ffa_mem_desc_offset(buf, 0, hyp_ffa_version); + if (em_mem_access_off > + KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE - (struct ffa_mem_region_attributes= )) { + ret =3D FFA_RET_INVALID_PARAMETERS; + goto out_unlock; + } + + ep_mem_access =3D (void *)buf + em_mem_access_off; offset =3D ep_mem_access->composite_off; /* * We can trust the SPMD to get this right, but let's at least --=20 2.54.0.545.g6539524ca2-goog
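Review bot: same compile problem as in __do_ffa_mem_xfer(): `(struct ffa_mem_region_attributes)` needs sizeof. In do_ffa_mem_reclaim() the descriptor comes back from the SPMD with `fraglen = res->a2` describing how much of the buffer was filled, and the existing comment right below ("We can trust the SPMD to get this right, but let's at least ...") introduces a check scoped to that; the new em_mem_access_off check should use the same limit, `fraglen - sizeof(*ep_mem_access)`, instead of the whole mailbox, which also means fraglen itself has to be known to be at most KVM_FFA_MBOX_NR_PAGES * PAGE_SIZE before it is used as a limit. The declaration hunk above would also read more naturally with `ep_mem_access_off` next to `ep_mem_access`.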
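As an added example (not code from these patches or from the kernel tree), the rule both commit messages describe, carried through in C: a memory transaction descriptor is parsed from a fragment copied out of an untrusted sender's mailbox, the EMAD is located through the sender-supplied ep_mem_offset instead of at sizeof(header), and every sender-controlled offset (ep_mem_offset, composite_off, the constituent count) is bounded against the copied fragment length before it is dereferenced. The struct layouts, MBOX_SIZE, the version constants, the builder and all sample descriptors are constructed stand-ins and assumptions, not the kernel's definitions.

```c
/* Added example, not kernel code: bounds-checking an FF-A memory transaction
 * descriptor copied from an untrusted sender, locating the EMAD through the
 * sender-supplied ep_mem_offset rather than assuming it follows the header.
 * Struct layouts, sizes and version values are simplified stand-ins (assumption). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBOX_SIZE       4096u    /* assumed mailbox size: one page */
#define FFA_VERSION_1_1 0x10001u /* assumed encoding: major << 16 | minor */

struct mem_region_hdr {          /* stand-in for struct ffa_mem_region, 48 bytes */
	uint16_t sender_id, attributes; uint32_t flags; uint64_t handle, tag;
	uint32_t ep_mem_size, ep_count;
	uint32_t ep_mem_offset;      /* v1.1+: start of the EMAD array, chosen by the sender */
	uint32_t reserved[3];
};
struct emad {                    /* stand-in for struct ffa_mem_region_attributes, 16 bytes */
	uint16_t receiver; uint8_t attrs, flag;
	uint32_t composite_off;      /* start of the composite descriptor, chosen by the sender */
	uint64_t reserved;
};
struct composite {               /* stand-in for struct ffa_composite_mem_region, 16 bytes */
	uint32_t total_pg_cnt, addr_range_cnt; uint64_t reserved; /* then addr_range[] */
};
struct addr_range { uint64_t address; uint32_t pg_cnt, reserved; }; /* 16 bytes */
struct parsed_xfer { uint32_t ep_off, composite_off, nranges; };

/* Same rule as the patched ffa_mem_desc_offset(): before v1.1 the EMAD array
 * began at offset 32, where ep_mem_offset now lives; from v1.1 the header says. */
static uint32_t emad_array_offset(const struct mem_region_hdr *hdr, uint32_t version)
{
	return version < FFA_VERSION_1_1 ? offsetof(struct mem_region_hdr, ep_mem_offset)
					 : hdr->ep_mem_offset;
}

/* Validate a descriptor of which exactly fraglen bytes were copied from the
 * sender's mailbox. Each sender-controlled offset is bounded against fraglen by
 * subtraction (no sum that can wrap) before anything is read through it.
 * Returns 0 and fills *out on success, -1 on a malformed descriptor. */
int validate_mem_xfer(const uint8_t *buf, uint32_t fraglen, uint32_t version,
		      struct parsed_xfer *out)
{
	struct mem_region_hdr hdr;
	struct emad ep;
	struct composite comp;
	uint32_t ep_off, comp_off;

	if (fraglen > MBOX_SIZE || fraglen < sizeof(hdr))
		return -1;
	memcpy(&hdr, buf, sizeof(hdr));           /* memcpy: no alignment assumption on buf */
	if (hdr.ep_count != 1)                    /* one receiver, as the pKVM path requires */
		return -1;
	ep_off = emad_array_offset(&hdr, version);
	if (ep_off > fraglen - sizeof(ep))        /* the EMAD must lie inside the fragment */
		return -1;
	memcpy(&ep, buf + ep_off, sizeof(ep));
	comp_off = ep.composite_off;
	if (!comp_off || comp_off > fraglen - sizeof(comp))
		return -1;
	memcpy(&comp, buf + comp_off, sizeof(comp));
	/* The constituent array must fit in what is left after the composite header. */
	if (comp.addr_range_cnt > (fraglen - comp_off - sizeof(comp)) / sizeof(struct addr_range))
		return -1;
	*out = (struct parsed_xfer){ ep_off, comp_off, comp.addr_range_cnt };
	return 0;
}

/* The pre-patch assumption: the EMAD sits right after the 48-byte header. */
uint32_t composite_off_assuming_fixed_emad(const uint8_t *buf)
{
	struct emad ep;
	memcpy(&ep, buf + sizeof(struct mem_region_hdr), sizeof(ep));
	return ep.composite_off;
}

uint8_t mbox[MBOX_SIZE];         /* constructed stand-in for the sender's TX mailbox */
struct parsed_xfer parsed;

/* Build a constructed v1.1 descriptor into mbox: the header claims ep_off, but
 * structures are written only where they fit. Returns the fragment length. */
uint32_t build_desc(uint32_t ep_off, uint32_t comp_off, uint32_t nranges)
{
	struct mem_region_hdr hdr = { .ep_count = 1, .ep_mem_size = sizeof(struct emad),
				      .ep_mem_offset = ep_off };
	struct emad ep = { .receiver = 0x8001, .attrs = 0x2, .composite_off = comp_off };
	struct composite comp = { .total_pg_cnt = nranges, .addr_range_cnt = nranges };
	struct addr_range r = { .address = 0x80000000ull, .pg_cnt = 1 };

	memset(mbox, 0, sizeof(mbox));
	memcpy(mbox, &hdr, sizeof(hdr));
	if (ep_off <= MBOX_SIZE - sizeof(ep))
		memcpy(mbox + ep_off, &ep, sizeof(ep));
	memcpy(mbox + comp_off, &comp, sizeof(comp));
	for (uint32_t i = 0; i < nranges; i++)
		memcpy(mbox + comp_off + sizeof(comp) + i * sizeof(r), &r, sizeof(r));
	return comp_off + sizeof(comp) + nranges * sizeof(r);
}

int main(void)
{
	/* EMAD at 64 rather than 48 is legal; the fixed-offset reader sees padding. */
	int ok = validate_mem_xfer(mbox, build_desc(64, 80, 2), FFA_VERSION_1_1, &parsed);
	printf("valid=%d composite_off=%u fixed_guess=%u\n", ok, parsed.composite_off,
	       composite_off_assuming_fixed_emad(mbox));  /* valid=0 composite_off=80 fixed_guess=0 */
	printf("ep_mem_offset past fragment: %d\n",       /* -1 */
	       validate_mem_xfer(mbox, build_desc(4000, 64, 1), FFA_VERSION_1_1, &parsed));
	return 0;
}
```

The first case in main() is what patch 1 is about: a sender that puts its EMAD at offset 64 is within its rights, and a reader that hard-codes 48 picks up padding instead of the real composite_off. The rejected cases are what patch 2 guards against; the limit is the copied fragment length rather than the mailbox size because bytes past fraglen were never part of this transaction, and using subtraction against fraglen (which is known to be at least sizeof(hdr)) avoids the wrap a `offset + sizeof(...) > limit` form can suffer on a 32-bit size_t.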